Find out what is role-based access control (RBAC)

What is Role-Based Access Control (RBAC)?

RBAC is an access control model. It allows you to restrict access to systems to authorized users only. RBAC accesses are managed based on the users’ roles. This new access management model comes in addition to other models such as DAC (Discretionary Access Control), MAC (Mandatory Access Control) and ABAC (Attribute-Based Access Control). We will see these models in more detail later on in the article. Nevertheless, RBAC is nowadays one of the most used models in companies, because it is more advantageous. Indeed, it is easier to manage a large number of people with RBAC.

Access Control in Companies

In the past, access was locked by keys or access cards. Nowadays, information systems are omnipresent, whether in our lives or in companies. It is therefore quite natural that the question of access controls has arisen. This is even more true in companies where certain resources need to be protected and only accessible to certain people. It is therefore necessary to set up an access control. This must be done in the most thoughtful way possible. Indeed, an access control that is too restrictive could jeopardize the continuity of activities. Conversely, too little control can jeopardize the confidentiality and security of data.

The use of RBAC is therefore a great solution to control these. In fact, in 2004, a study by the NIST (National Institute of Standards and Technology) showed that the RBAC model met the majority of needs for companies and organizations. This is why RBAC was transcribed into the NIST model to make it a standard. This standardization was pursued by the InterNational Committee for Information Technology Standards (INCITS) which is a standard development organization accredited by the American National Standards Institute (ANSI). The result was the ANSI/INCITS 359 standard in 2004. This document was republished as INCITS 359-2012, which has since been reaffirmed (INCITS 359-2012 [R2017]).

This model is therefore approved and still widely used. It grants access to users who need it, and removes it from those who do not.

RBAC, a Role-Based Method

RBAC is a role-based method rather than a user-based method. Rather than managing the rights of a single user at a time, administrators will instead manage a whole group of users with similar access needs. To modify the rights of one of these groups of users, they will just have to modify their role for the modifications to apply. The changes will then be effective for all users with that role. This avoids the need to change the permissions of each user individually.

To summarize, roles are groups of users with the same functions. They are managed by administrators who assign permissions to them. Finally, these permissions determine what a person can do, or cannot do, according to their role (permissions are related to a role).

In this model, users do not have personal permissions, but roles. Each role has its own permissions. To modify the rights of a user, it will be necessary to either change the role or modify the role assigned to them. In the second case, this means changing the permissions of all users with the same role.

Roles can then be based on several criteria. For example, they can be assigned according to the hierarchical level of the person (the manager will have more rights than a temporary employee for example). They can also be assigned according to their responsibilities, for example, a marketing manager may not have the same rights as a technical manager. Finally, they can be assigned according to the skill level of the people. An employee with 10 years of experience may have access to more work files than an employee with no experience.

Differences between roles and groups

The nuance between a group and a role may seem rather vague. To clarify this point, here is how Professor Ravi Sandhu defines these two concepts:

• A group is a collection of users. This group has permissions. These permissions apply to the users in the group.
• A role is a collection of permissions. These permissions apply to users who have this role.

Other methods of access control

DAC

Discretionary Access Control is a type of access control, defined by the Trusted Computer System Evaluation Criteria (TCSEC) as “means of limiting access to objects based on the identity of the subjects or groups to which they belong. The control is discretionary, as a subject with a certain access permission is able to pass that permission (perhaps indirectly) to any other subject (unless restricted by mandatory access control).”

For example: users of a social network can choose who accesses their data. It allows users to revoke or transfer privileges easily and immediately.

Some concepts defining DAC:

• A user can transfer his rights on an object to another user
• The access rights of other users can be determined by the user
• After several unsuccessful login attempts, a user may be blocked.
• Unauthorized users will not be able to see the characteristics of the object they are not authorized to see.

MAC

Mandatory Access Control is quite similar to DAC except that users cannot override or change the access security policy, either accidentally or intentionally.

In the previous example, social network users would not be able to change privileges if the administrator does not allow it, regardless of whether they own the information or not.

For example, Windows user access levels (guest, user or admin)

Some notions identifying the MAC:

• Use of MAC reduces system errors
• The MAC has a higher level of security than the DAC, because only the system administrator can view and make changes to permissions.
• The maintenance can only be done by the administrator, because he will be the only person who has access to the database. This can make maintenance more complex.

ABAC

This model supports Boolean logic, in which rules contain “IF, THEN” statements indicating who is making the request, the resource, and the action. 

For example: IF the requester is a manager, THEN allow read/write access to sensitive data.

or

IF it's daytime, THEN allow modification (in case no one is supposed to work at night)

The RBAC system, a win-win for businesses

Less complex: In case a new employee joins the company, it would be enough to assign him a role. No need to assign permissions manually and one by one.

Time saving: As previously mentioned in the case of a change or a newcomer, a simple assignment of roles and that's it.

Less maintenance: In the case of a change in the security policy, rather than having to modify all the people one by one, it is enough to modify their role or to assign them a new one. It is possible to change the permissions of several people at once. This is especially useful when you have thousands of employees.

Reduced cost: All of the above parameters reduce the cost of management.

Conclusion

RBAC is a very practical tool for managing identities, access rights, authorizations, etc. It can be used in all types of companies and its use is highly recommended. As previously mentioned, it is recommended by NIST and ANSI in the United States. ABAC is an alternative or can be a complement to RBAC, as it is a method of assigning permissions that offers some granularity. Thinking about improving your access management? You can use our solutions and enjoy the benefits of RBAC & ABAC.

As you may have heard in a famous movie “I'll be r-bac”! We’ll let you guess which movie it was.

So ready to learn more about RBAC? We tell you more at Cryptr.