What Is Role-Based Access Control (RBAC)?
Role-based access control (RBAC) is the concept of securely managing access by assigning and restricting user access based on clearly established roles. Organizations rely on RBAC to put solid, pre-defined, and pre-approved access policies in place that identify which access privileges each user needs and which access to grant or remove.
Roles within an organization consist of a collection of access rights on one or several applications that are grouped together because they are often assigned to the same types of users. When roles are defined, organizations can efficiently assign rights in a simplified, automated fashion. These access privileges can be cross-system, cross-platform, or cross-application, and they can exist on premise, in the cloud, or both.
RBAC relies on these roles to identify and group common access privileges together, so they can be easily used to mitigate identity-related access risks and improve efficiencies across the business.
Role-based access control is frequently used in conjunction with the principle of least privilege, where the roles defined will only include the least level of access needed to complete the necessary job tasks or requirements.
How Does Role-Based Access Control Work?
For organizations seeking to adopt role-based access control, there are two basic approaches for designing roles—a top-down approach and a bottom-up approach. These are very different approaches to role design and typically a combination of both is needed for RBAC. However, employing a bottom-up approach, with appropriate guidance from intelligent methodologies used by leading RBAC solutions, enables organizations to tackle the levels of access users already have within the business and start from there.
Top-Down Approach
Designing roles with a top-down approach means asking managers, business leaders, or application owners in the organization what access they think each role should have. This approach relies heavily on input from upper-level stakeholders and is potentially more aspirational than practical, and can lead to underprovisioning, where the resulting roles contain less access than is needed to get the job done.
Bottom-Up Approach
A bottom-up approach takes a more pragmatic view: it looks at the access users already have and analyzes that data intelligently to build the roles. This method reviews the access levels that ‘model users’ currently have and then fine-tunes them to define what roles should look like—tailored for the needs of the business. The model users that yield the best roles are those who have been around just long enough to acquire only the access they genuinely need to get the job done.
RBAC vs. ABAC
Role-based access control (RBAC) and attribute-based access control (ABAC) are two different approaches for defining and authorizing user access. RBAC relies on pre-established roles to manage user access, while ABAC authorizes access based on attributes. These attributes or characteristics can include the individual requesting access, the specific network, platform or resource requested, the action the user will take with the access, and the context or situation in which the access is requested.
While RBAC enables organizations to apply a broader level of access control across role types, ABAC typically offers finer-grained control over individual users within a given role type. Role-based access control is the more common and widely adopted methodology for controlling user access because it typically takes less time and is less complex. But because ABAC grants access based on specific attributes, it can enhance access security and scale more easily for the largest enterprise organizations.
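To make the difference concrete, here is an added example (not code from the original article) that answers the same access question once with RBAC, where a role is a pre-approved bundle of permissions, and once with ABAC, where a policy is evaluated against attributes of the subject, resource, action and context. The role names, attributes and policy rules are constructed for illustration.

```python
# Added example: RBAC decision (role -> permissions) beside an ABAC decision
# (attribute policy). All roles, attributes and rules are constructed.

# RBAC: each role is a pre-defined, pre-approved set of access rights.
ROLE_PERMISSIONS = {
    "finance_analyst": {"report:read", "ledger:read"},
    "finance_manager": {"report:read", "report:approve", "ledger:read", "ledger:write"},
    "help_desk": {"ticket:read", "ticket:write"},
}


def rbac_allows(user_roles, permission):
    """Allow if any role assigned to the user carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user_roles)


# ABAC: a policy evaluated against attributes at request time. Constructed rule:
# reports may be read only by the owning department, from the corporate network,
# during business hours; approving additionally requires manager seniority.
def abac_allows(subject, resource, action, context):
    if resource["type"] != "report":
        return False
    same_dept = subject["department"] == resource["owner_department"]
    trusted_net = context["network"] == "corporate"
    in_hours = 8 <= context["hour"] < 18
    if action == "read":
        return same_dept and trusted_net and in_hours
    if action == "approve":
        return same_dept and trusted_net and in_hours and subject["seniority"] >= 3
    return False


def compare(user, resource, action, context):
    """Return (rbac_decision, abac_decision) so the difference in granularity is visible."""
    permission = f"{resource['type']}:{action}"
    return rbac_allows(user["roles"], permission), abac_allows(user, resource, action, context)


if __name__ == "__main__":
    analyst = {"roles": ["finance_analyst"], "department": "finance", "seniority": 1}
    hr_report = {"type": "report", "owner_department": "hr"}
    ctx = {"network": "corporate", "hour": 10}
    # RBAC grants read to every finance analyst; ABAC refuses because the
    # report belongs to another department.
    print(compare(analyst, hr_report, "read", ctx))
```

The RBAC check is fast and easy to audit because it only consults the role definition; the ABAC check can refuse the same request when the department, network or time of day is wrong, which is the extra granularity the text refers to.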
What Is User Provisioning and Deprovisioning?
Provisioning and deprovisioning are the policy-driven processes of granting, managing, changing, or removing user access to resources, applications, networks, or platforms within an organization. The time and resources required to manually provision and deprovision user accounts—and to ensure appropriate levels of access are given to the right users—have contributed significantly to the demand for automated account provisioning and deprovisioning.
Automating Provisioning and Deprovisioning with RBAC
Automating user provisioning and deprovisioning should start with the user’s first relationship with the organization as a job applicant or employee, and conclude with the user separating from the organization. In between these events are multiple changes in access requirements that must be closely managed.
Within the user lifecycle, onboarding is typically the first step, where a new employee receives initial accounts and access to the appropriate systems and applications. Within the RBAC framework, these are already defined based on pre-established role assignments. The last part of the user lifecycle is when an employee leaves the organization, either voluntarily or through termination. For the latter, accounts should be quickly and automatically deprovisioned, preventing any opportunity for employees to retain access to data upon their departure from the organization.
Automating these processes around the user lifecycle enables employees to be productive right away rather than waiting around for access. It also decreases reliance on IT resources and increases security by reducing risk associated with manual provisioning mistakes. This is where a role-based approach to developing these access policies often works best. RBAC supports automated provisioning by creating an authoritative source to create base access for new users. It also provides clear direction and an authoritative source for removing user access when deprovisioning accounts.
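The lifecycle described above, as an added example that is not part of the original article: role assignments are the authoritative source, and every join, role change or leave event is handled by reconciling the access a user actually holds against what their current roles justify. The systems, roles and entitlement names are constructed; the orphaned-access check at the end is the review a practitioner would run to catch access granted by hand outside the RBAC process.

```python
# Added example: joiner / mover / leaver automation driven by role definitions.
# Role -> set of (system, entitlement) pairs the role is pre-approved to hold.
# All systems, roles and entitlements are constructed for illustration.
ROLE_ENTITLEMENTS = {
    "sales_rep": {("crm", "opportunity:write"), ("email", "mailbox")},
    "sales_manager": {("crm", "opportunity:write"), ("crm", "forecast:approve"),
                      ("email", "mailbox"), ("hr_portal", "team:view")},
}


class Directory:
    """Tracks role assignments and the access actually provisioned per user."""

    def __init__(self):
        self.roles = {}        # user -> set of role names
        self.provisioned = {}  # user -> set of (system, entitlement)

    def desired(self, user):
        """Access justified by the user's current roles (empty if no roles)."""
        return set().union(*(ROLE_ENTITLEMENTS[r] for r in self.roles.get(user, set())))

    def reconcile(self, user):
        """Grant what the roles require, revoke what they no longer justify.
        Returns (granted, revoked) so every change can be logged and reviewed."""
        have = self.provisioned.setdefault(user, set())
        want = self.desired(user)
        granted, revoked = want - have, have - want
        self.provisioned[user] = want
        return granted, revoked

    def onboard(self, user, role):          # joiner: base access from the role
        self.roles[user] = {role}
        return self.reconcile(user)

    def change_role(self, user, old, new):  # mover: add new rights, drop old ones
        self.roles[user] = (self.roles.get(user, set()) - {old}) | {new}
        return self.reconcile(user)

    def offboard(self, user):               # leaver: no roles, so everything is revoked
        self.roles[user] = set()
        return self.reconcile(user)

    def orphaned_access(self):
        """Detection check: entitlements a user holds that no current role justifies,
        e.g. granted manually outside the RBAC process. Empty dict means clean."""
        return {u: have - self.desired(u) for u, have in self.provisioned.items()
                if have - self.desired(u)}
```

Because `reconcile` computes the difference between held and justified access, a role change revokes the old role's rights at the same time it grants the new ones, which prevents the privilege accumulation that manual provisioning tends to leave behind.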
Advantages of Using a Role-Based Access Control Approach
When you add up all the access that users need across enterprise applications and platforms, leveraging RBAC enables you to streamline and easily categorize access across your enterprise. This simplifies access management and effectively keeps pace with the evolving access requirements of users. Leveraging RBAC also enables organizations to:
Go from a manual, error-prone process to a strategic, automated approach
Give users access to what they need to perform their job—and nothing more
Enforce the principle of least privilege and establish consistent access policies
Create roles for systems without dependency on integrations for obscure applications
Gain deep insights about people and their access across the organization
Focus on role definitions and role assignments rather than on individual accounts
Keep up with changing access requirements as the business grows or changes
Safeguard critical data, systems, and assets
Stay compliant with industry standards and government regulations
Reduce identity-related access risks and improve overall security posture
Get Control of Your Roles with Core Security
Learn how the right identity solutions can help you manage identity risk in your organization.