Role-Based Access Control: Why It Delivers a Modern Approach for Managing Access

Relying on outdated methods to manage user access is both a constant struggle and a persistent risk to your business. Manually keeping track of users and entitlements is costly, time-consuming, and daunting. But with a modern role-based approach, you can embrace a smarter, simpler, more secure way to manage user access.

In this blog, we will define role-based access control (RBAC), explore why it is critical, and examine common types of roles used within organizations today. We will also highlight two common approaches in establishing and designing roles for your business as an effective way to enforce least privilege access, and safeguard your critical data, systems, and platforms.

What Is Role-Based Access Control (RBAC)?

Role-based access control is the concept of securely managing access by assigning and restricting that access based on clearly established roles. Using roles, organizations can have solid, pre-defined, and pre-approved access policies in place to identify which access privileges each user needs and which access to grant or remove. Sometimes referred to as role-based access or role-based security, RBAC relies on roles to identify and group common access privileges together, so they can be easily used to mitigate identity-related access risks and improve efficiencies across the business. In most cases, RBAC is used in conjunction with the principle of least privilege, where the roles defined will only include the least level of access needed to complete the necessary job tasks or requirements.

Think of a role as a collection of access privileges typically defined around a job title or job function. These access privileges can be cross-system, cross-platform, or cross-application, and they can exist on premise, on cloud, or both. When you add up all the access that users need across enterprise applications and platforms like Azure, Active Directory, SAP, Oracle, Salesforce, and countless others, leveraging role-based access control enables you to streamline and categorize all of this access across your entire enterprise into roles. This simplifies access management and effectively keeps pace with the evolving access requirements of your users.

Why Is RBAC Essential Today?

Within the construct of role-based access control, roles keep your organization more secure by only giving users access to what they need to perform their job—and nothing more. Using roles helps enforce the principle of least privilege and helps establish consistent access policies where access privileges are defined ahead of time. Roles also simplify identity governance as your business grows or changes—from changes across the user lifecycle, like onboarding or offboarding, to provisioning seasonal, contract or temporary workers, to institutional changes like mergers and acquisitions. Finally, leveraging roles increases efficiencies across the organization because it enables more efficient and accurate access reviews, while reducing certification fatigue of application owners and managers. Essentially, an organization will proactively spend time up front to define the roles, and then regularly assign those roles or review access against them.

According to the Identity and Access Management Report, 62 percent of organizations ranked role-based access as one of the most important IAM capabilities in their organization. But only 54 percent are only somewhat confident in their ability to design roles. Clearly, a framework for understanding and establishing roles needs to be more firmly rooted within companies today. With this in mind, let’s take a look at common role types that are most effective for establishing role-based access control.  

What Are Common Role Types?

When most people think of roles, they typically revolve around a job level. And while this is one of the most common types, we will examine how organizations today typically structure their roles.

• Job Level: Defining roles based on job function is a well-established method for defining the types of access needed to perform the duties of that specific job level. For example, a junior accountant will receive access privileges to certain applications, but may be restricted from performing other duties within those applications or on other platforms.
• Departmental: This type of role defines a higher-level grouping based on department level. For example, this could include providing role-based access on behalf of a department to a certain printer or to specific file shares.
• Organizational Tier: Another way to define roles is based on organizational tier. These types of roles are typically cross-departmental, and can include similar types of tiers within the business. For example, managers may need access to an employee review system or executives may need access to a reporting dashboard. 
• Geographical: When roles are defined geographically, they are based on a certain locale. This can be access for a certain region of the country, to certain offices within a city, or as granular as access to a particular floor in a building.
• Application: Roles that are defined at an application level are typically defined for users who have a specific need to access the software application or platform for their job. An example of this is when a salesperson needs access to Salesforce or to a specific CRM to track opportunities or client interactions.

What Are the Leading Approaches to Role Design?

For organizations seeking to adopt role-based access control and better enforce least privilege access, there are two basic approaches to designing roles—a top-down approach and a bottom-up approach. While both of these are valid, typically bottom-up is the most widely used method, followed by a hybrid approach that involves some combination of the two. 

• Top-Down Approach: Designing roles with a top-down approach means asking managers, business leaders, or application owners in the organization what access they think each role should have. This is a hierarchical approach that relies heavily on input from upper-level stakeholders and is potentially more aspirational than practical. Following a top-down approach exclusively can result in underprovisioning, where the resulting roles contain less access than is needed to get the job done. Although it may be corrected over time, the role may not have enough required access because managers, business leaders, or application owners may inadvertently leave necessary access out of the initial role definition.
   
• Bottom-Up Approach: A bottom-up approach takes a more pragmatic view in looking at the access users already have and analyzes that data intelligently to build the roles. In other words, this method reviews access levels people currently have from the ‘model users’ and then fine-tunes them to define what roles should look like—tailored for the needs of the business. Without proper guidance, following only a bottom-up approach can sometimes result in over provisioning, where the resulting roles contain more access than is needed to get the job done. This is most likely the case where the numbers of model users are too few and may have had access accumulated over time. Model users are not the longest or the shortest tenured people in the organization. Long-tenured employees may have accumulated unnecessary access over time, while newer users may not have enough access. Instead, the collection of model users that results in the best roles are those that have been around ‘just enough’ to acquire only the access they genuinely need to get the job done.

These are very different approaches to role design. And as you can see, a combination of both is needed when conducting a role-designing exercise. But using a bottom-up approach, with the appropriate guidance of the intelligent methodology, enables organizations to tackle the levels of access users already have within the business and start from there.

You may still want to show the roles to managers and executives, and circulate them throughout the organization, but starting with a bottom-up approach can help you get your arms around the access that already exists in your organization.