In Role-Based Access Control, roles are an intermediate layer between users and the permissions to execute certain operations.
 
Operations can be well-formed transactions with built-in integrity checks that actually mediate the access to protected objects or resources. Users are then assigned roles and are thereby authorised to execute the operations linked to their active role.
 
 
 
RBAC is based on the underlying concept of 'Separation of Duties'.
 
Separation of Duties (SoD) refers to policies that stop a single user from becoming too powerful. Examples of SoD are:
  • rules stating that more than one user must be involved to complete some transaction,
  • rules stating that a user permitted to perform one set of transactions is not permitted to perform some other set of transactions (the separation between front office and back office in financial trading firms is one such example), or
  • rules stating that policy administrators may not assign permissions to themselves.
Static SoD rules are checked during user-role assignment; dynamic SoD rules must be enforced when a role is activated.
 
 

The NIST RBAC model distinguishes between:

 
• Flat RBAC: users are assigned to roles and roles to permissions to operations; users get permissions to execute procedures via role membership; user-role reviews are supported.
 
• Hierarchical RBAC: adds support for role hierarchies.
 
• Constrained RBAC: adds separation of duties.
 
• Symmetric RBAC: adds support for permission-role reviews, which may be difficult to achieve in large distributed systems.
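The following is an added example, not code from the article: a minimal engine that combines the Hierarchical and Constrained levels above, with senior roles inheriting permissions from junior roles, static SoD checked at user-role assignment and dynamic SoD enforced at role activation, using the front office / back office split from the SoD section. All role, user and permission names are constructed.

```python
class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> permissions granted directly
        self.juniors = {}      # role -> junior roles whose permissions it inherits
        self.user_roles = {}   # user -> assigned roles (user-role assignment)
        self.sessions = {}     # user -> roles active in the current session
        self.static_sod = []   # role pairs a single user may never be assigned
        self.dynamic_sod = []  # role pairs that may never be active together
    def add_role(self, role, perms=(), juniors=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)
    def effective_perms(self, role):  # direct perms plus those of junior roles
        inherited = (self.effective_perms(j) for j in self.juniors[role])
        return self.role_perms[role].union(*inherited)
    def assign(self, user, role):
        """Static SoD is checked at user-role assignment time."""
        held = self.user_roles.setdefault(user, set())
        for a, b in self.static_sod:
            if {a, b} <= held | {role}:
                raise PermissionError(f"static SoD: {user} may not hold {a} and {b}")
        held.add(role)
    def activate(self, user, role):
        """Dynamic SoD is enforced when a role is activated in a session."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned {role}")
        active = self.sessions.setdefault(user, set())
        for a, b in self.dynamic_sod:
            if {a, b} <= active | {role}:
                raise PermissionError(f"dynamic SoD: {a} and {b} active together")
        active.add(role)
    def check(self, user, perm):
        """Access is mediated through active roles only, not all assigned roles."""
        return any(perm in self.effective_perms(r) for r in self.sessions.get(user, ()))

def demo():
    """Constructed trading-firm scenario (hypothetical roles and users)."""
    rbac = RBAC()
    rbac.add_role("clerk", {"read_ledger"})
    rbac.add_role("trader", {"submit_order"}, juniors={"clerk"})
    rbac.add_role("settlement", {"approve_settlement"}, juniors={"clerk"})
    rbac.add_role("auditor", {"read_audit_log"})
    rbac.static_sod.append(("trader", "settlement"))  # front vs back office: never the same user
    rbac.dynamic_sod.append(("trader", "auditor"))    # may hold both, never in one session
    rbac.assign("alice", "trader")
    rbac.assign("alice", "auditor")
    rbac.activate("alice", "trader")
    return rbac
```

In `demo()`, assigning `settlement` to alice fails the static check, and activating `auditor` while `trader` is active fails the dynamic check, while `read_ledger` is granted through the hierarchy without being assigned directly.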
 
Many commercial systems support some flavor of role-based access control, without necessarily adhering to the formal specifications of RBAC published in the research literature. RBAC is an elegant and intuitive concept, but may become quite messy in deployment as well.
 
Practitioners note that RBAC works as long as every user has only one role, or that “the enormous effort required for designing the role structure and populating role data” constitutes an inhibitor for RBAC.
 
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
