Traditionally it was very common for organizations to adopt an optimistic security model. Give everyone access to everything unless specifically denied access to sensitive areas, like HR or Finance. While this approach is generally regarded as more convenient for end users, it is less secure and leaves organizations more vulnerable than pessimistic security models. Pessimistic security models generally deny access to everything for everyone unless specifically granted access. While more secure, the pessimistic model tends to hamper collaboration and can be tedious to maintain properly. Early security models were very static and assigned permissions to individual users for individual systems or tasks. In large organizations such models become extremely difficult to administer.
Formalized in 1992 by David Ferraiolo and Rick Kuhn, Role Based Access Control (RBAC) has become one of the most widely used security models. RBAC grants access to systems or the ability to perform tasks based on roles. Roles are determined by job function, job responsibilities, job competency, authority within the organization, etc. There are essentially only three primary rules in an RBAC system.
- Role Assignment: users can only perform function(s) if they have been assigned a role.
- Role Authorization: users must be authorized for the role to which they are assigned.
- Permission Authorization: the specific function or permission must be authorized to the role.
Implementing an RBAC security model allows for more dynamic provisioning of security permissions while maintaining a high level of accountability and auditability. Users receive the rights and access necessary based on their assigned role without having to configure each individual system. RBAC can even be used to automate many business processes providing more efficiencies to your environment.
For more detailed and technical information on RBAC visit the recommended sites listed below.
National Institute of Standards and Technology