Role-based access control: in search of perfection

August 2002 Access Control & Identity Management

Role-based access control, or ‘RBAC’ as it is usually called, has become a popular new buzzword in security organisations. But so many ideas come and go; does this one have legs?

A bit of history is in order here. While it has become a hot topic over the past six months, RBAC has actually been around for a number of years, based on research by the US National Institute of Standards and Technology. Created to help organisations manage access rights for numerous users, RBAC operates under the principle that the roles people play in an organisation change less frequently than do the individuals occupying those roles. For example, the role of a bank teller has existed for decades, but there is a high turnover of individual bank tellers. With a system based on RBAC, the roles imply the accesses a user needs within a company. Therefore, theory has it, managing the roles rather than the individuals is a more effective approach towards automation.

High stakes

Why all the fuss over efficiently automating access rights? Actually, the stakes are quite high. According to IDC, 30-60% of active accounts on protected systems are orphans, that is, they cannot be associated with a valid user. Each of these 'orphan accounts' represents an open back door inviting hackers (or simply disgruntled former employees, partners or suppliers) to come in and wreak havoc on your system. To put it in dollars-and-cents terms, the average act of espionage from an insider costs an organisation about $2,7 million, according to the FBI.

The problem of orphan accounts has exploded because of the realities of IT security and network management in today's business climate. With mergers, layoffs and other changes, users come and go so frequently, and new access-controlled systems are rolled out so constantly, that it has become enormously labour intensive to provision users with the access rights they need in a timely and controlled manner. It has become even more expensive to keep track of those rights so that they can be suspended or deleted when the user no longer needs them.

But RBAC is a theory, not a product. It defines an approach to representing roles and relations, but not the instructions or tools to discover roles and make them useful. Today, a number of products utilise the concept of roles to assist in the access administration environment. ERP and portal initiatives often include some approach to using roles. Provisioning products and Web access control tools also include roles.

Which roles do you use, or want to use?

However, even though RBAC-based products are now available, your organisation may not be ready for them yet. The first step towards RBAC is analysing which roles you use, or want to use. It is necessary to put all your users (internal and external) into 'buckets' based on what they do. In practice, role-engineering is an experimental and expensive business analysis and results are mixed. Consulting companies offering 'role engineering' are quick to lend a hand if you do not have enough of your own, but this is still more of an art than a science. Many companies find they have nearly as many buckets, or roles, as they do users. Others have spent months only to throw up their hands after encountering political walls or running out of schedule.


The vacuum of products and processes to support the new science of role-engineering has drawn the interest of vendors and consultants. Role-mining tools are being proposed to discover hidden patterns of access rights that may imply a role. Standard roles are also being proposed. Because organisations operate differently and are already full of bad accounts, these approaches are expected to help only in limited situations.

If the results of the RBAC investment seem uncertain, you are right. But the problem is real, so what should you do? Be pragmatic about it. The reason you care about RBAC in the first place is to reduce administrative cost while improving your security and service quality. It turns out that the bang for the buck is not in this new theoretical approach but in solutions that are ready to give results now.

Provisioning systems have proven themselves to give large and visible benefits quickly by managing access rights across the entire enterprise. These systems offer concrete results and, if built flexibly, allow step-wise growth into RBAC when the time is right for your organisation. Provisioning systems offer:

* Password self-service to unload the help desk.

* Access rights accounting to track and enforce who has which accounts.

* Exposure of active accounts that should have been removed.

* Enforcement and expediting of approval processes through workflow to ensure proper authorisation.

These four functions have positive, visible impacts to your operations within just weeks of rollout.

The forward-thinking products also deliver 'policy-based provisioning', which includes RBAC but with a practical bent. For instance, you might define a rule stating that any employee can get access to any system as long as their supervisor approves it. Adding other rules like 'The owner of the mainframe and ERP system must also approve access changes to these systems' would enhance security far above that achieved with typical manual approaches.
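The three ideas the article leans on, roles implying access, orphan accounts that map to no valid user, and approval rules layered on top, fit in a few dozen lines. The example below is written for this page and is not code from Access360, NIST or any product; every user, role, system and owner name in it is constructed sample data.

```python
# Added example for this article, not vendor or NIST code: a minimal RBAC model,
# an orphan-account check and the article's two approval rules. All users,
# roles, systems and owner names below are constructed sample data.

# Roles imply access: permissions hang off the role, not the individual.
ROLE_PERMISSIONS = {
    "teller": {"core_banking:read", "core_banking:post_txn"},
    "branch_manager": {"core_banking:read", "core_banking:post_txn",
                       "core_banking:approve"},
    "erp_analyst": {"erp:read"},
}

# Constructed HR view of who currently holds which role; leavers are absent.
HR_ROLES = {"alice": {"teller"}, "bob": {"branch_manager"},
            "carol": {"erp_analyst"}}

# Constructed account inventory as pulled from each protected system.
SYSTEM_ACCOUNTS = {
    "core_banking": {"alice", "bob", "dave"},  # dave left the company
    "erp": {"carol", "eve"},                    # eve was a contractor
    "mainframe": {"bob", "dave"},
}

# Assumed owners for the two systems the article singles out.
SYSTEM_OWNERS = {"mainframe": "mf_owner", "erp": "erp_owner"}

def permissions_for(user):
    """Effective permissions: the union over the user's current roles."""
    perms = set()
    for role in HR_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def orphan_accounts():
    """Accounts on protected systems that map to no valid HR user."""
    return {system: sorted(a for a in accounts if a not in HR_ROLES)
            for system, accounts in SYSTEM_ACCOUNTS.items()}

def required_approvers(request):
    """Supervisor always; the system owner too for mainframe and ERP."""
    approvers = {request["supervisor"]}
    owner = SYSTEM_OWNERS.get(request["system"])
    if owner:
        approvers.add(owner)
    return approvers

def request_approved(request, approvals):
    """A change is approved only when every required approver signed off."""
    return required_approvers(request) <= set(approvals)
```

Removing a leaver from HR_ROLES is the only change needed for their access to vanish from permissions_for and for their lingering accounts to surface in orphan_accounts, which is the administrative saving the article describes.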

RBAC is not the first step in the solution, but is an emerging, powerful refinement to automated user provisioning. The first steps towards lower costs, better security and improved service lie not in optimised theories but in the concrete capabilities of provisioning systems available today.

For more information: Access360, 0944 148 354 9050

Infosecurity Europe took place from 23-25 April 2002, and is Europe's largest IT security event. The show featured a comprehensive range of free seminars and keynote sessions on the hottest information security topics as well as hosting the largest gathering of information security vendors and new products in Europe.

