Role-based access control: in search of perfection

August 2002 Access Control & Identity Management

Role-based access control, or ‘RBAC’ as it is usually called, has become a popular new buzzword in security organisations. But so many ideas come and go; does this one have legs?

A bit of history is in order here. While it has become a hot topic over the past six months, RBAC has actually been around for a number of years, based on research by the US National Institute of Standards and Technology. Created to help organisations manage access rights for numerous users, RBAC operates under the principle that the roles people play in an organisation change less frequently than do the individuals occupying those roles. For example, the role of a bank teller has existed for decades, but there is a high turnover of individual bank tellers. With a system based on RBAC, the roles imply the accesses a user needs within a company. Therefore, theory has it, managing the roles rather than the individuals is a more effective approach towards automation.
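The teller example above, worked through as an added illustration (not code from the article or from any product it mentions): permissions hang off roles, users are only ever assigned roles, and staff turnover touches the user-to-role table alone while the role definition stays put. The role names, user names and permission tuples are constructed for this example.

```python
"""Minimal RBAC model: users are assigned roles, roles carry permissions.

Added example, not from the article. All identifiers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role name -> set of (resource, action) permissions the role grants
    role_permissions: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    # user id -> set of role names; there are no direct user-to-permission grants
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def define_role(self, role: str, permissions: set[tuple[str, str]]) -> None:
        self.role_permissions[role] = set(permissions)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")  # no ad-hoc roles
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user: str) -> None:
        """Offboarding: drop every role; nothing else needs touching."""
        self.user_roles.pop(user, None)

    def permissions_of(self, user: str) -> set[tuple[str, str]]:
        perms: set[tuple[str, str]] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def can(self, user: str, resource: str, action: str) -> bool:
        return (resource, action) in self.permissions_of(user)


def build_bank() -> Rbac:
    """Constructed bank with two roles and two staff members."""
    rbac = Rbac()
    rbac.define_role("teller", {
        ("customer_account", "read"),
        ("customer_account", "deposit"),
        ("customer_account", "withdraw"),
    })
    rbac.define_role("branch_manager", {
        ("customer_account", "read"),
        ("loan", "approve"),
    })
    rbac.assign("alice", "teller")
    rbac.assign("bob", "branch_manager")
    return rbac


def replace_teller(rbac: Rbac, leaving: str, joining: str) -> None:
    """Turnover: the departing teller loses all roles, the new one gets the
    teller role. The teller role itself, and what it permits, is unchanged."""
    rbac.revoke_all(leaving)
    rbac.assign(joining, "teller")


if __name__ == "__main__":
    bank = build_bank()
    print(bank.can("alice", "customer_account", "withdraw"))  # True
    replace_teller(bank, "alice", "carol")
    print(bank.can("alice", "customer_account", "withdraw"))  # False
    print(bank.can("carol", "customer_account", "withdraw"))  # True
```

The point of `revoke_all` is that offboarding is one operation on one table; if users could also hold direct grants outside their roles, that single step would no longer be enough, which is exactly how orphaned rights accumulate.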

High stakes

Why all the fuss over efficiently automating access rights? Actually, the stakes are quite high. According to IDC, 30-60% of active accounts on protected systems are orphans, that is, they cannot be associated with a valid user. Each of these 'orphan accounts' represents an open back door inviting hackers (or simply disgruntled former employees, partners or suppliers) to come in and wreak havoc on your system. To put it in dollars-and-cents terms, the average act of espionage from an insider costs an organisation about $2,7 million, according to the FBI.

The problem of orphan accounts has exploded because of the realities of IT security and network management in today's business climate. With mergers, layoffs and other changes, users come and go so frequently, and new access-controlled systems are rolled out so constantly, that it has become enormously labour-intensive to provision users with the access rights they need in a timely and controlled manner, and even more expensive to keep track of those rights so that they can be suspended or deleted when the user no longer needs them.

But RBAC is a theory, not a product. It defines an approach to represent roles and relations but not the instructions or tools to discover roles and make them useful. Today, a number of products utilise the concept of roles to assist in the access administration environment. ERP and portal initiatives often include some approach of using roles. Provisioning products and Web access control tools also include roles.

Which roles do you use, or want to use?

However, even though RBAC-based products are now available, your organisation may not be ready for them yet. The first step towards RBAC is analysing which roles you use, or want to use. It is necessary to put all your users (internal and external) into 'buckets' based on what they do. In practice, role engineering is an experimental and expensive business analysis exercise, and results are mixed. Consulting companies offering 'role engineering' are quick to lend a hand if you do not have enough of your own, but this is still more of an art than a science. Many companies find they have nearly as many buckets, or roles, as they do users. Others have spent months only to throw up their hands after encountering political walls or running out of schedule.

The vacuum of products and processes to support the new science of role-engineering has drawn the interest of vendors and consultants. Role-mining tools are being proposed to discover hidden patterns of access rights that may imply a role. Standard roles are also being proposed. Because organisations operate differently and are already full of bad accounts, these approaches are expected to help only in limited situations.

If the results of the RBAC investment seem uncertain, you are right. But the problem is real, so what should you do? Be pragmatic about it. The reason you care about RBAC in the first place is to reduce administrative cost while improving your security and service quality. It turns out that the bang for the buck is not in this new theoretical approach but in solutions that are ready to give results now.

Provisioning systems have proven themselves to give large and visible benefits quickly by managing access rights across the entire enterprise. These systems offer concrete results and, if built flexibly, allow step-wise growth into RBAC when the time is right for your organisation. Provisioning systems offer:

* Password self-service to unload the help desk.

* Access rights accounting to track and enforce who has which accounts.

* Exposure of active accounts that should have been removed.

* Workflow to enforce and expedite approval processes, ensuring proper authorisation.

These four functions have positive, visible impacts to your operations within just weeks of rollout.
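The access rights accounting and orphan exposure functions in the list above, as an added example that is not code from the article or from any provisioning product: accounts pulled from managed systems are reconciled against the authoritative directory of valid users, and every enabled account without a valid, active owner is flagged with the reason. The HR feed, the account snapshot and the field names are constructed for this example.

```python
"""Access-rights accounting: reconcile accounts on managed systems against
the directory of valid users and flag orphans.

Added example, not from the article. Account records, the HR feed and the
field names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # which protected system the account lives on
    login: str           # login name on that system
    owner: str | None    # employee/contractor id on record for the account
    enabled: bool


# Constructed HR feed: person id -> employment status
HR_STATUS = {
    "e1001": "active",
    "e1002": "terminated",
    "e1003": "active",
}

# Constructed snapshot of accounts collected from three systems
ACCOUNTS = [
    Account("mainframe", "ALICE", "e1001", True),
    Account("mainframe", "TEMP42", None, True),       # no owner on record
    Account("erp", "bsmith", "e1002", True),          # owner has left
    Account("erp", "cjones", "e1003", True),
    Account("portal", "oldvendor", "v9", True),       # owner unknown to HR
    Account("portal", "bsmith", "e1002", False),      # already disabled
]


def find_orphans(accounts, hr_status) -> list[tuple[Account, str]]:
    """Return enabled accounts with no valid, active owner, each with a reason."""
    orphans = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not an open door
        if acct.owner is None:
            orphans.append((acct, "no owner recorded"))
        elif acct.owner not in hr_status:
            orphans.append((acct, "owner not in directory"))
        elif hr_status[acct.owner] != "active":
            orphans.append((acct, f"owner status {hr_status[acct.owner]}"))
    return orphans


def orphan_ratio(accounts, hr_status) -> float:
    """Share of enabled accounts that are orphans (the kind of figure IDC quotes)."""
    enabled = [a for a in accounts if a.enabled]
    if not enabled:
        return 0.0
    return len(find_orphans(accounts, hr_status)) / len(enabled)


if __name__ == "__main__":
    for acct, reason in find_orphans(ACCOUNTS, HR_STATUS):
        print(f"{acct.system}:{acct.login} -> {reason}")
    print(f"orphan ratio: {orphan_ratio(ACCOUNTS, HR_STATUS):.0%}")
```

The three reasons are kept distinct because each points at a different process gap: a missing owner means accounts were created outside the provisioning path, an owner unknown to the directory usually means a contractor or partner who was never registered, and a terminated owner means offboarding did not reach that system.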

The forward-thinking products also deliver 'policy-based provisioning', which includes RBAC but with a practical bent. For instance, you might define a rule stating that any employee can get access to any system as long as their supervisor approves it. Adding other rules like 'The owner of the mainframe and ERP system must also approve access changes to these systems' would enhance security far above that achieved with typical manual approaches.
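The two rules just described, evaluated in code as an added example (not the logic of any product the article mentions): each rule maps a request to the approvers it requires, and the request is granted only when every required approval is present. Approvals from anyone else do not count. The org chart, system owners and request data are constructed for this example.

```python
"""Policy-based provisioning: an access request is granted only when every
applicable rule has the approval it requires.

Added example, not from the article. Org chart, system owners and requests
are constructed for illustration, following the two rules the article gives.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    requester: str
    system: str
    approvals: frozenset[str]   # identities that have already signed off


# Constructed org chart and system ownership
SUPERVISOR = {"alice": "mgr-ops", "bob": "mgr-finance"}
SYSTEM_OWNER = {"mainframe": "owner-mf", "erp": "owner-erp"}


def rule_supervisor(req: Request) -> set[str]:
    """Any employee may get access to any system if their supervisor approves.
    A requester with no supervisor on record cannot be approved at all."""
    if req.requester not in SUPERVISOR:
        raise LookupError(f"no supervisor on record for {req.requester!r}")
    return {SUPERVISOR[req.requester]}


def rule_system_owner(req: Request) -> set[str]:
    """Mainframe and ERP access changes also need the system owner's approval;
    other systems add no requirement."""
    owner = SYSTEM_OWNER.get(req.system)
    return {owner} if owner else set()


Rule = Callable[[Request], set[str]]
RULES: list[Rule] = [rule_supervisor, rule_system_owner]


def required_approvers(req: Request, rules: list[Rule] = RULES) -> set[str]:
    needed: set[str] = set()
    for rule in rules:
        needed |= rule(req)
    return needed


def evaluate(req: Request, rules: list[Rule] = RULES) -> tuple[bool, set[str]]:
    """Return (granted, approvals still missing)."""
    missing = required_approvers(req, rules) - req.approvals
    return (not missing, missing)


if __name__ == "__main__":
    req = Request("alice", "erp", frozenset({"mgr-ops"}))
    print(evaluate(req))   # (False, {'owner-erp'})
    req = Request("alice", "erp", frozenset({"mgr-ops", "owner-erp"}))
    print(evaluate(req))   # (True, set())
```

Because the rules are independent functions, adding a third (say, a data-owner sign-off for a particular application) is one more entry in `RULES` and nothing else changes; that is the 'step-wise growth' the article has in mind.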

RBAC is not the first step in the solution, but is an emerging, powerful refinement to automated user provisioning. The first steps towards lower costs, better security and improved service lie not in optimised theories but in the concrete capabilities of provisioning systems available today.

For more information: Access360, 0944 148 354 9050

Infosecurity Europe took place from 23-25 April 2002, and is Europe's largest IT security event. The show featured a comprehensive range of free seminars and keynote sessions on the hottest information security topics as well as hosting the largest gathering of information security vendors and new products in Europe.

