Role-based access control: in search of perfection

August 2002 Access Control & Identity Management

Role-based access control, or ‘RBAC’ as it is usually called, has become a popular new buzzword in security organisations. But so many ideas come and go; does this one have legs?

A bit of history is in order here. While it has become a hot topic over the past six months, RBAC has actually been around for a number of years, based on research by the US National Institute of Standards and Technology. Created to help organisations manage access rights for numerous users, RBAC operates under the principle that the roles people play in an organisation change less frequently than do the individuals occupying those roles. For example, the role of a bank teller has existed for decades but there is a high turnover of individual bank tellers. With a system based on RBAC, the roles imply the accesses a user needs with a company. Therefore, theory has it, managing the roles rather than the individuals, is a more effective approach towards automation.

High stakes

Why all the fuss over efficiently automating access rights? Actually, the stakes are quite high. According to IDC, 30-60% of active accounts on protected systems are orphans, that is, they cannot be associated with a valid user. Each of these 'orphan accounts' represents an open back door inviting hackers (or simply disgruntled former employees, partners or suppliers) to come in and wreak havoc on your system. To put it in dollar-and-cents terms, the average act of espionage from an insider costs an organisation about $2,7 million, according to the FBI.

The problem of orphan accounts has exploded because of the realities of IT security and network management in today's business climate. Because with mergers, layoffs and other changes, users come and go so frequently and new, access-controlled systems are constantly being rolled out, it has become enormously labour intensive to provision users with the access rights they need in a timely and controlled manner, and it has become even more expensive to keep track of these rights so that they can be suspended or deleted when the user no longer has need for them.

But RBAC is a theory, not a product. It defines an approach to represent roles and relations but not the instructions or tools to discover roles and make them useful. Today, a number of products utilise the concept of roles to assist in the access administration environment. ERP and portal initiatives often include some approach of using roles. Provisioning products and Web access control tools also include roles.

Which roles do you use, or want to use?

However, even though RBAC-based products are now available, your organisation may not be ready for them yet. The first step towards RBAC is analysing which roles you use, or want to use. It is necessary to put all your users (internal and external) into 'buckets' based on what they do. In practice, role-engineering is an experimental and expensive business analysis and results are mixed. Consulting companies offering 'role engineering' are quick to lend a hand if you do not have enough of your own, but this is still more of an art than a science. Many companies find they have nearly as many buckets, or roles, as they do users. Others have spent months only to throw up their hands after encountering political walls or running out of schedule.


The vacuum of products and processes to support the new science of role-engineering has drawn the interest of vendors and consultants. Role-mining tools are being proposed to discover hidden patterns of access rights that may imply a role. Standard roles are also being proposed. Because organisations operate differently and are already full of bad accounts, these approaches are expected to help only in limited situations.

If the results of the RBAC investment seem uncertain, you are right. But the problem is real, so what should you do? Be pragmatic about it. The reason you care about RBAC in the first place is to reduce administrative cost while improving your security and service quality. It turns out that the bang for the buck is not in this new theoretical approach but in solutions that are ready to give results now.

Provisioning systems have proven themselves to give large and visible benefits quickly by managing access rights across the entire enterprise. These systems offer concrete results and, if built flexibly, allow step-wise growth into RBAC when the time is right for your organisation. Provisioning systems offer:

* Password self-service to unload the help desk.

* Access rights accounting to track and enforce who has which accounts.

* They expose active accounts that should have been removed.

* Enforce and expedite approval processes with workflow to ensure proper authorisation.

These four functions have positive, visible impacts to your operations within just weeks of rollout.

The forward-thinking products also deliver 'policy-based provisioning,' which includes RBAC but with a practical bent. For instance, you might define a rule stating that any employee can get access to any system as long as their supervisor approves it. Adding other rules like 'The owner of the mainframe and ERP system must also approve access changes to these systems', would enhance security far above that achieved with typical manual approaches.

RBAC is not the first step in the solution, but is an emerging, powerful refinement to automated user provisioning. The first steps towards lower costs, better security and improved service lie not in optimised theories but in the concrete capabilities of provisioning systems available today.

For more information: Access360, 0944 148 354 9050

Infosecurity Europe took place from 23-25 April 2002, and is Europe's largest IT security event. The show featured a comprehensive range of free seminars and keynote sessions on the hottest information security topics as well as hosting the largest gathering of information security vendors and new products in Europe.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

A contact-free hotel experience
Issue 7 2020, Technews Publishing , Access Control & Identity Management
Check-in and go straight to your room without stopping at the reception desk at Hotel Sky in Sandton and Cape Town.

AI digitises coronavirus management
Issue 7 2020, NEC XON , Access Control & Identity Management
NEC XON is using NeoFace Watch and specialised thermography cameras to measure temperature and identify employees and visitors.

Combining visual and IR face recognition
Issue 7 2020, Suprema , Access Control & Identity Management
The FaceStation F2 offers face recognition and anti-spoofing performance.

Anviz unveils FaceDeep5
Issue 7 2020, ANVIZ SA , Access Control & Identity Management
Anviz Global has unveiled its new touchless facial recognition identity management and IoT biometric device.

Touchless biometric options
Issue 6 2020, Entry Pro , Access Control & Identity Management
When it comes to estate access control management, the foremost topic of conversation at the moment seems to be the importance of touchless biometrics.

Fast access to Kevro production facilities
Issue 6 2020, Turnstar Systems , Access Control & Identity Management
Employee and visitor access at Kevro’s Linbro Park premises in Gauteng is controlled through eight Dynamic Drop Arm Barriers from Turnstar.

Know your facial recognition temperature scanner
Issue 6 2020, ViRDI Distribution SA , Access Control & Identity Management
Facial recognition with temperature measurement is, for the most part, available in one of two technologies – thermopile and thermography/IRT.

Suprema integrates with Paxton’s Net2 access control
Issue 6 2020, Suprema , Access Control & Identity Management
Suprema has announced it has integrated its devices with Paxton’s access control system, Net2.

Contactless check-in at hotels
Issue 6 2020 , Access Control & Identity Management
Onity has delivered the DirectKey mobile access solution to hotel chains around the globe, which allows for contactless check-in and property access.

UFace facial recognition now in SA
Issue 6 2020, Trac-Tech , Access Control & Identity Management
Trac-Tech has secured the distribution rights to the UFace range of contactless biometric facial recognition and identity management IoT devices.