Role-based access control: in search of perfection

August 2002 Access Control & Identity Management

Role-based access control, or ‘RBAC’ as it is usually called, has become a popular new buzzword in security organisations. But so many ideas come and go; does this one have legs?

A bit of history is in order here. While it has become a hot topic over the past six months, RBAC has actually been around for a number of years, based on research by the US National Institute of Standards and Technology. Created to help organisations manage access rights for numerous users, RBAC operates under the principle that the roles people play in an organisation change less frequently than do the individuals occupying those roles. For example, the role of a bank teller has existed for decades but there is a high turnover of individual bank tellers. With a system based on RBAC, the roles imply the accesses a user needs with a company. Therefore, theory has it, managing the roles rather than the individuals, is a more effective approach towards automation.

High stakes

Why all the fuss over efficiently automating access rights? Actually, the stakes are quite high. According to IDC, 30-60% of active accounts on protected systems are orphans, that is, they cannot be associated with a valid user. Each of these 'orphan accounts' represents an open back door inviting hackers (or simply disgruntled former employees, partners or suppliers) to come in and wreak havoc on your system. To put it in dollar-and-cents terms, the average act of espionage from an insider costs an organisation about $2,7 million, according to the FBI.

The problem of orphan accounts has exploded because of the realities of IT security and network management in today's business climate. Because with mergers, layoffs and other changes, users come and go so frequently and new, access-controlled systems are constantly being rolled out, it has become enormously labour intensive to provision users with the access rights they need in a timely and controlled manner, and it has become even more expensive to keep track of these rights so that they can be suspended or deleted when the user no longer has need for them.

But RBAC is a theory, not a product. It defines an approach to represent roles and relations but not the instructions or tools to discover roles and make them useful. Today, a number of products utilise the concept of roles to assist in the access administration environment. ERP and portal initiatives often include some approach of using roles. Provisioning products and Web access control tools also include roles.

Which roles do you use, or want to use?

However, even though RBAC-based products are now available, your organisation may not be ready for them yet. The first step towards RBAC is analysing which roles you use, or want to use. It is necessary to put all your users (internal and external) into 'buckets' based on what they do. In practice, role-engineering is an experimental and expensive business analysis and results are mixed. Consulting companies offering 'role engineering' are quick to lend a hand if you do not have enough of your own, but this is still more of an art than a science. Many companies find they have nearly as many buckets, or roles, as they do users. Others have spent months only to throw up their hands after encountering political walls or running out of schedule.


The vacuum of products and processes to support the new science of role-engineering has drawn the interest of vendors and consultants. Role-mining tools are being proposed to discover hidden patterns of access rights that may imply a role. Standard roles are also being proposed. Because organisations operate differently and are already full of bad accounts, these approaches are expected to help only in limited situations.

If the results of the RBAC investment seem uncertain, you are right. But the problem is real, so what should you do? Be pragmatic about it. The reason you care about RBAC in the first place is to reduce administrative cost while improving your security and service quality. It turns out that the bang for the buck is not in this new theoretical approach but in solutions that are ready to give results now.

Provisioning systems have proven themselves to give large and visible benefits quickly by managing access rights across the entire enterprise. These systems offer concrete results and, if built flexibly, allow step-wise growth into RBAC when the time is right for your organisation. Provisioning systems offer:

* Password self-service to unload the help desk.

* Access rights accounting to track and enforce who has which accounts.

* They expose active accounts that should have been removed.

* Enforce and expedite approval processes with workflow to ensure proper authorisation.

These four functions have positive, visible impacts to your operations within just weeks of rollout.

The forward-thinking products also deliver 'policy-based provisioning,' which includes RBAC but with a practical bent. For instance, you might define a rule stating that any employee can get access to any system as long as their supervisor approves it. Adding other rules like 'The owner of the mainframe and ERP system must also approve access changes to these systems', would enhance security far above that achieved with typical manual approaches.

RBAC is not the first step in the solution, but is an emerging, powerful refinement to automated user provisioning. The first steps towards lower costs, better security and improved service lie not in optimised theories but in the concrete capabilities of provisioning systems available today.

For more information: Access360, 0944 148 354 9050

Infosecurity Europe took place from 23-25 April 2002, and is Europe's largest IT security event. The show featured a comprehensive range of free seminars and keynote sessions on the hottest information security topics as well as hosting the largest gathering of information security vendors and new products in Europe.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Simple steps to protect yourself against identity theft
November 2019 , Access Control & Identity Management
Are you doing enough to reduce the risk of having your identity stolen?

Looking ahead with mobile access technologies
Access & Identity Management Handbook 2020, Technews Publishing, HID Global, dormakaba South Africa, Salto Systems Africa, Suprema, Gallagher , Access Control & Identity Management, Integrated Solutions
Given the broad use of smartphones around the world and the numerous technologies packed into these devices, it was only a matter of time before the access control industry developed technology that would ...

Mobile access is more secure than card systems
Access & Identity Management Handbook 2020 , Access Control & Identity Management
The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new technology.

This is the future. This is what we do.
Access & Identity Management Handbook 2020, ZKTeco , Access Control & Identity Management
ZKTeco has created a unique range of visible light facial recognition products combined with a flexible Android platform.

The security of biometrics
Access & Identity Management Handbook 2020, ViRDI Distribution SA, IDEMIA , Technews Publishing, Suprema , Access Control & Identity Management
Hi-Tech Security Solutions asks whether your personal biometric data is safe from prying eyes.

A picture spoofs a thousand cameras
Access & Identity Management Handbook 2020, NEC XON, Hikvision South Africa, Technews Publishing , Access Control & Identity Management
Hi-Tech Security Solutions looks into the reliability and effectiveness of facial biometrics as well as the concerns about privacy.

IoT and behavioural authentication
Access & Identity Management Handbook 2020, CA Southern Africa , Access Control & Identity Management
IoT represents an increasing security risk to individuals in the form of pervasive, always-on monitoring of your personal activity with a potential compromise of your most personal security credentials.

Border crossing and national identification
Access & Identity Management Handbook 2020 , Access Control & Identity Management
Amidst a choice of technologies, diversity of policy frameworks, and emergent priorities, countries that intend to upgrade their identification systems today find themselves drawn into a complex vortex.

T&A by biometrics in the cloud
Access & Identity Management Handbook 2020 , Access Control & Identity Management
Time and attendance solutions have evolved from punch cards to cost-effective and more accurate cloud-based biometric systems.

Scalable access solution
Access & Identity Management Handbook 2020 , Access Control & Identity Management, Integrated Solutions
Bosch Building Technologies makes access management simple, scalable and always available with Access Management System 2.0.