RBAC: Role-Based Access Control Explained!

In an IT context, the term role-based access control stands for an efficient method of managing access rights in organizations. With RBAC, sets of privileges are combined into permission roles, which can then be assigned to users to give them multiple permissions in one go, rather than assigning each permission individually. A role essentially is a selection of privileges associated with a particular job (e.g. sales, customer service) or other attributes (location, department).

Users are not limited to one role. In fact, users are usually given multiple roles to adequately reflect the varying attributes that describe their exact place within the organizational structure. For example:

The opposite of RBAC is known as Discretionary Access Control (DAC), which is when permissions are assigned to users individually. While this approach is sufficient enough for smaller organizations with only a few users, it will inevitably lead to problems as the organization grows and the number of users increases. The reason for this is that DAC forces admins to spend a disproportionate amount of time and effort customizing user accounts.

Since admins, too, are only human, manual access management for each user inevitably leads to mistakes. It can be as simple as an admin skipping a step in the workflow or HR not informing IT of a transfer. Errors like these result in orphaned accounts and a gradual build-up of excess permissions known as privilege creep, both of which pose a major risk in terms of cybersecurity.

Bundling access rights within applications is a common IT practice, as it allows you to set different levels of authorization inside a specific program. Let’s say that all members of the finance department are given a particular set of rights in the accounting program, including the ability to input invoices. However, since we don’t want every Tom, Dick and Harriette to be able to approve larger sums of money, that particular level of authorization is given only to persons with a higher rank. Whenever a new person joins the finance team, they are assigned the appropriate level of authorization for the software.

Unfortunately, bundling access rights on the application level does not actually put an end to the time-consuming manual work admins have to carry out. The reason being that in modern digital infrastructures, users don’t just use a single app or service, they use dozens. So even if you create appropriate permission bundles within each application, administrators still have to go through all of these services one by one to assign the right role whenever they create or edit a user.

What you really need to simplify this process is a centralized platform where all those permissions from different apps and systems run together. And that’s precisely where Identity Access Management (IAM) comes into play.

IAM solutions take the basic concept of roles to the next level by allowing you to manage permissions across all systems through one automated platform. So, when an admin links a new user to a role, the IAM solution makes sure that user receives all intended permissions in every connected system.

Your IAM product is able to do this because it is equipped with the interfaces and plugins needed to connect to your Active Directory, file servers, Exchange & SharePoint, cloud platforms such as MS 365 and Azure AD, as well as business applications like SAP. Now, imagine you had to handle user privileges for all those systems manually – you’d never see the light of day, make lots of mistakes as you struggle along, and those mistakes would inevitably put your data at great risk and lead to catastrophic cybersecurity issues.

Role-based access control, on the other hand, automates user and rights management, which ensures users only ever have access to resources they really need to do their jobs. This approach is also known as the principle of least privilege, or POLP. Not only does POLP mark a cornerstone of IT security, it is also an explicit requirement dictated by an increasing number of legal standards (HIPAA, SOX).

There are a number of terms associated with role-based access control that are worth explaining at this point.

Business role: while a role represents the exact job/position and/or responsibility of an employee within an organization, the term business role, though similar, is mostly used to describe the sum total of privileges required by a specific job within the organization. And still, such terms may vary from one organization to the next. tenfold, for example, uses the term profiles instead of business roles to describe privilege bundles.

And, while roles represent collections of privileges, groups are used to combine several users or objects into one unit. It is important to be aware that roles and groups have different purposes, but that user groups are of relevance when it comes to implementing your role-based system. Get it?

Microsoft’s recommended approach for implementing role-based access control, AGDLP, for example, is based around memberships in nested groups, which are used to transfer user rights to different domains. IAM solutions set up the necessary structures automatically, meaning admins no longer have to bother with that kind of stuff and can now enjoy 12 cups of coffee a day instead of their usual 8.

The specific advantages RBAC will bring to your company depends on the current approach you are using and planning to replace. Apart from role-based access control, there are numerous other automated and rule-based concepts for controlling and assigning privileges available. Click here to jump straight to our comparison.

For most businesses, the central question is simply: do the benefits of switching to a role-based model trump the comfort of sticking to the familiar system of manual access management? Do you really need an answer to that? (Yes!! It’s yes.)

The long answer is: any form of reorganization of grown structures within companies that demands that people rethink and relearn (or unlearn) the methods they are used to comes at a certain price – not just in terms of money, but also in terms of time and effort. We’d be lying if we claimed that converting to a role-based access model was any different. But for companies who are already struggling to stay in control of rising user numbers, complex IT structures and increasingly demanding data protection laws, the switch will most definitely be worthwhile.

Read on to learn more about the strengths and benefits of RBAC.

Once your role-based access control system is up and running, you will immediately notice a reduction in the administrative workload. With RBAC, the entire user provisioning process is automated, so the need to assign privileges and resources manually is over. All admins have to do is assign users their applicable role(s), then your role-based system takes care of the rest in the background.

RBAC not only makes it easier to provide users their initial set of privileges when they join the team, it’s also a great time-saver for making subsequent changes. Assume a user is promoted or switches to another department – with RBAC, the admin simply assigns them their new role and your RBAC system automatically assigns the associated privileges and removes any privileges that are no longer needed. Role-based access control allows you to control user lifecycles, from start to finish, automatically.

Automated provisioning does not only make admin life easier, it also significantly ups the level of cybersecurity in your organization. After all, if you’re tasked with managing hundreds of user accounts and associated privileges manually, you are inevitably going to make mistakes: an overlooked extra privilege here, an outdated user account there, and whoosh: you got yourself in trouble. Such obsolete accounts that quietly sit and wait to be abused by hackers or to become gateways for malware attacks pose an enormous threat.

The 2021 attack on America’s largest fuel pipeline, Colonial Pipeline, which caused a weeklong fuel shortage among gas stations across the entire U.S. East Coast, is a prominent example of such an attack. The perpetrators used an old VPN account that was no longer in use, but still active, to access the company’s computer network. The account was not even protected by multi-factor authentication, which made it extra easy for the cybercriminals to inject ransomware into the system and extort a ransom payment of 4 million US dollars.

Had the enterprise employed an IAM solution and role system, the slumbering VPN connection would have been noticed sooner and immediately killed. The attack never would have happened.

If, despite all measures, an attacker does manage to penetrate the company network, RBAC can help to minimize the damage of the attack. Automated provisioning and access right management ensures that users can only access systems and data they need to do their jobs.

So, even if a hacker gets hold of an account, this point of access will only take him as far as the privileges the account has and the resources it has access to. He cannot use the hijacked account to damage anything the account does not have access to. So therefore, be sure to assign privileges as sparingly as possible to prevent misuse (remember – least privilege!).

One of the greatest advantages of sticking to this security strategy is that it blocks attacks both from the outside and from the inside. Unfortunately, many businesses today still fail to recognize the danger that lurks within, even though employee data theft has become a real biggie in the world of cyberattacks! In fact, Verizon’s 2021 Data Breach Investigations Report found that insiders are responsible for 22% of security incidents!

From an enterprise standpoint, it obviously makes sense to keep your data and systems sufficiently protected against all forms of attacks. But in the past decade or so, the subject of data protection has also become a political issue. In fact, it feels as though new laws dictating even stricter and even more complicated data protection standards are popping up left and right every day.

They range from regulations for specific industries (e.g. HIPAA in the healthcare sector) to various national and international standards such as the GDPR. Not to mention legislature on the state level, such as the California Consumer Privacy Act or different cybersecurity safe harbor laws. Meeting these intricate compliance requirements is a huge challenge in itself, but proving that you have met all requirements is sometimes even more difficult.

For instance, how do you verify that User X did not, at any time, have access to data they were not authorized to have access to? Exactly.

Once you’ve automated the various access management processes in your company, compliance audits will immediately become less daunting because, thanks to the sharp reporting tools you’ll have working for you in the background, all the historical logs and info required for audits and whatnot are at hand whenever you need them.

The idea of role-based access control is founded on the assumption that the areas of responsibility within organizations and departments are strictly separated, without any overlaps. The assumption is that developers only need access to development resources, the support team only needs access to customer data and open complaints, accounting only needs budget plans, and so on. This view provides a useful baseline for IT permissions, but file access and employee responsibilities are a lot more complex in real life.

Example: Your head of support, Mel, needs access to the developer roadmap so she knows the bigger picture and can coordinate communications in case any bugs pop up. So, what is the best way to grant her access?

At first glance, the solution would be to create an entirely new role for Mel and her specific need. But what do you do once more and more special requests come flying in? Let’s say Mark from HR needs access to the design app to modify this year’s Christmas card, and copywriter Sue’s been asked to proofread the company’s software manual, for which she needs access to some resources in the developer department.

The solution cannot be to set up a new role for every special right you want to distribute. No, your ideal solution is an access management tool that assigns and controls default rights on the basis of roles, but allows you to extend and modify your RBAC model as you go. And that is precisely what tenfold does: it assigns default rights automatically on the basis of roles, but also allows users to request additional rights using the built-in self-service portal.

These permission requests are then forwarded to the designated person(s) in charge and they can decide whether the requests shall be granted or declined. tenfold further makes sure decision-makers are regularly prompted to review these special rights to determine whether they are still needed or should be removed.

To properly employ RBAC, you must first define the applicable roles which the IAM system can use as a policy for user provisioning and for making any subsequent changes. Many businesses, especially ones who haven’t yet dabbled in the world of user and access management, often perceive this part as a major hurdle – when, in fact, it’s not half as scary as you might think.

The quickest way to design a role model yourself is to start with the most common rights and work your way from there toward more restricted rights. A step-by-step process to defining roles and creating an access control policy might look something like this:

The simplest and most straight-forward way to determine what roles are applicable to your company is to examine the current access structure, i.e. permissions that are currently assigned and in use. From these you can derive which permissions are default permissions (i.e. everyone has them) or special permissions (not everyone has/needs them).

This process is referred to as role mining. It’s what your IAM solution does first thing once connected. tenfold, for instance, comes with a built-in role assistant who is there to help you pick out rights during the initial setup, but also to help with changes you want to make later on down the road. Role-mining is a good way of establishing the role model for your company.

Attribute-based access control (ABAC) is another method of managing access rights. Instead of roles, ABAC uses attributes as the basis for managing access to resources. ABAC takes into account different parameters that reflect the context of different access requests. Such categories of attributes under ABAC include:

The main strength of ABAC is that it offers more granular control. Equipped with a portfolio of security rules, businesses can not only determine who should be granted access to what IT resources, but also specify detailed exceptions and restrictions. It’s a highly flexible concept.

The downside is that this level of flexibility comes at a cost: designing the necessary policies in such detail requires money, time and know-how. Lots of money. Lots of time. And a lot of expertise. Only once you’ve established an applicable and usually complex set of rules will your ABAC system be able to provide the level of flexibility and precision you’re looking for.

ABAC is considered by some to be the shining successor of RBAC – but let’s hold our horses there for a minute before we join that party. While attribute-based access control does offer a great many extra options for tweaking rights when compared to a role-based approach, it in turn comes at a far higher cost, both in terms of money you’ll have to invest to get your engine up and running, plus the heavy and complex administrative workload you will be facing on top.

So think carefully before you go for an ABAC model. Whether it’s worth your time and money really depends on the size and structure of your business: An attribute-based access control policy is best suited to businesses with over 10,000 users.

For mid–size organizations with up to 5,000 IT users, RBAC is by far the better and more productive option because it’s easier, quicker and – you’ll love this one! – cheaper to implement. You’ll have your processes automated in no time. Just make sure the IAM solution you pick allows a certain degree of flexibility when it comes to assigning special rights.

IAM solutions are designed to offer three core benefits: a greatly reduced administrative workload, improved cybersecurity and better compliance. Some products might try to wow you with endless feature lists and needlessly complex access control models. But the simple truth is that for most organizations, the easy implementation of RBAC makes it the sensible choice.

The IAM solution tenfold combines the advantages of RBAC with flexible, custom permissions. Users can request extra rights as needed through a self-service platform and these requests are then forwarded to the responsible data owner(s) who can approve or decline them directly, without any diversions through IT. This significantly helps to reduce helpdesk times. At the same time, tenfold keeps track of all assigned permissions. With its import feature and role-mining assistant, tenfold can be put into operation very quickly.

Start your free trial now and see for yourself how effortless yet efficient managing access rights and users can be – with tenfold: Simple. Secure. Ready to go.