Many people who are part of a larger organization may not be familiar with the term Role Based Access Control (RBAC), also called Role Based Security, but it's the most popular form of access control. You'll know exactly what I'm talking about in a few sentences.
Why do we need access control in an organization?
Access control is a means to limit an individual's access based upon their need to perform their duties and their need to access data. Properly administered access control helps an organization by:
- Limiting the risk of theft, acting as a preventative control on access to information
- Discouraging and deterring access to areas that are out of bounds
- Mitigating damage and reducing liability within an organization from having unauthorized individuals access information that isn't in their area of responsibility
Most people are familiar with role based controls but probably didn't know they had a name. Usually access controls are administered by network administrators or by an administrator who provides you access to an application. Users are placed in hierarchical groups based upon their role, and similar roles get similar access to information.

For example, an entry-level role may only have inquiry access to information in an application. As we move up the hierarchy in an organization, a supervisor may be able to inquire on and change information within an application, while a manager may be able to add, delete, and change information.

RBAC is a very practical and common means to manage access control within an organization. One problem occurs when not enough roles are defined. You may find yourself having access to one system for inquiry purposes and having to change, delete, or add information in another system because of poorly defined roles set up by your administrator. Other times an organization doesn't have any roles at all and access is simply managed on the honor system. This is problematic and negligent too.
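As an added illustration (not code from the original post), here is a small Python model of the hierarchy just described: roles inherit downward, roles are assigned per system, and an audit function shows what happens when an administrator defines too few roles. The systems "hr" and "payroll", the users, and the permission names are constructed for the example.

```python
from dataclasses import dataclass, field

# Permission names follow the post: inquire, change, add, delete.
# Each role maps to (its own permissions, the role it inherits from).
ROLES = {
    "entry": ({"inquire"}, None),
    "supervisor": ({"change"}, "entry"),
    "manager": ({"add", "delete"}, "supervisor"),
}

def permissions_of(role):
    """Effective permissions of a role, walking up the hierarchy."""
    perms = set()
    while role is not None:
        own, parent = ROLES[role]
        perms |= own
        role = parent
    return perms

@dataclass
class User:
    name: str
    # Roles are assigned per system, so inquiry-only on one system
    # never implies change rights on another.
    roles: dict = field(default_factory=dict)

def is_allowed(user, system, action):
    """Deny by default: no role on a system means no access to it."""
    role = user.roles.get(system)
    return role is not None and action in permissions_of(role)

def excess_permissions(user, needs):
    """Permissions held beyond what the user's duties on each system require.
    A non-empty result is the 'not enough roles' problem made visible."""
    excess = {}
    for system, role in user.roles.items():
        extra = permissions_of(role) - needs.get(system, set())
        if extra:
            excess[system] = extra
    return excess

# Constructed example: two systems, "hr" and "payroll" (hypothetical names).
alice = User("alice", {"hr": "entry", "payroll": "supervisor"})
ALICE_NEEDS = {"hr": {"inquire"}, "payroll": {"inquire", "change"}}
# Bob only needs to inquire on payroll, but the administrator defined
# just one role for that system, so he was granted "manager".
bob = User("bob", {"payroll": "manager"})
BOB_NEEDS = {"payroll": {"inquire"}}
```

Running `excess_permissions(bob, BOB_NEEDS)` reports the add, delete and change rights Bob holds but does not need, which is the kind of gap a reviewer would raise with the administrator.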
So the next time you need access to a new system, or if you're frustrated with your current access limitations... be sure to mention RBAC to your administrator or supervisor.
For more information about Role Based Access Control visit the National Institute of Standards and Technology site at:
SANS also has a very good white paper entitled “Role-Based Access Control” which outlines the most common forms of access control: Mandatory Access Control (MAC), Discretionary Access Control (DAC) and RBAC.