Expert advice on implementing role-based access control (RBAC)

IT Best Practices Alert By Linda Musthaler, Network World
March 16, 2012 01:59 PM ET

Is your company thinking about implementing role-based access control? When RBAC is done right it can improve enterprise security, reduce employee downtime and improve the efficiency of resource provisioning and access control policy administration. However, an endeavor of this nature can be complex and, unfortunately, as many as 70% of the attempted projects don't meet their goals.

Understanding the paths to success and the potential points of failure is essential. Our friends at Wisegate, the social networking site for information security and IT executives, have a few pointers to share on this topic. Wisegate has just published its latest report, "Role Based Access Control: How-to Tips and Lessons Learned from IT Peers." The report is available for free download here.

Wisegate recently assembled the members of its Identity Access and Management micro-community for an RBAC-themed sharing session. The discussion was led by Wisegate member Tom Malta, who is a senior technology risk executive in the financial services industry. Malta has extensive experience with implementing RBAC at several large financial firms. In addition to sharing his expertise, Malta also leads the LinkedIn group called the Role Based Access Control Executive Forum.

The report is a good primer for those who are just learning RBAC principles, such as role inheritance. It provides examples of how to set up basic roles and assign assets to those roles, how to create parent/child relationships, and how to reuse roles and assets. It further provides examples of business role models and of polyarchy, which is the collection of roles an individual holds across different hierarchies or relationships. Some of the common business role models include organization-based roles, people-to-people-based roles, and approval-based roles.
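The role inheritance and polyarchy principles described above, as an added example that is not from the article or the Wisegate report: a small role model in which child roles inherit their parents' assets, a base role is reused across two hierarchies, and a person's effective access is the union over every role they hold. The class, role names and asset names are constructed for illustration.

```python
from collections import deque

class RoleModel:
    def __init__(self):
        self.assets = {}    # role -> assets granted directly to it
        self.parents = {}   # role -> parent roles it inherits from

    def add_role(self, role, assets=(), parents=()):
        self.assets.setdefault(role, set()).update(assets)
        self.parents.setdefault(role, set())
        for p in parents:
            self.assets.setdefault(p, set())
            self.parents.setdefault(p, set())
            # Refuse a parent link that would make the hierarchy circular.
            if p == role or self._inherits_from(p, role):
                raise ValueError(f"{p!r} as parent of {role!r} would form a cycle")
            self.parents[role].add(p)

    def _inherits_from(self, role, ancestor):
        # True if `ancestor` is reachable from `role` along parent links.
        seen, queue = set(), deque(self.parents.get(role, ()))
        while queue:
            r = queue.popleft()
            if r == ancestor:
                return True
            if r not in seen:
                seen.add(r)
                queue.extend(self.parents.get(r, ()))
        return False

    def effective_assets(self, roles):
        # Polyarchy: union of assets over every held role and all its ancestors.
        result, seen, queue = set(), set(), deque(roles)
        while queue:
            r = queue.popleft()
            if r in seen:
                continue
            seen.add(r)
            result |= self.assets.get(r, set())
            queue.extend(self.parents.get(r, ()))
        return result

def build_example():
    # Constructed sample: an organization-based chain plus an approval-based
    # role that reuses the same base "employee" role (all names illustrative).
    m = RoleModel()
    m.add_role("employee", {"email", "intranet"})
    m.add_role("finance_analyst", {"ledger_read"}, parents={"employee"})
    m.add_role("finance_manager", {"ledger_write"}, parents={"finance_analyst"})
    m.add_role("expense_approver", {"approve_expense"}, parents={"employee"})
    return m
```

Calling `build_example().effective_assets({"finance_analyst", "expense_approver"})` shows the polyarchy case: one person holding roles from both hierarchies gets the union of both chains, while a cycle-forming parent link is rejected.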

Within the group discussion, Malta brought out the "top 10" questions he gets asked by people working on RBAC projects. This is the most valuable portion of the Wisegate report, as an experienced practitioner answers questions such as:

• When should we introduce RBAC into our access management program?

• How do we get started? What is the simplest way to start our project?

• What comes first, role mining or role management?

• Should the creation of roles and their associated management be centralized or decentralized?

• How often should we validate the contents of roles and what they enable?

• How many roles should we deploy?

Malta further shares his expertise with his advice on the high-level functional requirements to look for in a role management system, regardless of whether it is being built in-house or purchased off the shelf.

The Wisegate report offers a few tips and best practice considerations for RBAC projects:

• Build in RBAC when your identity and access management (IAM) program is mature.

• Utilize role mining before you try to do role management. Invest some time in role mining to understand what access you are actually granting today.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
