Role-based access control (RBAC) is
|“||[a]ccess control based on user roles (i.e., a collection of access authorizations a user receives based on an explicit or implicit assumption of a given role).||”|
"Role permissions may be inherited through a role hierarchy and typically reflect the permissions needed to perform defined functions within an organization. A given role may apply to a single individual or to several individuals."
RBAC offers administrative efficiency and the capability to intuitively administer and enforce a wide range of access control policies.
In RBAC, permissions are associated with roles and roles are assigned to users in order to grant user permissions corresponding to those roles. The implementation of this basic concept greatly simplifies access control management. Roles are centrally created for the various job functions in an organization, and users are assigned roles based on criteria such as their positions and job responsibilities. Users can be easily reassigned roles. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles as needed. For example, if a user moves to a new function within the organization, the user can be assigned to the new role and removed from the old one with associated privileges updated automatically. In the absence of RBAC, the user’s old privileges would have to be individually identified and revoked, and new privileges would have to be granted.
Although RBAC represents a clear improvement over simple table lookup models of the access control matrix (data structures such as access control lists), the RBAC model does not solve all access control and privilege management problems. Discovering and defining roles and mapping roles to enterprise resources and applications, commonly referred to as role engineering, are costly and difficult.
Ultimately, access control should be redefined and re-engineered from the ground up to reflect the increasing scale and complexity of networks and systems of systems. The goal should be a redefinition that preserves access control advancements while providing a generalized context to accommodate well-known and ad hoc access control policies, is easy to deploy and manage, and is safe in its configuration.
- ↑ Cybersecurity A Primer for State Utility Regulators, App. B.
- ↑ Id.