This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
Groups are Just a Start
Most people in the industry incorrectly equate RBAC with only creating individual roles or groups and assigning users to those containers. Assign the necessary entitlements and permissions to the containers, and you have an access control model that is easier to manage, better for enforcing least privilege, and more scalable compared to user identity-based access control.
True, the use of groups allows organizations to better assign privileges, monitor how data is accessed, and meet statutory and regulatory requirements pertaining to privacy and confidentiality.
However, constructing effective roles and policies is labor intensive and complex. Managing static access rights through access control lists (ACLs) quickly gets overwhelming and does not provide enough flexibility in our dynamic environments.
Groups and ACLs are a step in the right direction, but they are not powerful enough tools to provide the type of detailed, dynamic control that companies require for the extended enterprise in a Web-based world.
The RBAC model is much more complex than just using groups and ACLs and allows for granular security context- and content-based access decisions.
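To make the distinction concrete, here is a small RBAC engine written as an added example for this article (it is not code from the magazine or from any product the article describes). A plain group model stops at "user is in group, group is on the ACL." The engine below adds the pieces the article says RBAC is really about: a role hierarchy, a static separation-of-duty rule that refuses conflicting role assignments, and per-role constraints that evaluate the access context (time of day) and the content being touched (the record's department). All role, user, permission and department names are constructed for illustration.

```python
"""Minimal RBAC with hierarchy, separation of duty, and context/content constraints.
Added example for this article; every name below is a constructed placeholder."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# A constraint sees the access context (who/when/where) and the record content.
Constraint = Callable[[dict, dict], bool]


@dataclass(frozen=True)
class Permission:
    action: str     # e.g. "read", "approve"
    resource: str   # e.g. "invoice"


@dataclass
class Role:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    parents: Set[str] = field(default_factory=set)        # roles this role inherits from
    constraints: List[Constraint] = field(default_factory=list)  # must all hold at decision time


class RBAC:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.assignments: Dict[str, Set[str]] = {}   # user -> directly assigned roles
        self.static_sod: Set[frozenset] = set()       # role pairs no user may hold together

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def forbid_together(self, a: str, b: str) -> None:
        self.static_sod.add(frozenset((a, b)))

    def assign(self, user: str, role_name: str) -> None:
        if role_name not in self.roles:
            raise KeyError(role_name)
        held = self.assignments.setdefault(user, set())
        for other in held:  # static separation of duty is enforced at assignment time
            if frozenset((other, role_name)) in self.static_sod:
                raise ValueError(f"separation of duty: {user} may not hold {role_name} with {other}")
        held.add(role_name)

    def effective_roles(self, user: str) -> Set[str]:
        """Directly assigned roles plus everything reachable through the hierarchy."""
        result: Set[str] = set()
        stack = list(self.assignments.get(user, ()))
        while stack:
            name = stack.pop()
            if name in result:
                continue
            result.add(name)
            stack.extend(self.roles[name].parents)
        return result

    def check(self, user: str, action: str, resource: str,
              context: Optional[dict] = None, record: Optional[dict] = None) -> bool:
        """Allow only if some effective role holds the permission AND that role's constraints pass."""
        context, record = context or {}, record or {}
        wanted = Permission(action, resource)
        for name in self.effective_roles(user):
            role = self.roles[name]
            if wanted in role.permissions and all(c(context, record) for c in role.constraints):
                return True
        return False  # default deny


# Context-based constraint: only during business hours (constructed policy).
def business_hours(context: dict, record: dict) -> bool:
    return 8 <= context.get("hour", -1) < 18


# Content-based constraint: the record must belong to the requester's own department.
def own_department(context: dict, record: dict) -> bool:
    dept = context.get("department")
    return dept is not None and dept == record.get("department")


def build_demo() -> RBAC:
    """Constructed policy: employees read their own department's invoices;
    approvers inherit that and may approve, but only in business hours;
    auditors read everything and may never also be approvers."""
    rbac = RBAC()
    rbac.add_role(Role("employee", {Permission("read", "invoice")}, set(), [own_department]))
    rbac.add_role(Role("approver", {Permission("approve", "invoice")}, {"employee"},
                       [business_hours, own_department]))
    rbac.add_role(Role("auditor", {Permission("read", "invoice")}))
    rbac.forbid_together("approver", "auditor")
    rbac.assign("alice", "approver")
    rbac.assign("bob", "employee")
    rbac.assign("bob", "auditor")
    return rbac


def sod_blocked(rbac: RBAC, user: str, role_name: str) -> bool:
    """True if assigning role_name to user is refused by separation of duty."""
    try:
        rbac.assign(user, role_name)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    rbac = build_demo()
    ctx = {"hour": 10, "department": "finance"}
    print(rbac.check("alice", "approve", "invoice", ctx, {"department": "finance"}))   # True
    print(rbac.check("alice", "approve", "invoice", {"hour": 22, "department": "finance"},
                     {"department": "finance"}))                                        # False: after hours
    print(sod_blocked(rbac, "bob", "approver"))                                         # True
```

The point of the example is in `check`: two requests from the same user with the same role set get different answers depending on the hour and on the department stamped on the record. A group on an ACL cannot express that, which is why the article argues that groups are only where RBAC begins.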
A more robust implementation of RBAC will be essential to meet security and business needs as they become more entwined with each other. Managing thousands or millions of accounts securely requires automated applications that can interoperate easily. This would
This was first published in May 2007