Authored by: Bhavdip Rathod, Director, Identity and Access Management

A role is a collection of permissions, and users receive permissions through the roles they have been assigned. Role Based Access Control is an approach that uses the job functions performed by individual users within the organization to determine their appropriate access levels.

One of the main goals of RBAC is to ensure employees are only granted the necessary level of access to perform their job. A well-designed RBAC system also simplifies and streamlines the administration of access by grouping sets of access in a logical and intuitive way (i.e. via department, job function, job title, region, or manager level). Grouping common access permissions into roles provides a secure and efficient way to manage access, while simplifying the process for both administrators and users.

How RBAC Can Benefit You and Your Company

If implemented efficiently, an RBAC implementation and associated process redesign has many benefits for both your team and the entire organization.

While highly beneficial, implementing RBAC in an enterprise can be a major and daunting task.

Most Common Reasons Why Many RBAC Programs Fail in the Field

  • Lack of executive sponsorship and funding
  • Not involving business users during the process of defining roles
  • Insufficient communication of RBAC project value
  • Poor design of roles
  • Failure to enforce Principle of Least Privileges
  • Lack of extensibility and flexibility of role models – Role models must be adaptable to business changes

RBAC Implementation Best Practices and Tips

Take a sensible approach. Think of RBAC as an ongoing program, not a project. Don’t expect to achieve immediate 100% coverage of all access via RBAC.  A comprehensive RBAC solution could take months or even years to complete. It is realistic and acceptable to implement RBAC in steps or phases.

Do an in-depth exercise to clean up bad data and entitlements. Do this exercise as pre-requisite before creating and defining roles for the RBAC program. Clean data is a major ingredient of the recipe for a successful RBAC program implementation.

Start simple and familiar.  Target roles for areas that are more familiar in the business This lets you eliminate the “discovery” portion where you must try to determine what access might be needed.

Target areas of high turn-over. Identify the business areas where provisioning and deprovisioning processes are already established. These areas are usually very well understood from an access perspective.

Start small.  Don’t try and create and assign all roles across the entire organization in one go.

Wait until your overall IAM program is mature. Don’t rush. Implementing RBAC too early in your overall Identity and Access Management (IAM) program leads to a higher failure rate. RBAC does not necessarily require an IAM system. However, RBAC can be implemented much more easily and efficiently if the IAM system is in place.

Assign a role owner to represent each area from the business side. Identify the people who possess the best “insider knowledge” about their departments and assign them as role owners.

Prepare a team. Hire experienced business analysts and role engineers who have in-depth experience of interviewing business owners and IT staff to gather detailed RBAC requirements from each area of business involved in the RBAC program. Skilled role analysts/engineers can efficiently bridge the gap between business-focused managers and technically-savvy IT staff.

Make roles reusable. If only one person in the whole organization has a particular role, maybe that access shouldn’t be managed via RBAC. Make sure the roles that you define are applicable to groups of people; otherwise, your role model will be unwieldy and will not deliver the goals of efficiency and simplification

Decide and utilize appropriate role mining techniques based on your requirements. Select a top-down or bottom-up role mining approach for your RBAC program. A bottom-up approach provides more granularity in terms of identifying the common accesses between users and roles. Most of the identity and access management products provide some sort of role mining capabilities—utilize those. It has been proven that a hybrid approach of bottom-up and top-down role mining techniques usually yields the best results in an enterprise environment.

Enforce least privilege. Define roles so that people are not granted unnecessary access. Setting up roles based upon least privilege is a best practice for reducing security risks, including those stemming from both malicious intent and from user errors.

Test and verify your roles. Roles require testing and verificationa. If at the outset you define roles sub-optimally and place them into production, you can end up with a lot of users who have too little or too much access. A major cleanup effort may be required if you roll out a role structure that has not been properly set up or tested.

Roles aren’t a one-time thing.  Roles should change with the business, and they should be revisited periodically to verify their continued relevancy and accuracy. Consider establishing role recertification processes to keep them up-to-date with business changes.

Understanding best practices and adapting to them early on in an RBAC project can be a game changer. An efficient and successful RBAC program will significantly reduce IT service and administration costs and greatly improve an organization’s overall security posture. A successful RBAC program can reduce or even eliminate  “insider threat” related cybersecurity exposure points, a critical measure for any organization looking to strengthen its cybersecurity infrastructure.