Identity access and management (IAM) is an integral part of a security strategy in the modern enterprise. By ensuring only the right people can access specific systems and data, IAM helps limit your organization’s exposure and reduce risk. Many IAM systems use a method called role-based access control (RBAC) to assign permissions for who can do what within specific IT resources like applications, depending on the organization’s structure and the users’ responsibilities.

Also referred to as role-based security, RBAC can restrict actions based on criteria such as department or business unit, position, and authority level. If your business deals with personal identifiable information (PII) such as customer records, financial transactions, or intellectual property, it’s important to understand what is RBAC and how you can use it to improve security.

What is RBAC and how does it work?

RBAC allows you to create and enforce advanced access by assigning a set of permissions. The permissions are based on what level of access specific user categories require to perform their duties. In other words, different people in your company can have completely different levels and types of access privileges based solely on factors such as their job function and responsibilities.

For example, Human Resources employees could view employee records but not customer data. And an HR manager could delete or change HR records while a lower-level HR specialist would only be able to view them.

The U.S. National Institutes of Standards and Technology (NIST) introduced the RBAC approach as a better alternative to discretionary access control (DAC). With RBAC, you assign each user one or more roles and then assign privileges that are allowed for those roles. Users can be employees, contractors, business partners, and so on, with each role within those categories having predefined permissions. When an individual’s responsibilities or functions change—for example, due to a promotion or department transfer—that person is assigned to the new role in the RBAC system.

What is an RBAC role?

Within the RBAC framework, a role is a semantic construct that you use for building permissions. A role could be defined by any number of criteria including authority, responsibilities, cost center, and business unit.

The role, essentially, refers to the collection of user permissions. This is different from the traditional groups, which are a collection of users. In the context of RBAC, permissions are tied to roles rather than being directly connected to identities.

Roles are more stable than groups because roles are organized around access management, and in a typical organization, functions and activities don’t change as frequently as identities do.

What are the benefits of RBAC for organizations?

One of the biggest advantages of RBAC is the systematic approach it provides for defining and maintaining roles—enabling you to consistently grant access based only on what users need and consequently reducing your risk of data breaches or data loss.

But RBAC has a variety of other benefits, including:

  • Accelerating onboarding by automatically assigning access to new employees based on HR attributes
  • Streamlining IT admin work—for example, by enabling a quick reassignment of permissions at a global level, across multiple platforms and applications
  • Improving compliance with regulations such as European Union’s General Data Protection Rule (GDPR) or the U.S. Health Insurance Portability and Accountability Act (HIPAA)
  • Reducing third-party risk by giving external users such as vendors and business partners predefined roles
  • Maintaining the best practice of “least privilege” by automatically updating access permissions when roles change
  • Decreasing the costs of advanced access control, especially in large, complex environments

What is the RBAC standard?

Implementing RBAC can be complex because developing the RBAC structure (known as “role engineering”) entails numerous components and steps. To help organizations in this process, NIST proposed unified RBAC standards.

In 2004, the International Committee for Information Technology Standards (INCITS), a U.S. agency that develops information and communications technology standards, adopted NIST’s proposed standards. INCITS published a revised version of the RBAC standards in 2012.

Additionally, some industry groups and other entities have further developed standards for specialized domains. For example, Health Level Seven (HL7), an international standards development organization for healthcare, has its own guidelines for role-based engineering.

The four RBAC models

The NIST standard includes four RBAC models:

  • Core RBAC:  The basic model has three elements: users, roles, and permissions. The model design is based on the “many-to-many” principle, meaning that more than one user can have the same role and one user can have multiple roles. Likewise, you can assign the same permission to multiple roles and assign the same role to multiple permissions.
  • Hierarchical RBAC: Adds a fourth component, hierarchy, which defines seniority relations between the various roles. By enabling senior roles to automatically acquire the permissions of the junior roles, you eliminate redundancies such as having to specify certain permissions when roles overlap.
  • Static separation of duty (SSD) relations: To help in situations when you have conflict of interest policies, relations among roles are added based on user assignments. For example, a user who is a member of one role would not be able to be assigned membership to a role that has a conflict of interest.
  • Dynamic separation of duty (DSD) relations: Like SSD, DSD limits available user permissions but is based on a different context. For example, a user may require a different level of access based on the task performed during the session, and DSD restricts the permissions that are activated during that session.

Implementing RBAC

Before you implement role-based controls in your organization, it’s important to go through some foundational steps. Consider starting with activities such as:

  • Identifying your business needs—this includes understanding the different job functions across your organization and the processes and technologies that support those functions.
  • Understanding the scope—to minimize disruptions during the transition, plan on starting with critical systems first and then growing over time to all systems.
  • Creating and defining the roles—once you understand the needs and how people in different job functions perform their daily activities and tasks, you can create a list of permissions these groups of users need.
  • Developing a rollout timeline—will give stakeholders time to prepare and minimize disruptions.
  • Writing a policy—documenting how changes are made provides transparency, clarifies your process, and helps avoid potential issues.

Best practices for implementation

To ensure a successful implementation, consider these best practices:

  • Implement RBAC in phases. In addition to reducing disruptions, a phased integration helps you manage the workload and troubleshoot problems. One way to phase in the plan is by starting with high-level controls and then adding granularity during the next stage. You can also start with a core group of users and work out any bugs before rolling out to a wider base.
  • Review and adapt. Most likely, your RBAC infrastructure will need some adjustments. Audit and evaluate access and permissions and refine your controls periodically. Make sure to evaluate not only processes but also the security of those processes.
  • Provide education. To ensure stakeholder buy-in before adoption, educate employees and other users about the importance of RBAC to your organization. People don’t like change and helping them understand why you’re implementing RBAC will accelerate their acceptance of the new process and policies. Include everyone in these conversations—from top leadership, down to rank-and-file employees. 

Final thoughts

Using RBAC significantly increases your ability to manage access, not only boosting security and improving compliance but also adding efficiencies to your IT operations. If you have an IAM strategy or are considering one, roles will reduce repetitive tasks and manual processes.

A leader in identity security, SailPoint can help you implement and manage your role-based access control project effectively. For example, SailPoint Access Modeling uses patented machine learning to provide guidance on refining and maintaining roles. Using the right automation tools for your RBAC program will help you overcome the complexities and scale of access.

Take control of your cloud platform.

Learn more about SailPoint Access Modeling.

Get Started Today