Role Based Access Control
Role-based access control (RBAC) is an approach to managing entitlements, intended to reduce the cost of security administration, ensure that users have only appropriate entitlements and to terminate no-longer-needed entitlements reliably and promptly.
In the context of a single system or application, RBAC means granting privileges directly to roles and attaching users to roles. Users acquire privileges through role membership, rather than directly. Within a single system, roles are sometimes called security groups or user groups.
Single-system RBAC is a time tested and successful strategy, as it allows administrators to group users, group privileges and attach groups of privileges to groups of users, rather than attaching individual privileges to individual users.
Identity management and access governance systems extend RBAC beyond single applications. Roles in an IAM system are sets of entitlements that may span multiple systems and applications. The key element of roles is to replace many technical entitlements with fewer roles that business users can understand. Business users can then a reasonable determination of which users should have which roles. This implicitly specifies which users should have which technical entitlements.
Roles consist of entitlements -- login accounts and security group memberships. Roles are often also nested -- i.e., one role can contain others. Nesting roles can reduce the cost of role administration.
Hitachi ID Identity Manager includes a complete infrastructure for managing user entitlements using role based access control (RBAC).
- Define Roles:
Administrators define roles in Identity Manager as collections of:
- Login accounts on specified target systems.
- Membership in groups on target systems.
- Role Hierarchy:
In addition to entitlements on target systems, roles can include other roles. This allows organizations to define:
- Technical roles, consisting of entitlements on target systems.
- Business roles, consisting of other roles.
- Mandatory and Optional Components:
Roles may contain both mandatory and optional entitlements. Users who are assigned a role will, in general, be assigned all of the mandatory elements in a role. In addition, users who have been assigned a role may request any of its optional components, which will be granted without need for additional approvals.
- Role Assignment:
Users can be assigned zero or more roles:
- Some users can be outside the scope of the RBAC infrastructure.
- Other users can be assigned exactly one role, representing their singular job function.
- Still other users can be assigned multiple roles, representing multiple job functions.
- Manual and Rule-based Assignment:
Roles may be assigned via a request process -- i.e., a requesting user U_q asks that a receiving user U_p be assigned role R_x. Such requests may be subject to policy and human approval before being completed.
Roles can also be assigned automatically, by defining a class of users who should be assigned a given role and associating that class with the role. In this case, both on a batch basis (e.g., nightly), with a throttle mechanism, and as user profiles are altered in a manner that changes their qualification for the user class, roles are automatically assigned or revoked.
- Role-based Change Requests:
Requests to create new user profiles can specify a role -- either instead of or in addition to other entitlements that the new user should be provisioned.
Requests relating to preexisting users can include role changes. Role changes may cause entitlements to be added, removed or left in place.
- Approved Exceptions:
Some users may have a legitimate reason to retain privileges beyond those called for in their assigned roles or may not need all of the privileges in that role. Identity Manager supports users who remain legitimately out of compliance, through approved exceptions to role-based security entitlements.
- Controlled Enforcement:
Users can be flagged for role-based access control (RBAC) enforcement. This means that any entitlements they have in violation of their assigned roles -- either too many or too few -- can be detected and automatically remediated.
- Cascading Changes:
Identity Manager includes an RBAC enforcement engine, which is normally run as batch process every 24 hours. This engine can detect users whose actual security entitlements are out of compliance with the entitlements that their assigned roles predict. This may be because changes were made to their profiles outside of Identity Manager, or because the role's definition has changed.
The RBAC enforcement engine detects non-compliant users and automatically submits workflow change requests to bring users back into compliance.
One of the use cases this supports is cascading role changes: an administrator can change a role's definition and commit the change. On the next automated enforcement run, the RBAC automation engine will automatically submit workflow requests to bring users into compliance with the new role definition. These requests may be auto-approved (depending on organization's policy), which means that they may be applied to target systems immediately.
- Gradual Deployment:
It is impractical to deploy RBAC enforcement to every one of a large population of users, all at once. To avoid this, Identity Manager supports gradual activation of users for RBAC enforcement, allowing time to educate users about the new system and troubleshoot errors in the RBAC model for a few users at a time.
- Role-Aware Access Certification:
Identity Manager supports certification of user entitlements at several levels of granularity:
- Fine-grained entitlements assigned to users -- many checkboxes, based on data pulled directly from target systems.
- Roles assigned to users -- fewer checkboxes, representing groups of privileges.
- Approved exceptions to the privileges predicted for a user by policy, where the policy may be role assignment or a segregation of duties rules.