Role based access control and best implementation practices

by Bhavdip Rathod, IAM Solution Architect, Sailpoint Technologies, Inc

A role is a collection of permissions, and users receive permissions through the roles they have been assigned. Role Based Access Control is an approach that uses the job functions played by individual users within the organization to determine what access they should have.

One of the main goals of RBAC is to grant employees only the access they need to do their jobs and to prevent them from having access that is not relevant to them. A well-designed RBAC system also simplifies and streamlines the administration of access, by grouping sets of access in a logical and intuitive way, based on things like department, job function or title, region, or manager level. Grouping common access permissions into roles provide a secure and efficient way of managing access and help keep things simple for administrators the users requesting access.

Why RBAC is important to you and your company?

An RBAC implementation and associated process redesign have many benefits for the organization and your team if done implemented efficiently:

Implementation of RBAC in an enterprise can be a major and daunting task.

Most common reasons why many RBAC programs in the field fail:

• Lack of executive sponsorship and funding
• Not involving business users during the role mining activities
• Insufficient communication of RBAC project value
• Poor design of roles
• Failure to establish a Principle of Least Privileges
• Lack of extensibility and flexibility of role models – Role models must be adaptable to business changes

Best RBAC implementation Practices and Tips

Take a sensible approach. Think of RBAC as an ongoing program, not a project. Don’t expect to achieve 100% coverage of all access via RBAC as you implement it. A comprehensive RBAC solution could take months or even years to complete. It is realistic and acceptable to implement RBAC in steps or phases.

Do an in-depth exercise to clean up bad data and entitlements. Do this exercise as pre-requisite before creating and defining roles for the RBAC program. Much cleaner data is one of the prime recipes of the successful RBAC program implementation.

Start simple and familiar.  Target roles for areas that are more familiar in the business.  This way you eliminate the “discovery” portion of trying to figure out what access might be needed.

Target areas of high turn-over. Identify the business areas where provisioning and de-provisioning processes are already established. These areas are usually very well understood from an access perspective.

Start small.  Don’t try and do all roles across the entire organization in one go.  That will fail.

Wait until your overall IAM program is mature. Don’t rush. Implementing RBAC program too early in your overall IAM program leads to a higher failure rate. RBAC does not necessarily require an IAM system. But RBAC can be implemented much easier and efficiently if the Identity and Access Management (IAM) system in place.

Assign role owner to represent each area from the business side. Identify the people who have the best insider knowledge about their departments as role owners.

Prepare a team. Hire experienced business analysts and role engineers who have in-depth experience of interviewing business owners and IT staff to gather detailed RBAC requirements from each area of business involved in RBAC program. Skilled role analysts/engineers can efficiently bridge the gap between business focused managers and IT technically-savvy IT, staff.

Make roles reusable. If only one person in the whole organization has some particular role, maybe that access shouldn’t be managed via RBAC. Make sure the roles you define are applicable to groups of people; otherwise, your role model will be unwieldy and will not deliver the goals of efficiency and simplification

Decide and utilize appropriate role mining techniques based on your requirements. Select top-down or bottom-up role mining approach for your RBAC program to create and define roles. The bottom-up approach provides more granularity in terms of identifying the common accesses between users to define roles. Most of the identity and access management products provide some sort of role mining capabilities. Utilize those. It has been proven that a hybrid approach of bottom-up and top-down role mining techniques usually gives the best results in an enterprise environment.

Enforce the least privilege. Define roles so that you don’t give people access they don’t need. Setting up roles for the least privilege is a best practice for reducing security risk, both from malicious intent and from user errors.

Test and verify your roles. Roles need as much testing and verification as other functionality – may be more. If you define roles sub-optimally at the outset and put them into production, you can end up with a lot of users who lack the access they need or who have more access than they should. There can be a big cleanup effort if you roll out a role structure that has not been set up and tested properly.

Roles aren’t a one-time thing.  They need to change with the business and you’ll need to revisit them periodically to make sure to verify that they continue to be relevant and that the appropriate users are grouped under their most suitable roles. Plan to establish proper role maintenance processes. Consider establishing role recertification processes to keep them up to date with business changes.

Conclusion

Based on my experiences working on successful RBAC implementations over the years for various organizations across the different industries, understanding and adapting above best practices early in the RBAC projects can be the game changer for any RBAC programs’ success and gives full ROI to the companies. Efficient and successful RBAC program will significantly reduce IT service and administration costs and at the same time greatly increase the organization’s overall security posture. A successful RBAC program can eliminate many “insider threat” related cyber security exposure points within the organization and hence this program’s success is very critical for any organization who looks to strengthen their Cyber Security infrastructure.

About the Author

Bhavdip Rathod is an Identity and Access Management Solution Architect at Sailpoint Technologies, Inc. Bhavdip is an experienced cyber security technologist and architect with a specialization in Identity and Access Management (IAM). He is primarily responsible for providing innovative solutions to the companies in the field for their most complex challenges in the Identity and Management area to strengthen their security infrastructure and prevent potential cyber and data breaches.  He has a strong understanding and in-depth experience of Identity and Access Management (IAM) Frameworks and industry best practices. Bhavdip had served as an SME and Expert Advisor on the largest and most complex IAM Implementations for various retail, financial, healthcare and manufacturing organizations in the last 10 years. Bhavdip serves as an IAM Expert Advisor and speaker at various IAM user groups and conference events. Bhavdip holds a Master of Science degree with Commendation from University of Hertfordshire, United Kingdom (UK).