Role-Based Access Control: Some Best Practices

Role-Based Access Control (RBAC) is an identity and access management model in which permissions are attached to roles rather than to individual users, and users receive access by being assigned the roles that match their job in the organization. Implemented properly, it helps organizations enforce least privilege, keep data secure and meet data privacy requirements. Listed here are some RBAC best practices.



1. Build an RBAC Strategy

Building a plan starts with an assessment of where you are today (data, processes, policies, systems), defines the target state (automated, RBAC-driven access provisioning across a defined set of applications and systems), and identifies the critical gaps that must be closed first (data quality, process problems, the differing system-to-system authentication and authorization models). Identifying these challenges up front lets you address them directly before the implementation starts.

2. Establish a Framework for Governance

Organizations preparing for RBAC need a governance body that decides project goals, sets expectations, manages and supports the implementation, defines performance metrics and manages risk. To identify data and process problems and prioritize remediation, the governance board should work closely with the HR function, since HR records (job titles, departments, joiner/mover/leaver events) are normally what drive role assignment.

3. Assign a User Lifecycle Owner

When HR goals do not align with IT priorities, the organization ends up at loggerheads. When such misalignments arise, decisions that serve the company as a whole must be made by a person (or small group) who acts as the escalation point: the User Lifecycle Owner. This owner should sit on both the HR and the RBAC governance boards.

4. Role Management

Decide who owns the technical roles and who owns the business roles (for example, the application owner for technical roles and a business manager for business roles). Written policies and procedures need to cover how roles are reviewed and recertified, whether and when they expire, and who is accountable for each one.

5. Start with a Top-Down Role Analysis

Before building any technical roles, hold discussions with business managers to record the functional access each job position needs and to confirm that every user in a position shares the same core access. This is also the point to clean up unnecessary exceptions (one-off entitlements granted to individuals), so that the role mining tool later analyses a clean picture of access when it identifies candidate roles.

6. Perform a Bottom-Up Role Analysis

Technical roles are built bottom-up through role mining and analysis: the tool collects the entitlements that users currently hold across systems and analyses them to derive the technical roles for a group of users.

A technical role is a set of permissions that, taken together, let a user carry out a specific business function and so deliver business value. The best results come from first designing a set of business roles with the business stakeholders and then reconciling them with the access actually exposed by role mining, in order to see which access the model missed and which existing access is not needed.
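The following is an added example, not code from the original post or from any role mining product, showing the two analyses described in steps 5 and 6 side by side on a small constructed data set: a bottom-up pass that derives candidate technical roles from the entitlements users actually hold and flags per-user exceptions, and a top-down reconciliation that compares each user's access against the business-role model agreed with managers. All user names, job titles, permissions and role names are invented for illustration, as is the segregation-of-duties rule at the end; a real role mining tool would use clustering or frequent-itemset analysis over far larger entitlement dumps rather than the simple intersection used here.

```python
from collections import defaultdict

# Constructed sample (not from the article): HR job title per user and the
# entitlements each user currently holds, written as "system:permission".
USERS = {
    "alice": ("AP Clerk",   {"erp:ap.invoice.read", "erp:ap.invoice.create", "fileshare:finance.read"}),
    "bob":   ("AP Clerk",   {"erp:ap.invoice.read", "erp:ap.invoice.create", "fileshare:finance.read",
                             "erp:ap.invoice.approve"}),
    "carol": ("AP Clerk",   {"erp:ap.invoice.read", "erp:ap.invoice.create", "fileshare:finance.read"}),
    "dave":  ("AP Manager", {"erp:ap.invoice.read", "erp:ap.invoice.approve", "fileshare:finance.read",
                             "bi:finance.dashboard"}),
    "erin":  ("AP Manager", {"erp:ap.invoice.read", "erp:ap.invoice.approve", "fileshare:finance.read",
                             "bi:finance.dashboard", "hr:payroll.read"}),
}

# Top-down model (hypothetical): business roles agreed with managers, each
# linked to technical roles, which in turn bundle concrete permissions.
BUSINESS_ROLES = {
    "AP Clerk":   {"erp-ap-entry", "finance-share-reader"},
    "AP Manager": {"erp-ap-approver", "finance-share-reader", "bi-finance-viewer"},
}
TECHNICAL_ROLES = {
    "erp-ap-entry":         {"erp:ap.invoice.read", "erp:ap.invoice.create"},
    "erp-ap-approver":      {"erp:ap.invoice.read", "erp:ap.invoice.approve"},
    "finance-share-reader": {"fileshare:finance.read"},
    "bi-finance-viewer":    {"bi:finance.dashboard"},
}

# Hypothetical segregation-of-duties rule: one person must not both create and approve invoices.
SOD_CONFLICTS = [({"erp:ap.invoice.create", "erp:ap.invoice.approve"}, "create and approve the same invoice")]


def cluster_by_permission_set(users, min_support=2):
    """Bottom-up, no HR data needed: users holding an identical permission set form a candidate role."""
    clusters = defaultdict(list)
    for user, (_, perms) in users.items():
        clusters[frozenset(perms)].append(user)
    return [(sorted(members), perms) for perms, members in clusters.items() if len(members) >= min_support]


def mine_candidate_roles(users, min_support=2):
    """Bottom-up with HR data: per job title, the intersection of members' permissions is the
    candidate core role; anything a member holds beyond the core is an exception to review."""
    by_title = defaultdict(dict)
    for user, (title, perms) in users.items():
        by_title[title][user] = perms
    candidates = {}
    for title, members in by_title.items():
        if len(members) < min_support:
            continue  # too few users to infer a role; treat individually
        core = set.intersection(*members.values())
        exceptions = {u: p - core for u, p in members.items() if p - core}
        candidates[title] = {"core": core, "exceptions": exceptions, "members": sorted(members)}
    return candidates


def expected_permissions(title):
    """Expand a business role through its technical roles to the permissions the model grants."""
    return set().union(*(TECHNICAL_ROLES[r] for r in BUSINESS_ROLES[title]))


def reconcile(users):
    """Top-down reconciliation: excess = access to remove (or a missed role),
    missing = either a provisioning gap or a business role that claims more than the job uses."""
    return {user: {"excess": perms - expected_permissions(title),
                   "missing": expected_permissions(title) - perms}
            for user, (title, perms) in users.items()}


def unmodelled_permissions(users):
    """Permissions observed in the wild that no technical role contains: candidates for a
    new technical role or for removal."""
    modelled = set().union(*TECHNICAL_ROLES.values())
    observed = set().union(*(perms for _, perms in users.values()))
    return observed - modelled


def sod_violations(users):
    """Exceptions that are not merely excess but toxic combinations; these go first in the clean-up."""
    return {user: [desc for toxic, desc in SOD_CONFLICTS if toxic <= perms]
            for user, (_, perms) in users.items()
            if any(toxic <= perms for toxic, _ in SOD_CONFLICTS)}


if __name__ == "__main__":
    for title, c in mine_candidate_roles(USERS).items():
        print(title, "core:", sorted(c["core"]), "exceptions:", c["exceptions"])
    print("reconciliation:", reconcile(USERS))
    print("unmodelled:", unmodelled_permissions(USERS))
    print("SoD violations:", sod_violations(USERS))
```

On this data the bottom-up pass confirms the AP Clerk core role and surfaces bob's extra approve right as an exception, while the top-down reconciliation shows the same right as excess against the business role and the SoD check marks it as a toxic combination to remove before roles are cut. erin's payroll read is excess against her business role and also appears in no technical role at all, which is exactly the "missed or not needed" question the reconciliation is meant to raise with the business owner.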

7. Get Started With a Pilot 

To reduce implementation risk, produce a quick win and demonstrate that the RBAC model works, choose a small department or a single business function as a pilot before rolling out more widely.

Conclusion

Business roles reflect the organization's business activities or job profiles; they are not tied to a single IT system but are an enterprise-wide concept. A worker is assigned one or more business roles, and each business role is in turn linked to the technical roles that represent the access, in all the IT systems involved, that the job function requires. Organizations must keep their focus at the enterprise level and look at the bigger picture in order to realize the potential of RBAC.

