Role-Based Access Control (RBAC) is an approach to Authorization that permits or denies access to resources based solely on a user’s job title and function. For example, access to a specific network might only be made available to users with ‘administrator’ in their title.
The Advantages of Role Based Access Control
An improvement over Access Control Lists. Role-Based Access Control replaced Access Control Lists (ACLs), which were merely a list of permissions for every object. ACLs served their purpose for very small companies, but as enterprises grew, the cost of maintaining and updating the ACL became overwhelming. RBAC solved this problem by basing everything on specific roles: once you no longer held the right role, you lost permissions to the set of resources that role covered.
Roles are simply defined. Employee access is granted only to the information needed to complete their work. Because permissions are defined by job function, an Account Manager is assigned the role of Account Manager and receives the access level granted to everyone holding that role. An Account Director has access to even more sensitive data, since, according to the hierarchy, they hold a higher level of access. Any change made to a role is applied uniformly to every user holding it, and when a user changes position within the company, their permissions change accordingly.
Three Common Issues with Role Based Access Control
Too coarse-grained for most modern enterprises. Role-Based Access Control has no simple way to temporarily allow a worker to access resources that are “outside” of their given role. Access rights are static and can’t be adapted for temporary changes, such as when an employee requires access to data in another department. The rigidity of RBAC's restrictions can leave the network exposed to data breaches. The concept of pre-assigned roles does not work in a dynamic, ever-evolving digital environment where access requirements must be flexible and changeable in real time.
Ignores context. Role-Based Access Control focuses solely on a user’s role and does not take into account other contextual attributes such as time and location. Examining only a few elements of a request is not sufficient. In order to authorize access to business resources safely, access control solutions must consider the circumstances surrounding the request, not just the role of the person making it.
Role explosion from expansion. As companies grow, more and more roles are defined with only slight differences between them. Once thousands of roles exist, managing them becomes increasingly complicated and less effective. Risk exposure increases with RBAC, and auditing and compliance problems can arise from the lack of visibility into the process.
Policy-Based Access Control (PBAC) is able to leverage the best of Role-Based Access Control, while offering a more fine-grained, scalable, and dynamic solution where management is able to oversee and make changes in real-time.
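As an added illustration (not code from the article or from any vendor product), the toy Python below puts the two models side by side: a static role check built on the Account Manager/Account Director hierarchy described above, then a policy-based check that keeps those same role grants but also evaluates a time-boxed cross-department grant and the request's location, the kind of context the article says RBAC cannot consider. The role names, permission strings, sample users and the office-only rule are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed RBAC hierarchy from the article: an Account Director holds every
# permission an Account Manager holds, plus access to more sensitive data.
ROLE_PERMISSIONS = {
    "account_manager": {"read:customer_records"},
    "account_director": {"read:customer_records", "read:revenue_forecasts"},
}

def rbac_allows(role, permission):
    """Pure RBAC: only the role is consulted; time, location and need are ignored."""
    return permission in ROLE_PERMISSIONS.get(role, set())

def temporary_grant(subject, permission, ctx):
    """Time-boxed grant outside the subject's role, which plain RBAC cannot express."""
    return any(g["permission"] == permission and ctx["now"] <= g["expires"]
               for g in subject.get("temporary_grants", []))

# Policies are (effect, condition) pairs evaluated against the subject, the
# requested permission and the request context (deny-overrides combining).
POLICIES = [
    ("permit", lambda s, p, ctx: rbac_allows(s["role"], p)),   # keep role grants
    ("permit", temporary_grant),                                # add flexibility
    ("deny", lambda s, p, ctx: p == "read:revenue_forecasts"    # add context
                               and ctx["location"] != "office"),
]

def pbac_allows(subject, permission, ctx, policies=POLICIES):
    """Policy-based check: any explicit deny wins; otherwise any permit grants."""
    effects = {effect for effect, cond in policies if cond(subject, permission, ctx)}
    return "deny" not in effects and "permit" in effects

# Constructed sample subjects and request contexts.
NOW = datetime(2024, 1, 15, 10, 0)
DIRECTOR = {"role": "account_director"}
MANAGER = {
    "role": "account_manager",
    "temporary_grants": [{"permission": "read:revenue_forecasts",
                          "expires": NOW + timedelta(days=7)}],
}
IN_OFFICE = {"now": NOW, "location": "office"}
REMOTE_NEXT_MONTH = {"now": NOW + timedelta(days=30), "location": "home"}

if __name__ == "__main__":
    print(rbac_allows(MANAGER["role"], "read:revenue_forecasts"))            # False: RBAC cannot grant the project need
    print(pbac_allows(MANAGER, "read:revenue_forecasts", IN_OFFICE))         # True: inside the grant window, in the office
    print(pbac_allows(MANAGER, "read:revenue_forecasts", REMOTE_NEXT_MONTH))  # False: grant lapsed and off-site
    print(pbac_allows(DIRECTOR, "read:revenue_forecasts", REMOTE_NEXT_MONTH))  # False: role permits, location denies
```

The same request that a pure role check answers identically every time gets different answers under the policy engine depending on when and where it is made, which is the distinction the text above draws.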
To compare the differences between RBAC and PBAC, download our most popular whitepaper: Policy Based vs Role-Based Access Control: The Truth.