IAM Role Based Access Control
Role Based Access Control (RBAC) restricts network access to users, based on their Role in an organization, assisting to provide appropriate access to users, and only the information which pertains to them.
Roles are a form of digital identity, associated with permissions related to specific applications, defining what the member of the Role can or cannot do with their access.
These application specific permissions are referred to as Entitlements, which provide a specific set of privileges, within a specific application. Example: WordPress User Entitlement vs WordPress Admin Entitlement.
Entitlements Vs. Roles
The term “Role”, is used by many applications when referring to their Predefined Application-Specific Roles.
Applications typically have Predefined Application-Specific Roles, which are used to control what a user can and cannot do.
When an Application is added to an Identity and Access Management System, each of those Predefined Application-Specific Roles, is considered a specific Entitlement within the application.
Entitlements are individual privileges within specific Applications, and we refer to all Predefined Application-Specific Roles, as Entitlements.
IAM Systems use Roles to bundle a collection of Applications, along with the corresponding Application specific Entitlements.
Those collections of Applications and Entitlements are assigned to Roles, and Roles are assigned to users, to provide users with the least privileged access.
RBAC Example
Organization “ABC” hired a new employee, Jack. Jack's position is an entry-level Marketing Employee, requiring access to entry-level Marketing Resources, without any administrator or managerial permissions.
Company ABC has three Marketing Roles set up within their IAM; Marketing Manager, Marketing Team Lead, and Marketing Employee.
When ABC on-boards Jack into their IAM, they first assign him the Role “All Employees”. This will provide him access to resources used by all users within the organization.
- Gmail & Basic User Entitlement
- Slack & Member Level Entitlement
- Zoom & Basic User Entitlement
Jack is also assigned the Role “Marketing Employee”, which will provide him with another set of resources, specific to his job title:
- WordPress & WordPress Editor Entitlement
- SalesForce & Custom Marketing Entitlement
- PipeDrive & Regular User Entitlement
By assigning Jack these two Roles, he will have Birthright Access to a set of resources, which will automatically provide him with the resources he requires to complete his job.
Location Based Access
A specific type of ABAC is Location-Based Access Control (LBAC), which manages access to users based on their location.
Some locations within the same organization may have similar Roles, but the Roles have slightly different resources attached to them.
Configuring Roles by location, automatically grants Role access to users who meet the condition criteria.
IDHub RBAC
IDHub Roles are super flexible, accommodating all the key topics mentioned above.
To learn more about Role based access in IDHub, visit our page: IDHub Role Based Access