Role-Based Access Control
Role-Based Access Control (RBAC), is an Identity Management (IAM) administrator's best friend, significantly improving IAM capabilities with its many features.
RBAC restricts network access to users, based on their Role in an organization, assisting to provide appropriate access to users, and only the information which pertains to them.
Roles are a form of digital identity, associated with permissions related to specific applications, defining what the member of the Role can or cannot do with their access.
These application specific permissions are referred to as Entitlements, which provide a specific set of privileges, within a specific application. Example: WordPress User Entitlement vs WordPress Admin Entitlement.
Planning Your Access Control Policy? Download our Free Template Download: Access Control Policy template Get started with our free 11-page customizable template. Add, remove, or edit any sections.
Using IAM Roles, decreases the time it takes to manage user access rights and user permissions, and adds extra levels of role-based security to your organizational architecture, preventing unauthorized access.
In the past, administrators used Access Control lists to maintain employee access records, which required frequent manual updates and reconciliation.
In the present, many organizations still use Access Control lists, which are an expensive solution to an easily solved problem.
By using Roles, organizations can ensure users have the access they need, with the least privileges available, to accomplish their daily tasks, and support operational efficiency.
Access to sensitive or restricted information is controlled
Entitlements vs. Roles
The term “Role”, is used by many applications when referring to their Predefined Application-Specific Roles.
Consequently, terms can be confusing, so let's take a moment to explain:
Applications typically have Predefined Application-Specific Roles, which are used to control what a user can and cannot do.
When an Application is added to an Identity and Access Management System, each of those Predefined Application-Specific Roles, is considered a specific Entitlement within the application.
Entitlements are individual privileges within specific Applications, and we refer to all Predefined Application-Specific Roles, as Entitlements.
IAM Systems use Roles to bundle a collection of Applications, along with the corresponding Application specific Entitlements.
Those collections of Applications and Entitlements are assigned to Roles, and Roles are assigned to users, to provide users with the least privileged access.
ABC Application offers a Basic User Role (Entitlement), which allows basic access to the application.
That Same Application also offers an Administrator Role (Entitlement), which offers full permissions, with no limitations.
Identity and Access Management Systems, see each of these Predefined Application-Specific Roles, as individual Entitlements, within specific Applications.
Additionally, if the Application is integrated with your IAM System, or “Connected”, you are able to configure your own custom sets of Application specific permissions, called Entitlements.
Custom Entitlements can be configured, even if the Application does not offer this set of permissions as a Predefined Application-Specific Role.
The added advantage is greater control of user access to the Applications used in your organization. Additionally, Roles created in an IAM System are not limited to a single Application.
IAM Roles can extend to several Applications and corresponding Entitlements, creating highly configurable “Roles” in your Identity and Access Management System.
Want our team to help you improve security and drastically cut your daily work?
Just book a 10-minute call.
7 Reasons You Should Be Using RolesRoles are a highly effective tool, used to prevent unauthorized user access to sensitive organization data. Below are 7 reason why we believe IAM Roles are a necessity for all organizations:
1. Everyone Needs ThemEnterprise organizations of 500+ users commonly use Role-Based Access Control for their Identity and Access Management needs. Although, Roles can be quite impactful for even the smallest organization, who occasionally need to hire new staff, and who only have only a handful of users. Roles are highly customizable, which assist organizations of all sizes, and offer automatic provisioning and deprovisioning during various job change scenarios like, a location, job title, or department change.
Initial on-boarding and provisioning of new users, item by item, can be a very time consuming task, if it’s done manually.
Providing users with Birthright Access to resources, in the form of Roles, provides employees with the necessary tools automatically, on day one, drastically eliminating employee downtime, and freeing up the hands of administrators and IT employees, allowing them to focus on other important tasks.
3. Position Changes
When using Roles, changes to an employee job title, department, or location, become effortless. With a simple Role change, reprovisioning users with the correct access becomes automatic.
Removing user access when they leave an organization is a critical task. With Roles, one change can remove user rights to any number of applications assigned.
5. Human Error
Role-Based Access Control also does an excellent job of eliminating human error through automatic provisioning and deprovisioning with Role conditions.
Role conditions are configured to user account attributes, and if an attribute changes within a user account, provisioning and/or deprovisioning to the resources connected to the Role, happens automatically.
6. Third-Party Users
Companies will frequently need to provide access to a specific set of resources, to third-party contractors.
Having predetermined third-party Roles, allows organizations with the option to quickly provide a collection of resources, adjusted based on specific requirements, to all third-party contractors.
Finally, RBAC assists organizations with limiting user access to sensitive or restricted information, reducing security and compliance risks.
By assigning IAM Roles to users, organizations can meet statutory requirements within a defined automation process.
Role Based Access Control Example
To fully understand how Role Based Access Control works, let's look at this simple example:
Let's assume organization “ABC” has hired a new employee, Jack. Jack's position is an entry-level Marketing Employee, who requires access to entry-level Marketing Resources, without any administrator or managerial permissions.
Company ABC has three Marketing Roles set up within their Identity and Access Management System; Marketing Manager, Marketing Team Lead, and Marketing Employee.
When ABC on-boards Jack into their IAM System, they will first assign him the Role “All Employees”. This will provide him access to resources used by all users within the organization.
Those resources consist of three applications, and three entitlements within those applications:
- Gmail & Basic User Entitlement
- Slack & Member Level Entitlement
- Zoom & Basic User Entitlement
Jack will also be assigned the Role “Marketing Employee”, which will provide him with another set of resources, specific to his job title:
- WordPress & WordPress Editor Entitlement
- SalesForce & Custom Marketing Entitlement
- PipeDrive & Regular User Entitlement
By assigning Jack these two Roles, he will have Birthright Access to a set of resources, which will automatically provide him with the resources he requires to complete his job.
Birthright Access IAMAn IAM (Identity and Access Management) System uses predefined Roles, to provide new users specific groups of permissions, in the form of Applications and their corresponding Entitlements. We refer to the original groups of permissions as Birthright Access, which is access granted from the start of the User Identity Lifecycle, in the form of Roles. Using these types of Birthright Roles, drastically decreases the time it takes to on-board organizational resources and accounts, into a new User Identity. This process allows the user to immediately start work, eliminating any wait time, while other departments complete lengthy operational processes.
Birthright Access in IDHub
IDHub makes it easy to manage Role based permission access to new users, by providing an option to automatically assign a set of Roles while on-boarding all users, or specifically defined users.
Taking it a step further, IDHub has an advanced Role Condition feature.
Role Conditions assist with determining various scenarios, through a configured set of rules, or Conditions.
IDHub uses conditional rules to automatically assign Birthright Access to newly on-boarded users with the “Role Condition Query”. This query allows us to combine multiple conditions, using “and/or”, to form the query.
Attribute-Based Access Control
Attribute-Based Access Control (ABAC) varies slightly from Role-Based Access Control (RBAC).
RBAC provides user access to resources, based on Role assignment, where ABAC provides user access to resources, based on resource attributes and user attributes.
Attributes can include name, email, location, operating system, time of day, network, security clearance, or device type.
This added layer of security allows systems to have more granular control over its users, and protect against outsiders using a compromised user account maliciously.
Location-Based Access Control
A specific type of ABAC is Location-Based Access Control (LBAC), which manages access to users based on their location.
Some locations within the same organization may have similar Roles, but the Roles have slightly different resources attached to them.
Configuring Roles by location, automatically grants Role access to users who meet the condition criteria.
Location-Based Access Control Example:
ABC Company has two locations; US-Central and US-East.
The US-Central IT user needs access to a different set of resources than a US-East IT user.
Therefore, two distinguishing Roles are configured based on locations; US-Central IT Employee Role and US-East IT Employee Role.
Location-Based Access Control allows organizations to completely control access to specific users, based on their location, job title, and/or department, depending on where they access the system.
Location-Based Access in IDHubSuppose a user is newly on-boarded, has a job title change, a department change, or a location change. IDhub will recognize the user attribute change, and automatically grant or revoke Role access according to the conditions configured within the Roles. IDHub matches the resource attributes within the Role, against the user account information, then appropriately provisions or deprovisions the resources which are assigned to the Role.
Role Management in IDHub
Managing Roles in IDHub, is a simple process.
During Role creation, configuration is required, and then used to maintain the pre-defined Role definition over time, throughout the lifecycle of the Role.
IDHub only grants System Administrators access permissions, to fully manage Roles.
IDHub Role Advantages
Bulk Role Uploads
IDHub allows admins to upload multiple Roles within seconds, with a simple file upload.
Location-Based Access Control
Roles can be configured to provide access to uses within specific organization locations.
Roles can also be configured to provide access to only high-risk applications or applications that require confidentiality
Configure Roles for your organization, based on whether the Role can be requested by users, or only provided by IDHub administrators.
Define Roles in your organization, which restrict user access to non-pertinent, sensitive organization data. View every step that took place during the Request Lifecycle and Approval Process, for that Role.
When users match a Role condition, they are automatically provided with access to applications and entitlements within that Role.
Using Roles to control Birthright Access, greatly reduces the time and effort involved when managing and controlling access to users. Automatic provisioning gives your IT department more time to focus on other important tasks.
What are you waiting for?
Try A Self-Guided Live Tour Right Now!
Role Management Processes
- Defining a New Role for Creation
- Creating Role Conditions for Role Assignment
- Mapping Roles to Applications and Entitlements
- Role Authorization for Users
- Role Maintenance & Modification
- Disabling Roles
- Retiring Roles
Role Features Available for End-UsersTypically, entry-level users would not have any interaction with user Roles. However, IDHub provides custom functionality, not available in other solutions. Role Access Requests - Users can view and request access to a specific Roles, via the centralized Search Catalog. All Users have permission to request Roles for themselves, or on behalf of another User. Save & Share Roles - Roles, as well as all other resources, can be saved to custom, shareable lists. Users can share their lists with other Users. If a list becomes popular, a System Administrator can use that list to create a new a Role. View Available Roles - All users can view active Roles within the organization, to see who has access to what Roles. Users can also view resources within a Role, to help determine if other Roles are more appropriate for their job, instead of making multiple resource requests.
Frequently Used Role Types In IAM Systems.
Condition / Attribute-Based Access Control
Users are automatically added to a Role when their user attributes are matched to the conditions configured within the Role. Automatic Role assignment, provides immediate access to the Applications and Entitlements within that Role assignment.
Location-Based Access Control
Configure access to users within specific organization locations.
Configure access to high-risk Applications, or Applications that require confidentiality.
Configure Roles based on commonly needed resources that are frequently used.
Configure custom Roles which apply company-wide, or only within a specific department.
Download The Editable 11 Page Access Control Policy Template