What Is Role Based Access Control (RBAC)?

Do I need Role-based Access control? What types of access can be controlled? Review the RBAC definition, examples and best practices.

Role-Based Access Control

Role-Based Access Control (RBAC), is an Identity Management (IAM) administrator's best friend, significantly improving IAM capabilities with its many features.

RBAC restricts network access to users, based on their Role in an organization, assisting to provide appropriate access to users, and only the information which pertains to them.

Roles are a form of digital identity, associated with permissions related to specific applications, defining what the member of the Role can or cannot do with their access.

These application specific permissions are referred to as Entitlements, which provide a specific set of privileges, within a specific application. Example: WordPress User Entitlement vs WordPress Admin Entitlement.

Planning Your Access Control Policy? Download our Free Template Download: Access Control Policy template Get started with our free 11-page customizable template. Add, remove, or edit any sections.

Using IAM Roles, decreases the time it takes to manage user access rights and user permissions, and adds extra levels of role-based security to your organizational architecture, preventing unauthorized access.

In the past, administrators used Access Control lists to maintain employee access records, which required frequent manual updates and reconciliation.

In the present, many organizations still use Access Control lists, which are an expensive solution to an easily solved problem.

By using Roles, organizations can ensure users have the access they need, with the least privileges available, to accomplish their daily tasks, and support operational efficiency.

Access to sensitive or restricted information is controlled

Entitlements vs. Roles

The term “Role”, is used by many applications when referring to their Predefined Application-Specific Roles.

Consequently, terms can be confusing, so let's take a moment to explain:

Applications typically have Predefined Application-Specific Roles, which are used to control what a user can and cannot do.

When an Application is added to an Identity and Access Management System, each of those Predefined Application-Specific Roles, is considered a specific Entitlement within the application.

Entitlements are individual privileges within specific Applications, and we refer to all Predefined Application-Specific Roles, as Entitlements.

IAM Systems use Roles to bundle a collection of Applications, along with the corresponding Application specific Entitlements.

Those collections of Applications and Entitlements are assigned to Roles, and Roles are assigned to users, to provide users with the least privileged access.

For Example:

ABC Application offers a Basic User Role (Entitlement), which allows basic access to the application.

That Same Application also offers an Administrator Role (Entitlement), which offers full permissions, with no limitations.

Identity and Access Management Systems, see each of these Predefined Application-Specific Roles, as individual Entitlements, within specific Applications.

Additionally, if the Application is integrated with your IAM System, or “Connected”, you are able to configure your own custom sets of Application specific permissions, called Entitlements.

Custom Entitlements can be configured, even if the Application does not offer this set of permissions as a Predefined Application-Specific Role.

The added advantage is greater control of user access to the Applications used in your organization. Additionally, Roles created in an IAM System are not limited to a single Application.

IAM Roles can extend to several Applications and corresponding Entitlements, creating highly configurable “Roles” in your Identity and Access Management System.

Want our team to help you improve security and drastically cut your daily work?

Just book a 10-minute call.

BOOK A CALL

7 Reasons You Should Be Using Roles

Roles are a highly effective tool, used to prevent unauthorized user access to sensitive organization data. Below are 7 reason why we believe IAM Roles are a necessity for all organizations:

1. Everyone Needs Them

Enterprise organizations of 500+ users commonly use Role-Based Access Control for their Identity and Access Management needs. Although, Roles can be quite impactful for even the smallest organization, who occasionally need to hire new staff, and who only have only a handful of users. Roles are highly customizable, which assist organizations of all sizes, and offer automatic provisioning and deprovisioning during various job change scenarios like, a location, job title, or department change.

2. On-boarding

Initial on-boarding and provisioning of new users, item by item, can be a very time consuming task, if it’s done manually.

Providing users with Birthright Access to resources, in the form of Roles, provides employees with the necessary tools automatically, on day one, drastically eliminating employee downtime, and freeing up the hands of administrators and IT employees, allowing them to focus on other important tasks.

3. Position Changes

When using Roles, changes to an employee job title, department, or location, become effortless. With a simple Role change, reprovisioning users with the correct access becomes automatic.

4. Revocation

Removing user access when they leave an organization is a critical task. With Roles, one change can remove user rights to any number of applications assigned.

5. Human Error

Role-Based Access Control also does an excellent job of eliminating human error through automatic provisioning and deprovisioning with Role conditions.

Role conditions are configured to user account attributes, and if an attribute changes within a user account, provisioning and/or deprovisioning to the resources connected to the Role, happens automatically.

6. Third-Party Users

Companies will frequently need to provide access to a specific set of resources, to third-party contractors.

Having predetermined third-party Roles, allows organizations with the option to quickly provide a collection of resources, adjusted based on specific requirements, to all third-party contractors.

7. Compliance

Finally, RBAC assists organizations with limiting user access to sensitive or restricted information, reducing security and compliance risks.

By assigning IAM Roles to users, organizations can meet statutory requirements within a defined automation process.

Role Based Access Control Example

To fully understand how Role Based Access Control works, let's look at this simple example:

Let's assume organization “ABC” has hired a new employee, Jack. Jack's position is an entry-level Marketing Employee, who requires access to entry-level Marketing Resources, without any administrator or managerial permissions.

Company ABC has three Marketing Roles set up within their Identity and Access Management System; Marketing Manager, Marketing Team Lead, and Marketing Employee.

When ABC on-boards Jack into their IAM System, they will first assign him the Role “All Employees”. This will provide him access to resources used by all users within the organization.

Those resources consist of three applications, and three entitlements within those applications:

Gmail & Basic User Entitlement
Slack & Member Level Entitlement
Zoom & Basic User Entitlement

Jack will also be assigned the Role “Marketing Employee”, which will provide him with another set of resources, specific to his job title:

WordPress & WordPress Editor Entitlement
SalesForce & Custom Marketing Entitlement
PipeDrive & Regular User Entitlement

By assigning Jack these two Roles, he will have Birthright Access to a set of resources, which will automatically provide him with the resources he requires to complete his job.

Birthright Access IAM

An IAM (Identity and Access Management) System uses predefined Roles, to provide new users specific groups of permissions, in the form of Applications and their corresponding Entitlements. We refer to the original groups of permissions as Birthright Access, which is access granted from the start of the User Identity Lifecycle, in the form of Roles. Using these types of Birthright Roles, drastically decreases the time it takes to on-board organizational resources and accounts, into a new User Identity. This process allows the user to immediately start work, eliminating any wait time, while other departments complete lengthy operational processes.

Birthright Access in IDHub

IDHub makes it easy to manage Role based permission access to new users, by providing an option to automatically assign a set of Roles while on-boarding all users, or specifically defined users.

Taking it a step further, IDHub has an advanced Role Condition feature.

Role Conditions assist with determining various scenarios, through a configured set of rules, or Conditions.

IDHub uses conditional rules to automatically assign Birthright Access to newly on-boarded users with the “Role Condition Query”. This query allows us to combine multiple conditions, using “and/or”, to form the query.

Attribute-Based Access Control

Attribute-Based Access Control (ABAC) varies slightly from Role-Based Access Control (RBAC).

RBAC provides user access to resources, based on Role assignment, where ABAC provides user access to resources, based on resource attributes and user attributes.

Attributes can include name, email, location, operating system, time of day, network, security clearance, or device type.

This added layer of security allows systems to have more granular control over its users, and protect against outsiders using a compromised user account maliciously.

Location-Based Access Control

A specific type of ABAC is Location-Based Access Control (LBAC), which manages access to users based on their location.

Some locations within the same organization may have similar Roles, but the Roles have slightly different resources attached to them.

Configuring Roles by location, automatically grants Role access to users who meet the condition criteria.

Location-Based Access Control Example:

ABC Company has two locations; US-Central and US-East.

The US-Central IT user needs access to a different set of resources than a US-East IT user.

Therefore, two distinguishing Roles are configured based on locations; US-Central IT Employee Role and US-East IT Employee Role.

Location-Based Access Control allows organizations to completely control access to specific users, based on their location, job title, and/or department, depending on where they access the system.

Location-Based Access in IDHub

Suppose a user is newly on-boarded, has a job title change, a department change, or a location change. IDhub will recognize the user attribute change, and automatically grant or revoke Role access according to the conditions configured within the Roles. IDHub matches the resource attributes within the Role, against the user account information, then appropriately provisions or deprovisions the resources which are assigned to the Role.

Role Management in IDHub

Managing Roles in IDHub, is a simple process.

During Role creation, configuration is required, and then used to maintain the pre-defined Role definition over time, throughout the lifecycle of the Role.

IDHub only grants System Administrators access permissions, to fully manage Roles.

IDHub Role Advantages

Bulk Role Uploads

IDHub allows admins to upload multiple Roles within seconds, with a simple file upload.

Location-Based Access Control

Roles can be configured to provide access to uses within specific organization locations.

Risk-Based Access

Roles can also be configured to provide access to only high-risk applications or applications that require confidentiality

Requestable

Configure Roles for your organization, based on whether the Role can be requested by users, or only provided by IDHub administrators.

Access Control

Define Roles in your organization, which restrict user access to non-pertinent, sensitive organization data. View every step that took place during the Request Lifecycle and Approval Process, for that Role.

Condition Based

When users match a Role condition, they are automatically provided with access to applications and entitlements within that Role.

Save Time

Using Roles to control Birthright Access, greatly reduces the time and effort involved when managing and controlling access to users. Automatic provisioning gives your IT department more time to focus on other important tasks.

What are you waiting for?

Try A Self-Guided Live Tour Right Now!

LIVE TOUR!

Role Management Processes

Defining a New Role for Creation
Creating Role Conditions for Role Assignment
Mapping Roles to Applications and Entitlements
Role Authorization for Users
Role Maintenance & Modification
Disabling Roles
Retiring Roles

Role Features Available for End-Users

Typically, entry-level users would not have any interaction with user Roles. However, IDHub provides custom functionality, not available in other solutions. Role Access Requests - Users can view and request access to a specific Roles, via the centralized Search Catalog. All Users have permission to request Roles for themselves, or on behalf of another User. Save & Share Roles - Roles, as well as all other resources, can be saved to custom, shareable lists. Users can share their lists with other Users. If a list becomes popular, a System Administrator can use that list to create a new a Role. View Available Roles - All users can view active Roles within the organization, to see who has access to what Roles. Users can also view resources within a Role, to help determine if other Roles are more appropriate for their job, instead of making multiple resource requests.

Frequently Used Role Types In IAM Systems.

Condition / Attribute-Based Access Control

Users are automatically added to a Role when their user attributes are matched to the conditions configured within the Role. Automatic Role assignment, provides immediate access to the Applications and Entitlements within that Role assignment.

Location-Based Access Control

Configure access to users within specific organization locations.

Risk-Based Access

Configure access to high-risk Applications, or Applications that require confidentiality.

Custom Requestable

Configure Roles based on commonly needed resources that are frequently used.

Configure custom Roles which apply company-wide, or only within a specific department.

Download The Editable 11 Page Access Control Policy Template

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie is set by CloudFlare. The cookie is used to support Cloudflare Bot Management.
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_7700EB8V9Y	2 years	This cookie is installed by Google Analytics.
_gat_UA-25592398-7	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 4 months 20 days 7 hours 16 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.
yt.innertube::nextId	never	These cookies are set via embedded youtube-videos.
yt.innertube::requests	never	These cookies are set via embedded youtube-videos.

Cookie	Duration	Description
_calendly_session	21 days	No description available.
_pk_id.5.06cb	1 year 27 days	No description
_pk_id.5.9967	1 year 27 days	No description
_pk_ses.5.06cb	30 minutes	No description
_pk_testcookie_domain		No description
_tcfpup	5 years	No description available.
_tcSecSess	session	No description available.
_tcSessInfo	session	No description available.
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
esig_session_id	1 day	No description
first_session	1 month 1 day	No description available.
shopmagic_visitor_e7ff0307268106c16d30573ee129c84c	1 year	No description
ti_ukp	5 years	No description available.
W_GUID	1 day	No description
W_LMT	1 day	No description