Guideline: Role-Based Access Control
UAM Home Page
RBAC is a method of regulating access to resources (protected objects) based on the roles of individual users within a system. In this context, access is the ability of an individual user to perform a specific task, such as view, create, or modify a file; or, in the case of an application, to perform certain functions or methods.
Relationships
Main Description

Role-Based Access Control is an approach to restricting system access to authorized users, and also user access to services and data. It is used by the majority of medium to large enterprises, and can implement mandatory access control (MAC) and discretionary access control (DAC). RBAC is sometimes referred to as role-based security. Also see: RBAC and Whitepaper: A Reference Model for Enterprise Security.

Roles in Context

A "roles-in-context" diagram is used to detail the interactions of roles and actors with the activities in the system. This example diagram is the ThuNorTech process Perform Lab Study, but is a simplified version showing only the relevant activities and with extraneous information removed, but with the roles added.

Technical roles model - roles in context 

At the Technical level exception handling has been added and roles have been refined and optimized.  

Roles Optimization

Going too granular with roles is difficult to manage, but aggregating roles too much is inflexible. Define an RBAC grid (see below) and analyze the options through various grid structures in terms of "users vs. actors vs. roles vs. activities". Once this is understood and finalized, the difficult and complex job of drilling down into individual user/actor/role actions and optimizing this becomes easier.

Airline Check-in Counter Example

In the example above, for example, would it better for the "Kathleen:Agent" to have the "Check-in Agent" role, the "Ticket Agent" role, and "Agent Manager" role that is a sub-type of "Middle Manager". A whole set of analysis is done to understand and optimize this structure—this is at the heart of the Roles Model. This analysis often isn’t done or at best poorly understood. The end result is to define the mapping of users to roles and to the required privileges at the technical level—part of the Technical Roles Model. THe other part of this analysis is the optimization of the required user interfaces; the GUIs.

A matrix is used to capture this RBAC information. Two kinds of matrixes are used, either the protected object centric or the set of protected objects presentation. They both capture the same information, but the latter may be more practical in terms of managing and using the information. Also see: Guideline: CRUD Matrix.  

RBAC permissions matrix for Protected Object “X”

Action

Role

Create

Read

Update

Delete

Execute

Manager

ü





ü



Author

ü

ü

ü

ü



Editor



ü

ü





Publish



ü

ü



ü

RBAC permissions matrix for a set of Protected Objects

Object

Role

Order

Invoice

Customer

Employee

Product

Sales VP

crud

crud

crud

crud

crud

Sales Manager

crude

crud

ru

r

r

Sales Rep

crud

r

ru

r

r

Stock Manager

-

-

-

r

ru

crude = create; read; update; delete; execute  

The following Role-Based Access Control table is from the ThuNorTech example IT architecture (see: Practice: Perform Lab Study TRM). It is quite a simple example, but illustrates the way in which these interactions may be analyzed and security aspects clarified and defined. Also, the further analysis done at the Technical level has simplified the roles and how they relate to the defined tasks. See the equivalent Logical Roles Model: Practice: Perform Lab Study LRM.

Managers typically can use the same functions and features as their staff, therefore a lab manager (user) would assume (have) the "Lab Manager" role and the "Lab Team" and "Tech Writer" roles and all of the access and privileges that go along with them. Some users may also have view access to functions that they would not normally use during the course of their duties. 

RBAC (coarse) permissions matrix for "activity" Protected Objects

The activities in a process are in the first column, and associated with defined roles. At the Technical level the analysis of roles is complete and all possible optimizations defined; optimizations of roles and also of associated GUIs.

Role

Activity/Action

Data Constraint

Lab Team

Tech Writer

Lab Manager

Plan Lab Study







ü

Check-out Lab Study

ü

ü



ü

Request Participation



ü



ü

Rx Partner Response



ü



ü

Cancel Lab Study







ü

Request Demo Products



ü



ü

Prepare Test Scripts & Data



ü



ü

Receive and Log Demo Products



ü



ü

Set-up Equipment



ü



ü

Do Tests



ü



ü

Analyze Test Results



ü



ü

Write Tech Report



ü





Edit Tech Report





ü

ü

The "data constraint" column indicates that there is need for managing access to the "lab study" object from a check-out and check-in perspective to avoid consistency and other problems.