Role-based access control (RBAC) is a way to grant or restrict users’ permissions within a piece of software by assigning roles to them. A certain scope of permissions is defined for each role, and individual roles are then assigned to individual users. This approach is used mainly by larger organizations, because it would be difficult and uneconomic to maintain permissions individually for every person (user).
What are the advantages of assigning permissions to the users through roles?
In contrast to making individual settings for every individual user, RBAC brings clarity. Another advantage is the possibility to “match” the roles defined in a software system to the positions in an organization. This makes it easier to define what permissions should be granted to each role (position), so that workers are able to perform the duties given by their scope of work. This reduces the risk that an employee will have unauthorized access to sensitive data or to any other information that he or she simply shouldn’t be able to see given his or her position.
Where is RBAC used?
It is commonly used in large-scale information systems and applications with dozens or more users. In organizations, there can be a large number of roles - approximately as many as there are positions. But roles can also be used in smaller and simpler software or on websites, in which case the number of roles is limited to a few basic ones. An e-shop, for example, could make use of the roles of regular user, administrator and sales representative.
What is the RBAC deployment procedure?
Roles and their assignment should be based on the positions in an organization, each of which has a specific range of powers and responsibilities. This also indicates the necessary extent of permissions in terms of access to information or to functions of an information system. Based on this information, a role should be created for each position in the organization and defined through a certain set of permissions. Then, each role is assigned to all the people (users) working in the corresponding position.
The software must support such an approach. The permissions must be definable to the extent that the situation requires. For example, software containing sensitive or personal data must allow you to make detailed permission settings for that data, that is to say, to define which roles can access which data and what actions they can perform on it.
Advanced applications also allow you to assign multiple roles to one user.
- Each role is defined through a set of permissions
- Roles are assigned to users
Thus, the user’s permissions correspond to the assigned roles.
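The deployment procedure above, worked through as an added example (not code from the original page): the e-shop roles mentioned earlier (regular user, sales representative, administrator) are defined as sets of (action, resource) permissions, a user may hold several roles, and the user’s effective permissions are the union of those roles. The permission names and the audit helper are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

# Constructed role definitions: each role is a set of (action, resource) pairs.
# The permission names are assumptions for illustration, not a fixed standard.
ROLES = {
    "regular_user": {
        ("read", "product"), ("create", "order"), ("read", "own_order"),
    },
    "sales_representative": {
        ("read", "product"), ("read", "order"), ("update", "order"),
        ("read", "customer"),
    },
    "administrator": {
        ("read", "product"), ("create", "product"), ("update", "product"),
        ("delete", "product"), ("read", "order"), ("update", "order"),
        ("read", "customer"), ("manage", "user"),
    },
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user, role, roles=ROLES):
    """Assign a role to a user; unknown roles are rejected rather than silently added."""
    if role not in roles:
        raise KeyError(f"unknown role: {role}")
    user.roles.add(role)


def effective_permissions(user, roles=ROLES):
    """A user's permissions are the union of the permissions of all assigned roles."""
    perms = set()
    for role in user.roles:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        perms |= roles[role]
    return perms


def is_allowed(user, action, resource, roles=ROLES):
    """Authorization check: allowed only if some assigned role grants the pair."""
    return (action, resource) in effective_permissions(user, roles)


def who_can(action, resource, users, roles=ROLES):
    """Audit helper: which users can perform an action, e.g. read customer data."""
    return sorted(u.name for u in users if is_allowed(u, action, resource, roles))
```

Running `who_can("read", "customer", users)` periodically is a simple way to review which people can reach sensitive data and whether that matches their position.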