RBAC: Role Based Access Control
Content last updated in version 06.22.08-00
Revision History
Version No. | Reference No. | Changes
06.22.08-00 | Not Applicable | Content for entire Security Module was refurbished.
In relation to cyber security, role-based access control (RBAC) is a method of restricting access to a computer, software application, or network node based on the roles of individual users within an enterprise. In this way, access is restricted to authorized users, not just legitimate ones. Additionally, RBAC is an approach to implementing discretionary access control as an additional layer of security above the mandatory access control done through Identity and Access Management.
At a functional level, RBAC ensures that employees access only the information they need to do their jobs and restricts them from accessing information that does not pertain to them. An employee's role, and even their position in the organization's hierarchy, determines the permissions that individual is granted.
From a business perspective, RBAC improves overall security as it relates to compliance, confidentiality, privacy, and access management for resources and other sensitive data and systems.
Selective access: RBAC systems can support users holding multiple roles at the same time, with specific permissions for each role.
Three primary rules are defined for RBAC:
Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.
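The following is an added example, not code from the original page, showing how the three rules above (plus the selective-access property of one user holding several roles) can be enforced in a small policy engine. The role names, user names and permission strings are constructed sample data; the class and method names are this example's own assumptions, not part of any product described on the page.

```python
"""Minimal RBAC policy engine enforcing the three primary RBAC rules.

Rule 1 (role assignment): a subject with no active role exercises no permission.
Rule 2 (role authorization): a subject may activate only roles assigned to it.
Rule 3 (permission authorization): a permission is exercised only if the
subject's *active* role is authorized for it.
"""
from dataclasses import dataclass, field


class RBACError(PermissionError):
    """Raised when one of the three RBAC rules denies an operation."""


@dataclass
class RBACPolicy:
    # role name -> set of permission strings that role is authorized for
    role_permissions: dict = field(default_factory=dict)
    # user -> set of roles the user has been assigned (selective access:
    # a user may hold several roles, but activates one at a time)
    user_roles: dict = field(default_factory=dict)
    # user -> currently active role, or absent when no role is selected
    active_role: dict = field(default_factory=dict)

    def grant_role(self, user, role):
        """Administrative assignment of a role to a user."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def activate_role(self, user, role):
        """Rule 2: the role a subject activates must be assigned to that subject."""
        if role not in self.user_roles.get(user, set()):
            raise RBACError(f"{user} is not authorized for role {role!r}")
        self.active_role[user] = role

    def check(self, user, permission):
        """Rules 1 and 3: raise RBACError unless the active role grants the permission."""
        role = self.active_role.get(user)
        if role is None:  # Rule 1: no selected/assigned role, no permission
            raise RBACError(f"{user} has no active role")
        if permission not in self.role_permissions[role]:  # Rule 3
            raise RBACError(f"role {role!r} does not grant {permission!r}")
        return True

    def is_allowed(self, user, permission):
        """Boolean form of check(), convenient for callers and tests."""
        try:
            return self.check(user, permission)
        except RBACError:
            return False


def build_sample_policy():
    """Constructed sample data: two users, three roles, a few permissions."""
    policy = RBACPolicy(role_permissions={
        "payroll_clerk": {"payroll:read", "payroll:write"},
        "auditor": {"payroll:read", "audit_log:read"},
        "helpdesk": {"ticket:read", "ticket:write"},
    })
    policy.grant_role("alice", "payroll_clerk")  # alice holds two roles
    policy.grant_role("alice", "auditor")
    policy.grant_role("bob", "helpdesk")
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    print("alice, no active role, payroll:read ->", policy.is_allowed("alice", "payroll:read"))
    policy.activate_role("alice", "auditor")
    print("alice as auditor, payroll:write ->", policy.is_allowed("alice", "payroll:write"))
    policy.activate_role("alice", "payroll_clerk")
    print("alice as payroll_clerk, payroll:write ->", policy.is_allowed("alice", "payroll:write"))
    try:
        policy.activate_role("bob", "auditor")
    except RBACError as exc:
        print("bob activating auditor ->", exc)
```

Note that the engine deliberately evaluates permissions against the single active role rather than the union of all assigned roles: a user holding both "auditor" and "payroll_clerk" cannot write payroll while acting as an auditor, which is the least-privilege behaviour the three rules are designed to produce.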