Role Based Access Control
• It is based on the concept that privileges and other permissions are associated with organizational roles, rather than individual users. Individual users are then assigned to appropriate roles.
• For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the Developer role.
• In an RBAC system, the roles are centrally managed by the administrator. The administrators determine what roles exist within their companies and then map these roles to job functions and tasks.
• Roles can effectively be implemented using security groups. A security group is created to represent each role. Then permissions and rights are assigned to these groups. Next, the appropriate users are added to the appropriate security groups, depending on their roles or job functions.
• A user can have more than one role, and more than one user can have the same role.
• Role hierarchies can be used to match natural relations between roles. For example, a lecturer can create a role student and give it a privilege "read course material".
• Role Based Access Control (RBAC) is also known as non-discretionary access control.
• The RBAC security strategy is widely used by most organizations for deployment of commercial and off-the-shelf products.
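The points above (roles as security groups, users assigned to roles, several roles per user, and a role hierarchy) can be seen together in the following added example, which is not part of the original notes. It assumes PostgreSQL syntax; the tables ledger and course_material and the users alice and bob are constructed for illustration.

```sql
-- Added example (PostgreSQL syntax). All table, role and user names are constructed.
CREATE TABLE ledger          (id int PRIMARY KEY, amount numeric NOT NULL);
CREATE TABLE course_material (id int PRIMARY KEY, title  text    NOT NULL);

-- 1. Each role is a security group: it holds privileges but cannot log in.
CREATE ROLE accountant NOLOGIN;
CREATE ROLE student    NOLOGIN;
CREATE ROLE lecturer   NOLOGIN;

-- 2. Privileges are granted to roles, never directly to individual users.
GRANT SELECT, INSERT ON ledger          TO accountant;
GRANT SELECT         ON course_material TO student;   -- "read course material"
GRANT INSERT, UPDATE ON course_material TO lecturer;

-- 3. Role hierarchy: lecturer is made a member of student,
--    so it inherits the student privilege in addition to its own.
GRANT student TO lecturer;

-- 4. Users are assigned to roles. One user may hold several roles,
--    and several users may hold the same role.
CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
GRANT accountant TO alice;
GRANT lecturer   TO alice;
GRANT student    TO bob;

-- 5. Check each user's effective access, including privileges
--    reached only through role membership and the hierarchy.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'ledger',          'INSERT') AS ledger_insert,
       has_table_privilege(r.rolname, 'course_material', 'SELECT') AS material_select,
       has_table_privilege(r.rolname, 'course_material', 'UPDATE') AS material_update
FROM pg_roles AS r
WHERE r.rolname IN ('alice', 'bob')
ORDER BY r.rolname;

-- 6. Audit who holds which role, to catch improperly assigned roles.
SELECT g.rolname AS role_name, m.rolname AS member_name
FROM pg_auth_members AS am
JOIN pg_roles AS g ON g.oid = am.roleid
JOIN pg_roles AS m ON m.oid = am.member
WHERE g.rolname IN ('accountant', 'student', 'lecturer')
ORDER BY role_name, member_name;

-- 7. A change of job function is a single membership change;
--    no table-level grants need to be touched.
REVOKE accountant FROM alice;
```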
Advantages:
(1) The security is more easily maintained by limiting unnecessary access to sensitive information based on each user's established role within the organization.
(2) All the roles can be aligned with the organizational structure of the business and users can do their jobs more efficiently and autonomously.
Disadvantages:
(1) It is necessary to understand each user's functionality in depth so that roles can be properly assigned.
(2) If roles are not assigned properly, then inappropriate access rights create severe security problems for the database system.
Database Management System
CS3492 4th Semester CSE Dept | 2021 Regulation