So, you want to use Role Based Access Control – Where should you begin?

I have been on many different projects where clients say they want some sort of RBAC (Role Based Access Control) solution, but they don’t seem to be aware of the work involved or the payoff it can bring an organization. Before going any further, I quickly want to go over what RBAC is. RBAC is a way of managing access within an organization. This is done by grouping similar access into roles and assigning those roles to users, which can be driven by policies or locations. When a company begins with RBAC, one of the most important questions to ask is ‘What is your goal with using RBAC?’ There are many different answers to this, but I normally structure them into four categories: Security, Compliance, Efficiency and Agility. Each focus has a different approach to beginning and utilizing RBAC. I will discuss the two I hear most often: Security and Efficiency.

Let’s start with Security, since I believe this is one of the most requested. Companies that focus on RBAC from a security point of view have either found, or had incidents caused by, users whose rights broke a security policy. This can be anything from a toxic rights assignment (for example, a user who has the rights to both create and approve their own expense report) to a user who has left the company but can still access company assets. Whatever the reason, the most important first step is to get control over what you currently have. This can be done using attestation or certification across the organization. This process goes through the current rights assignments and lets managers or application owners attest whether each user should have that access. While this process is going on, it is important to start role mining (analyzing your user-to-access relationships) or building a role model to ensure control and stability.

The second one is Efficiency. This one looks very different from one organization to the next. It can begin with automating onboarding and offboarding, or it can be as simple as a service desk that is overwhelmed with requests for access. These issues tend to be the bottleneck of an organization as well as its most expensive problem. To ease the situation and begin to improve functionality, my approach would be to begin with role mining and start to identify the locations or applications with a high overhead or cost. From there you can develop a role model in steps and start making changes immediately. This improves the organization’s processes and begins the creation of the role model.
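As an added illustration of the role mining and toxic rights ideas above (example code written for this edit, not the author’s or any product’s), here is a minimal pass over constructed user-to-entitlement data that groups identical access sets into candidate roles and flags users holding a conflicting pair of rights. The user names, entitlement strings and the toxic pair are all assumed sample values.

```python
# Added example (not from the original post): a small role-mining pass over
# constructed user-to-entitlement data, plus a check for toxic (conflicting)
# right combinations such as creating and approving one's own expense report.
from collections import defaultdict

# Constructed sample data: who currently holds which entitlements.
ASSIGNMENTS = {
    "alice": {"expense.create", "crm.read", "vpn"},
    "bob":   {"expense.create", "crm.read", "vpn"},
    "carol": {"expense.create", "expense.approve", "crm.read", "vpn"},
    "dave":  {"expense.approve", "ledger.write", "vpn"},
    "erin":  {"expense.approve", "ledger.write", "vpn"},
    "frank": {"vpn"},  # leaver who still holds access; attestation should catch this
}

# Separation-of-duties rules (assumed): entitlement pairs no single user should hold.
TOXIC_PAIRS = {frozenset({"expense.create", "expense.approve"})}


def mine_roles(assignments, min_users=2):
    """Group users with identical entitlement sets into candidate roles.

    Returns a list of (entitlements, users) sorted by population size, which
    is the usual first cut at a role model: the biggest clusters are the
    cheapest places to start replacing individual grants with a role.
    """
    clusters = defaultdict(set)
    for user, rights in assignments.items():
        clusters[frozenset(rights)].add(user)
    roles = [(set(r), sorted(u)) for r, u in clusters.items() if len(u) >= min_users]
    return sorted(roles, key=lambda ru: (-len(ru[1]), sorted(ru[0])))


def find_toxic(assignments, toxic_pairs=TOXIC_PAIRS):
    """Return {user: [conflicting pair, ...]} for users holding a toxic combination."""
    hits = {}
    for user, rights in assignments.items():
        conflicts = [tuple(sorted(p)) for p in toxic_pairs if p <= rights]
        if conflicts:
            hits[user] = conflicts
    return hits


if __name__ == "__main__":
    for rights, users in mine_roles(ASSIGNMENTS):
        print(f"candidate role {sorted(rights)} -> {users}")
    for user, conflicts in find_toxic(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {conflicts}")
```

Users whose entitlement set matches nobody else’s (carol, frank) are exactly the ones an attestation campaign should route to a manager for review.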

As you can see, there is no ‘one answer’ to beginning with Role Based Access Control. It is important to determine what the business needs in order to know which step works best for the organization. In my next post, I will go into more depth about beginning with role mining and attestation or certification.

For more information about RBAC or beginning a project contact:
Rachel van Wijk

IAM Architect – IonIT