WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Like this CertiGuide? Get it in PDF format!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Google
Web CertiGuide






Table Of Contents  CertiGuide to Security+
 9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)
      9  1.1  Access Control

Previous Topic/Section
1.1.2  Discretionary Access Control (DAC)
Previous Page
Pages in Current Topic/Section
1
Next Page
 1.2  Authentication
Next Topic/Section

1.1.3  Role-Based Access Control (RBAC)

Role-Based Access Control49 (RBAC) allows you to define permissions and privileges based on a user’s functional role within the organization or community. One of the most challenging problems in managing large networked systems is the complexity of security administration. Today, security administration is costly and prone to error because administrators usually specify access control lists for each user on the system individually. Role-based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications.

With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, such as “human resources rep” or “accounts payable data entry clerk”, and each role is assigned one or more privileges that are permitted to users in that role, such as the right to access certain applications.

Security administration with RBAC consists of determining the operations that must be executed by persons in particular positions, assigning employees to the proper roles, and then granting the required permissions to each role. Complexities introduced by mutually exclusive roles or by role hierarchies are handled by the RBAC software, making security administration easier. Additionally, administrative burdens are reduced because when a user is added or deleted from the system, it is not necessary to go to every access control rule involving that user, and update it. Instead, adding the user to the appropriate roles (or deleting them) automatically includes (or excludes) the user in the appropriate access lists.

Some operating systems, such as UNIX and Windows, implement a degree of role-based security by placing each user into one or more groups defining that user’s role in the organization, and controlling access to files and other objects by granting permissions to certain groups.

RBAC

RBAC allows access control to be defined in terms of organization structure and roles. For example, you can define that a customer order clerk can access your accounting system’s order entry application, but not the check writing application.


Figure 4: RBAC works well because it combines rules.

 

DAC or RBAC?

Does your organization use role-based access controls, or are your access controls primarily user-based? If you primarily employ user-based access controls, how often are you updating ACLs? If you’re doing this very frequently, you might save time by moving to a more role-based access control policy.



 __________________

49. http://csrc.nist.gov/rbac/

Previous Topic/Section
1.1.2  Discretionary Access Control (DAC)
Previous Page
Pages in Current Topic/Section
1
Next Page
 1.2  Authentication
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.