Role Basics

Authorization is the security mechanism by which systems and applications determine a user’s privileges and access levels while using the system. Compliant access is concerned with defining and managing the policies that control user access to data and ensuring that the access is always position appropriate. Defining and maintaining compliant access for a large organization can be a daunting task. Some types of applications and use cases are better suited to a more structured role-based approach, and others require real-time contextual decisions. RBAC, ABAC, and PBAC are three ways of managing authorization policies.

Moreover, while both have overlapping qualities, individually, each one cannot cover all the necessary aspects of access control. For optimal, dynamic support of an IT organization’s needs, systems supporting the RBAC relational modeling system's richness with the flexibility and contextual nature of ABAC/PBAC offer the best solution. To optimally provide compliant access to such a diverse IT landscape, EmpowerID delivers a unique hybrid RBAC/ABAC/PBAC authorization model.

 

 

Figure: EmpowerID’s Innovative Hybrid RBAC/ABAC/PBAC Model

 

EmpowerID’s sophisticated role and relationship modelling allows security architects to model the organization and its structure and policies, including segregation of duties policies to prevent undesired combinations of access. Flexible attribute-based ABAC or PBAC policies support the centralized real-time decision point for applications that can call the EmpowerID API for authorization decisions. The ABAC/PBAC engine enhances or modifies the powerful RBAC engine's decisions, allowing their use only when greater flexibility or contextual information such as risk, location, and MFA type is required. ABAC/PBAC policies are made much more potent by including the pre-calculated access results that the engine derives from complex RBAC policies that account for inheritance and even attribute-based queries.

Defining position appropriate access for a large organization can be a challenge and maintaining it even more so. However, without this guideline, IT organizations are forced to resort to costly and inefficient manual processes making it more challenging to achieve Compliant Access. Defining and efficiently maintaining position appropriate access is only possible using Role-Based Access Control. Roles are bundles of access that can be assigned to users or linked to an organization’s policies. Roles optimize the delivery of Compliant Access by defining the access needed and appropriate for each type of employee or supplier that must be provisioned across an organization’s on-premise and Cloud systems. The flexibility and power of an Identity and Access Management solution’s RBAC model can make or break many projects. If poorly designed, no amount of consulting or engineering will lead to a manageable role model, and the RBAC system itself becomes the source of project failure. EmpowerID’s RBAC engine is the most sophisticated and often cited as the most significant single contributor to customer projects' success. For modeling role-based permission policies, EmpowerID offers a 3-tiered RBAC model with a Business Role tier, a Functional Role tier, and a Technical Role tier.

The EmpowerID hybrid RBAC/ABAC/PBAC model was designed to solve these common RBAC challenges:

·      Too Many Roles – “Role Explosion”

·      Roles Not Tied to an Authoritative Source Like SAP HR

·      Lack of Automation for Role Assignments/Revocation

·      Roles and Their Entitlements are Cryptic and Unintelligible to Business Users

·      Minimal Enforcement of Access Expirations and Renewals

·      Lack of a Centralized Policy Model and Authorization Service Across All Systems

·      Not a Future Proof Solution Allowing Bosch to Embrace New Areas Like IoT

 

The EmpowerID system uses

Role-Based Access Control (RBAC) is a framework designed to allow organizations to more efficiently manage permissions across applications and other protected IT resources.

The EmpowerID RBAC model is one that reflects the Resource-Based Access Control paradigm; the platform is resource-centric, not role-centric. This allows organizations to focus on what they are protecting.

EmpowerID has a three-tiered RBAC model.

Business Role: Business Role is a user-defined hierarchical container for grouping people. For more details please click here.

Management Role: Management roles are also known as functional roles. For more details please click here.

Technical Role: Technical roles are also known as resource roles or access level assignments. This is used to authorize operations performed in EmpowerID or grant native permissions to be pushed to external systems.

 

Related Docs Topics:

Roles Basics