Access Control

My reading notes for Code Fellows

Access Control

5 steps to RBAC

What is Role Based Access Control (RBAC) and why do we care? RBAC is the idea of assigning system access to users based on their role within an organization. The system needs of a given workforce are analyzed, with users grouped into roles based on common job responsibilities and system access needs. Access is then assigned to each person based strictly on their role assignment. With tight adherence to access requirements established for each role, access management becomes much easier.

Describe a Role/Permission heirarchy that you might implement using RBAC.

  1. Basic User: Access any employee would need
  2. Customer Service: Read/Write access to the database
  3. IT: Access to the systems
  4. Admin: Access to sensitve data and systems

What approach might you take to implement RBAC?

I would first analyze the needs of the organization. I would focus on how each role interacts with clients, and shape access around what each role needs to access in order to serve the clients they impact. Then, I would restrict access to only that needed to fulfill those roles.

wiki - RBAC

If Authentication is “you are who you say you are,” what is Authorization?

Authorization is the role or roles one is expected to be able to perform. It is one’s permission to affect their environment.

Name three primary rules defined for RBAC.

  1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.
  2. Role authorization: A subject’s active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
  3. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject’s active role. With rules 1 and 2, this rule ensures that users can exercise only permissions for which they are authorized.

Describe RBAC to a non-technical friend. Just as access to information can be granted on a need-to-know basis, RBAC is about making sure that access to information is limited to the extent that people are on a need-to-access basis. This means that an organization’s potential libility is lessened by making sure that information is as controlled as possible. It also protects people within that organization by making sure that they can’t inadvertently disclose something that isn’t relevant to their role.

RBAC tutorial

What Are access rights Associated with? The User? or The Role? Explain.

Access rights are assocuated with the role. Everyone has different roles to play in an orginazation, and limiting access to only the information needed to fulfill one’s role makes sense.

Access Rights, or Authorization, is activated after a user successfully does what? once a user is authenticated, they can be activated.

Explain how RBAC might benefit a business. Limiting access keep liability properly managed