Welcome

Thank you for taking time to visit my blog. My name is Drew Olson and I hope to use this space to share ideas and generate conversation regarding identity and access management.


Friday, Oct 01 2010

A flying start with Role Based Access Control (RBAC)

RBAC, or Role Based Access Control, is still an increasingly popular topic! Quite frequently, organizations I meet stress the importance of finding a structured way to manage and grant authorizations across their network. Often I run into situations where the organization is simply doling out authorizations based on a copy of a colleague who has a "similar" job function. This results in many new employees gaining access to systems and applications that they simply should not have or do not need. Little attention is then paid to removing the copied authorizations afterwards, which can greatly increase information security risks and licensing fees.

Establishing an RBAC model is one possible way to solve this problem. RBAC should consist of a matrix of roles, functions and specific access rights. For example, when a new employee joins the organization, the RBAC matrix determines what the new employee will be allowed to do in the network. That's the theory; in practice, populating such a matrix can be problematic. Clients are always telling me that within their organizations there are so many special cases that it ends up seeming as if there are as many roles as there are employees. Since the result is an infinite and unworkable matrix, it's no wonder so many companies have been afraid to implement RBAC. On the other hand, many organizations jump right in, striving to get 100 percent of the employees into the RBAC matrix, and fail. I feel that in most cases this is improbable and may require years of both management's and the Security Officer's time to implement.

Want a quick start with RBAC? It is quite feasible if you do not target 100 percent in the first instance. Based on information from the HR system, it is possible to explore the 50 most common combinations of departments and functions within the organization. This allows up to 80 percent of the RBAC matrix to be completed almost immediately. A workflow application can then be used to fill in the remaining 20 percent, entered manually by the employee's manager.
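The quick-start approach above, as an added example that is not part of the original post: a constructed HR extract is counted by (department, function), the most common combinations become roles until the coverage target is reached, and everyone left over is routed to the manual workflow. The record layout, role names and headcounts are assumptions for illustration.

```python
from collections import Counter

# Constructed HR extract as (department, function, headcount); not real data.
_HR_SPEC = [
    ("Finance", "Accountant", 6),
    ("Sales", "Account Manager", 5),
    ("IT", "Helpdesk", 4),
    ("HR", "Recruiter", 2),
    ("Legal", "Counsel", 1),
    ("IT", "DBA", 1),
    ("Finance", "Controller", 1),
]
HR_RECORDS = [
    {"id": f"{dept}-{func}-{i}".lower().replace(" ", ""),
     "department": dept, "function": func}
    for dept, func, n in _HR_SPEC for i in range(n)
]

def combination_counts(records):
    """Count employees per (department, function) pair."""
    return Counter((r["department"], r["function"]) for r in records)

def build_roles(records, target=0.8, max_roles=50):
    """Add the most common combinations as roles until `target` of staff is
    covered or `max_roles` is reached (the post's 50 most common combinations)."""
    roles, covered = {}, 0
    for (dept, func), count in combination_counts(records).most_common(max_roles):
        if covered / len(records) >= target:
            break
        roles[(dept, func)] = f"{dept}:{func}"  # assumed role naming scheme
        covered += count
    return roles

def coverage(records, roles):
    """Fraction of employees whose HR attributes map to a defined role."""
    hits = sum((r["department"], r["function"]) in roles for r in records)
    return hits / len(records)

def assign(records, roles):
    """Split staff into automatic role assignments and manual-workflow cases."""
    automatic, manual = {}, []
    for r in records:
        role = roles.get((r["department"], r["function"]))
        if role:
            automatic[r["id"]] = role
        else:
            manual.append(r["id"])  # remaining cases: the manager fills these in
    return automatic, manual
```

On this constructed data four roles reach 85 percent coverage and three employees fall through to the manual workflow; on a real HR extract the cutoff is whatever the frequency distribution gives, which is why the post quotes "up to" 80 percent.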

It may still be a while before the RBAC matrix is 100 percent complete, but by leveraging existing systems and sources (such as the HR system) together with the manager's attention, populating the RBAC matrix can be a manageable process with direct results. The result is a positive ROI with respect to the feasibility of RBAC and the amount of effort required to enforce IT auditing standards. An indirect benefit is often a reduction in licensing costs, storage requirements and security incidents. More information is available at http://www.tools4ever.com/solutions/RBAC/