04-Role-Based Access Control

Uploaded by Chamodh Dewanka

Role-Based Access Control
Introduction to Access Control and RBAC
•What is RBAC?
•A security model that associates permissions with roles rather than individual users.
•Roles represent job functions or responsibilities within an organization.
•Users are assigned to roles based on their qualifications and responsibilities.

•Key components of RBAC:
•Users: Individuals accessing the system.
•Roles: Collections of permissions assigned to job functions.
•Permissions: Authorizations to access or perform actions on system resources.
•Sessions: Dynamic associations between users and roles.
Challenges in DAC
• There may be a large number of users with similar permissions.
• Users change over time (resignations, role changes).
• New permissions need to be applied to every user individually.
Core RBAC Model
•Deep dive into the core RBAC model.
•Discuss the components in detail (users, roles, permissions).
•Explain the assignment process: users to roles, roles to permissions.
•Use diagrams and examples to illustrate concepts.
Benefits of RBAC
•Efficiency: Centralized management of permissions through roles.
•Flexibility: Easy to assign and revoke permissions by managing roles.
•Scalability: Handles organizational changes and growth effectively.
•Security: Reduces the risk of unauthorized access by controlling permissions through roles.
RBAC Models
•Core RBAC:
•Basic RBAC model with users, roles, and permissions.
•Users are assigned to roles.
•Roles are assigned permissions.
•Hierarchical RBAC:
•Introduces role hierarchies where roles can inherit permissions from parent roles.
•Example: Manager role inherits permissions from Supervisor role.
•Constraint-Based RBAC:
•Adds constraints to control role assignments and permissions.
•Examples: cardinality constraints (maximum number of users per role), separation of duties (preventing conflicts of interest).
Implementation Considerations
•Role Engineering: Identifying and defining appropriate roles based on organizational structure and responsibilities.
•Permission Assignment: Assigning permissions to roles based on job requirements.
•User Assignment: Assigning users to roles based on their qualifications and responsibilities.
•Session Management: Managing active user sessions and role assignments.
•Auditing and Monitoring: Tracking role assignments, permission changes, and user activities.
Challenges and Limitations
•Role Explosion: Overly complex role structures can lead to management difficulties.
•Granularity: RBAC might not provide sufficient fine-grained access control in some cases.
•Dynamic Environments: Changes in organizational structure or job responsibilities can impact role assignments.
Example: Hospital System
•Roles: Doctor, Nurse, Administrator, Patient
•Permissions: Access patient records, prescribe medication, manage patient appointments, view test results.
•Role Hierarchy: Administrator can perform all actions; Doctor and Nurse have specific permissions.
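The hospital example above, together with the hierarchical and constraint-based models from the "RBAC Models" slide, worked through as an added example (not code from the slides). The role names follow the deck; the permission strings, the cardinality limit and the Doctor/Patient separation-of-duties pair are assumptions made for illustration.

```python
# Added example, not from the slides: an RBAC engine with the deck's hospital
# roles, role inheritance, a cardinality constraint and separation of duties.
from collections import defaultdict

class RBAC:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> directly granted permissions
        self.parents = defaultdict(set)      # role -> roles it inherits from
        self.user_roles = defaultdict(set)   # user -> assigned roles
        self.max_users = {}                  # role -> cardinality limit
        self.exclusive = []                  # static separation-of-duty role pairs

    def grant(self, role, *perms):
        self.role_perms[role].update(perms)

    def inherit(self, child, parent):
        self.parents[child].add(parent)

    def assign(self, user, role):
        # Returns False when a constraint blocks the assignment.
        holders = {u for u, rs in self.user_roles.items() if role in rs}
        limit = self.max_users.get(role)
        if limit is not None and user not in holders and len(holders) >= limit:
            return False                      # cardinality: role is already full
        for a, b in self.exclusive:
            if role in (a, b) and ({a, b} - {role}) & self.user_roles[user]:
                return False                  # separation of duties: conflicting roles
        self.user_roles[user].add(role)
        return True

    def permissions(self, role, seen=frozenset()):
        if role in seen: return set()         # guard against hierarchy cycles
        perms = set(self.role_perms[role])    # own permissions plus everything inherited
        for parent in self.parents[role]:
            perms |= self.permissions(parent, seen | {role})
        return perms

    def check(self, user, perm):
        return any(perm in self.permissions(r) for r in self.user_roles[user])

def hospital():  # the deck's example; permission names and constraint policy are assumed
    rbac = RBAC()
    rbac.grant("Patient", "view_own_results")
    rbac.grant("Nurse", "access_patient_records", "manage_appointments")
    rbac.grant("Doctor", "prescribe_medication", "view_test_results")
    rbac.inherit("Doctor", "Nurse")               # Doctor can do what a Nurse can
    rbac.inherit("Administrator", "Doctor")       # Administrator inherits everything below
    rbac.max_users["Administrator"] = 1           # cardinality constraint: one admin
    rbac.exclusive.append(("Doctor", "Patient"))  # assumed conflict-of-interest pair
    return rbac
```

Note that a blocked assignment only returns False here; a production system would also write the denial to the audit trail mentioned under "Auditing and Monitoring".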
Conclusion
• RBAC is a powerful and widely used access control model that offers several advantages in managing permissions and security.
• Understanding its core concepts, models, and implementation considerations is crucial for effective security management.