As the digital world progresses at a rapid pace, fewer business issues have become greater than information and IT security, with organizations around the world falling victim to security crises and lost productivity associated with delays in access to applications and systems. The security risks that an organization is exposed to as a result of orphan accounts, high-privileged access held by unauthorized users and access privileges carried by users as they move from one job function to another have been cited as the main IT audit findings.


As organizations look to streamline and improve the efficiency of their identity management (IdM) infrastructure and add value to existing IT relationships within the business, role-based access control (RBAC) is one solution that can be adopted by organizations to streamline efficiencies and apply access controls across all applications and systems in their enterprise. Traditionally, users are granted access rights on applications if they have the right approvals on an as needed basis. As a result, there is no standardization of access rights even for individuals performing the exact same job function.


The lack of baselines on user access has led to increasing pains in meeting compliance objectives and applying appropriate security controls. Applying the “least privilege” principle to user access is extremely difficult as organizations have at best a minimal view of the actual access held by individuals and have no means to strip user access down to a level appropriate for the job at hand.


Roles provide a way for companies to baseline access for each user based on his or her needs, as defined by the individual job function, and the tasks that are required. Roles also provide a way to assign groups of access rights as a single unit, rather than the traditional method of assigning individual access rights. This simplifies the procedure for managing user access and provides a basis for automating the access rights for individual jobs. When business roles are used in conjunction with user provisioning systems (IdM systems), organizations have the ability to achieve an automated solution for user provisioning/deprovisioning tasks and apply appropriate security controls in their environments.


RBAC may be applied across all applications to enable efficient access control by using business roles. Roles comprising a group of access rights on an individual application or across multiple applications can be assigned to a single individual or a group of individuals. Many applications use the RBAC framework internally for fine-grained access control to various functionalities and data objects. Increasingly, organizations are looking at applying the same framework to manage access control to multiple applications and systems by utilizing more comprehensive business roles. Organizations are looking at the use of RBAC to increase efficiency and implement security controls around user access.


Organizations are currently facing a number of challenges related to their current user access processes, including:


  • Inefficient user access process,
  • Lost productivity because of user access delays for employees/contractors/vendors and temporary workers,
  • Manual and cumbersome process for assigning access to users,
  • Terminated users who continue holding access to private applications – an inherent security risk,
  • Inability to track access rights for contractors,
  • Employees carrying access across departments and job levels when transitions and/or promotions occur,
  • Inability to track access rights of each individual user,
  • Manual and cumbersome processes for providing auditors with security controls around user access processes,
  • Inability to apply the “least privilege” principle,
  • No baseline of user access for each job function, and
  • Inability to track segregation of duty violations or prevent segregation of duty policies.

These challenges have provided an opportunity to revamp the current user access process and apply the RBAC framework to provide a more robust and secure environment.


There are six major components of a role-based access control solution. The close relationship between the components provides a structure to the model that imitates the general organizational structure, with the flexibility to be highly scalable with the organization's growth. Figure 1 demonstrates the RBAC component relationship architecture: 




The RBAC deployment methodology provides a systematic procedure for the deployment of all RBAC framework components. The following methodology is a proven process that has been built on successful deployments by RBAC software:

  1. Analysis and design: A detailed analysis of the current processes, applications and organizational structures allows a business team to prioritize applications, business units and processes that will provide organizations maximum ROI when moved to a role-based access control model.
  2. Technology deployment: The following steps are taken to build the infrastructure necessary for moving toward the RBAC framework:
    • Deploy an RBAC solution, and
    • Build an identity warehouse consisting of organizational structure, user identities, user context information and user account information (access rights) on all high priority applications (applications in scope).
  3. Top down approach: Launch entitlement certification for managers to certify the access held by their users.
  4. Start deploying the IdM solution (if needed) or

·      Develop workflows for the approval of role assignment (BPM or enterprise workflow engine) or

·      Set up email notifications to administrators when roles are assigned to users.


  1. Perform role engineering (using a hybrid approach).
  2. Ensure a manager signs off on roles to confirm appropriate access and properties.
  3. Assign role owners to roles.
  4. Create rules for the assignment of roles.
  5. Export the roles into the IdM solution, if one exists.
  6. Ongoing role management processes.
  7. Ongoing user on-boarding, off-boarding, transfer and modification processes.
  8. Role governance processes.
Additionally, when selecting an RBAC partner, organizations should be sure to contract with an organization that:


  • Completes the entire lifecycle of an identity, which allows for efficiency in implementation of the RBAC solution. The lifecycle beings by determining which users should have access to what data, allowing that access, and then meeting government regulations that cultivate operational efficiencies, which is the end of the lifecycle and the ultimate goal.
  • Understands its role in the compliance equation. Your RBAC partner should understand how to design and implement your solution to help meet your specific compliance needs, whether those needs are in relation to Sarbanes-Oxley, HIPAA or they myriad other federal regulations.
  • Has product-proven installations worldwide, which have generated an ROI for organizations in a range of industries. Your partner should have a cache of success stories and case studies that illustrate the value of their work.
  • Is a partner, and not a vendor. Your RBAC partner should get to know your organization, its values and your goals. They should work with you to set realistic timelines and specific objectives, as well as communicate with you every step of the way to ensure your needs are met.

Aligning roles to business responsibilities and the use of roles as an IT resource is a strong method to simplify the process of managing user access, saving the valuable time of both employees and employers. Loss in productivity is further diminished thanks to RBAC’s ease of use. Additionally, security is hardened by certifying users’ accessibility rights and ensuring employees are only allowed access to information pertinent to their roles, without interrupting everyday work. By managing the interrelationship between digital identities, a company’s IT infrastructure and critical business processes, organizations can better protect themselves against looming security failures that can disrupt operations, leading to financial, legal, human safety and personal privacy setbacks that can diminish public confidence.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access