Role Based Access Control

Role Based Access Control (RBAC; German: rollenbasierte Zugriffskontrolle) is a method for controlling access to files and services in multi-user systems and computer networks. The RBAC model was described in 1992 by D. F. Ferraiolo and D. R. Kuhn and adopted in 2004 as ANSI standard INCITS 359-2004.

The alternative, granting rights and access to the various systems directly to each real user, becomes confusing and therefore error-prone as the number of users grows. The concept based on user roles instead abstracts rights onto work processes: a right is attached to the task being performed rather than to the individual person.

RBAC model

In role-based access control, the users of a computer or network are assigned roles; a user can hold several roles. A role in turn can be bound to one or more (1 to n) group memberships. Depending on the user's role mapping, and the group memberships attached to it, the system grants or denies access rights to resources. Reading, writing and executing files are the operations most often controlled by RBAC, but the method is not limited to these.

A group is not necessarily the same thing as a role. The distinction matters because users are classified by the role in which, that is, for the performance of which task, they access the computer. In IT usage the word "role" covers designations such as webmaster, postmaster, newsmaster, network administrator or system administrator, and these need not be different people. One and the same person may, in the role of webmaster, check the website, then, in the role of postmaster, read complaints about its open mail relay, and then, in the role of system administrator, install software. Because each role may require different access rights, one user may need to be assigned to more than one group.

Because of this three-tier structure of users, roles and groups, the access rights of a user can be checked via the role assignment and the group assignments bound to it.
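The following Python program is an added example (not part of the original article) of the three-tier check described above: a user's effective groups are resolved through the roles they hold, and an operation on a resource is permitted only if one of those groups grants it. The users, roles, groups and resource permissions are constructed sample data, with alice holding the webmaster, postmaster and system administrator roles as in the scenario above.

```python
"""Three-tier RBAC check: user -> roles -> groups -> permissions on resources.

Added example; all names and data below are constructed for illustration.
"""

# Permissions granted by groups: resource -> {(group, operation), ...}
GROUP_PERMISSIONS = {
    "/var/www/html": {("www-admins", "read"), ("www-admins", "write")},
    "/var/log/mail.log": {("mail-admins", "read")},
    "/usr/local/bin": {
        ("wheel", "read"), ("wheel", "write"), ("wheel", "execute"),
        ("www-admins", "execute"), ("mail-admins", "execute"),
    },
}

# Each role is bound to 1..n groups.
ROLE_GROUPS = {
    "webmaster": {"www-admins"},
    "postmaster": {"mail-admins"},
    "sysadmin": {"wheel"},
}

# Each user holds 1..n roles; alice fills all three roles in turn.
USER_ROLES = {
    "alice": {"webmaster", "postmaster", "sysadmin"},
    "bob": {"webmaster"},
}


def groups_for(user):
    """Effective groups of a user: the union of the groups bound to each role held."""
    groups = set()
    for role in USER_ROLES.get(user, set()):
        groups |= ROLE_GROUPS.get(role, set())
    return groups


def grant_paths(user, resource, operation):
    """(role, group) pairs that justify the operation, for audit; empty list means deny.

    An unknown user, role, resource or operation simply yields no path, so the
    default decision is deny.
    """
    allowed = GROUP_PERMISSIONS.get(resource, set())
    return sorted(
        (role, group)
        for role in USER_ROLES.get(user, set())
        for group in ROLE_GROUPS.get(role, set())
        if (group, operation) in allowed
    )


def is_allowed(user, resource, operation):
    """Access decision: permitted only if at least one role/group path grants it."""
    return bool(grant_paths(user, resource, operation))


if __name__ == "__main__":
    for user, resource, op in [
        ("alice", "/var/log/mail.log", "read"),
        ("bob", "/var/log/mail.log", "read"),
        ("bob", "/usr/local/bin", "execute"),
        ("bob", "/usr/local/bin", "write"),
        ("carol", "/var/www/html", "read"),
    ]:
        verdict = "allow" if is_allowed(user, resource, op) else "deny"
        print(f"{user:6} {op:8} {resource:20} -> {verdict} {grant_paths(user, resource, op)}")
```

Returning the list of justifying (role, group) pairs rather than a bare boolean lets an auditor see why a grant was issued, and unknown users, roles or resources fall through to deny by construction.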

Identity management (IDM) systems are typically used to manage these assignments. They assign a user to groups on one or more (1 to n) computer systems simply by binding the user to at least one role. Among other things, this requires that a uniform role concept be established. Such systems also help to enforce IT security requirements: at configurable intervals, the group memberships a user actually holds on each of the 1 to n computer systems are compared with the role definitions in the IDM system's rule set. Any deviation (non-compliance) can then be corrected by the IDM system on demand, which ensures access consistency.
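The compliance check and correction described above, as an added example in Python (not the code of any real IDM product): the role definitions state which groups a role requires on which systems, the group memberships collected from each system are compared against what each user's role bindings require, deviations in both directions are listed, and a corrected state is produced. The system names, users and memberships are constructed sample data.

```python
"""IDM-style reconciliation: role definitions versus actual group memberships.

Added example with constructed data; not the code of any real IDM product.
"""
from copy import deepcopy

# Role definitions: role -> {system: {groups required on that system}}
ROLE_DEFINITIONS = {
    "webmaster": {"web01": {"www-admins"}, "web02": {"www-admins"}},
    "postmaster": {"mail01": {"mail-admins"}},
    "sysadmin": {"web01": {"wheel"}, "web02": {"wheel"}, "mail01": {"wheel"}},
}

# Role bindings held by each user.
USER_ROLES = {"alice": {"webmaster", "postmaster"}, "bob": {"sysadmin"}}

# Actual state as collected from each system: system -> {user: {groups}}.
# mallory holds no role but sits in wheel on web01; alice has a stray wheel
# membership on web02 and is missing mail-admins on mail01.
ACTUAL = {
    "web01": {"alice": {"www-admins"}, "bob": {"wheel"}, "mallory": {"wheel"}},
    "web02": {"alice": {"www-admins", "wheel"}, "bob": {"wheel"}},
    "mail01": {"bob": {"wheel"}},
}


def expected_memberships(user_roles, role_defs):
    """Derive system -> {user: {groups}} required by the users' role bindings."""
    expected = {}
    for user, roles in user_roles.items():
        for role in roles:
            for system, groups in role_defs.get(role, {}).items():
                expected.setdefault(system, {}).setdefault(user, set()).update(groups)
    return expected


def find_deviations(expected, actual):
    """List (system, user, group, kind) tuples; kind is 'missing' or 'excess'.

    'excess' memberships are the security-relevant case: access that no role
    justifies, e.g. an account left behind or a group added by hand.
    """
    deviations = []
    for system in sorted(set(expected) | set(actual)):
        exp_users = expected.get(system, {})
        act_users = actual.get(system, {})
        for user in sorted(set(exp_users) | set(act_users)):
            exp = exp_users.get(user, set())
            act = act_users.get(user, set())
            deviations += [(system, user, g, "missing") for g in sorted(exp - act)]
            deviations += [(system, user, g, "excess") for g in sorted(act - exp)]
    return deviations


def remediate(actual, deviations):
    """Return a corrected copy of the actual state; the input is left untouched."""
    corrected = deepcopy(actual)
    for system, user, group, kind in deviations:
        members = corrected.setdefault(system, {}).setdefault(user, set())
        if kind == "missing":
            members.add(group)
        else:
            members.discard(group)
    # Users with no remaining groups no longer need an entry on that system.
    for users in corrected.values():
        for user in [u for u, groups in users.items() if not groups]:
            del users[user]
    return corrected


def compliance_run(user_roles, role_defs, actual):
    """One scheduled run: report deviations and the state after correction."""
    expected = expected_memberships(user_roles, role_defs)
    deviations = find_deviations(expected, actual)
    return deviations, remediate(actual, deviations)


if __name__ == "__main__":
    deviations, corrected = compliance_run(USER_ROLES, ROLE_DEFINITIONS, ACTUAL)
    for d in deviations:
        print("non-compliant:", d)
    print("after correction:", corrected)
```

Running the comparison on the corrected state yields no deviations, which is the consistency property the scheduled check is meant to restore; in practice the "excess" list is the one to alert on, because it is where unauthorised access accumulates.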

Use

Managing user rights via RBAC is widely regarded as best practice, and this type of access control has been implemented in a wide range of systems. Microsoft Active Directory, Microsoft SQL Server, SELinux, grsecurity, FreeBSD, Solaris, Oracle RDBMS, PostgreSQL (from version 8.1), SAP R/3, FusionForge and many others use some form of the RBAC model.
