Role Based Access Control (RBAC) is commonly used within the Identity Governance and Administration (IGA) domain. The easiest way to define the term is to define what we mean by a 'Role', 'Access' and 'Control'.
What do we mean by 'Role'?
The word role can have various definitions and use cases. At ideiio, we want to simplify this. When we talk about roles we're talking about either an identity's 'category' or its 'job role'.
A category is a way of grouping together identities within your organisation who have common access permissions regardless of job role, e.g. 'contractors', 'permanent staff', 'students' or 'lecturers'.
A job role describes a job function within an organisation. The job function is the set of skills or actions that an identity carries out, e.g. 'business lecturer', 'consultant', 'asset finance controller', 'remote worker' or 'office worker'.
What do we mean by 'Access'?
Put very simply - we mean giving people in your organisation (e.g. staff, contractors, students) the capability to use the applications or tools they need to do their job.
The fancy buzzword we use for the tools or applications people need is 'resources'.
Resources can be applications, Active Directory group memberships, hardware, user accounts or application entitlements that people within your organisation will need.
Entitlements are specific permissions within an application that, when assigned to a person, either grant them elevated privileges within the application or restrict what actions the person can perform within it.
What do we mean by 'Control'?
With ideiio you can control access by granting or removing it when needed; in other words, you can manage when, how and what access a person is given.
For example, when a person joins your organisation, ideiio grants access to the resources the person requires based on their category. Access granted this way is known as a 'birthright'. In the same way, ideiio also grants resource access to a person based on their job role(s).
ideiio constantly evaluates and manages the set of resources a person should have access to based on the identity's category and job role(s), so that access which is no longer justified by either is removed.
When a person leaves, their access to all resources is removed, reducing the security risk of orphaned accounts and entitlements.
So what does RBAC actually mean without the buzzwords?
Put simply, RBAC is a process for controlling who has access to what in your organisation.
The 'what' a person may access is determined by the roles the person holds (their category and job role(s)).
So how does that relate to ideiio?
ideiio automates the RBAC process for your organisation in a simple and intuitive way.
This reduces the manual effort your organisation would otherwise spend managing the access of identities.
Do you have a helpful diagram? - YES WE DO
The example RBAC configuration below has three levels, each granting resource access on top of the one before it. An explanation follows each level.
Level 1: Category (birthright). Staff. The person joining belongs to the 'staff' category, so they are granted a login account and access to email as a birthright. (ideiio allows you to define what access should be given at each level.)
Level 2: Job role. Developer. The person joining is a developer, so they get access to developer applications. (ideiio can assign both 'coarse-grained' and 'fine-grained' access to applications.)
Level 3: Self service access request. Application catalogue. The person can request additional resource access using the ideiio application catalogue. (ideiio allows you to define which resources the people in your organisation can request access to.)
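To make the three levels above and the 'Control' behaviour concrete, here is an added worked example of the evaluation loop an RBAC engine runs: it computes the access an identity should hold from its category birthrights, job roles and approved catalogue requests, diffs that against what the identity currently holds, and turns the difference into grants and revocations. This is illustrative code written for this page, not ideiio's implementation or data model; the categories, roles, resource names and entitlements are all constructed. Two checks a practitioner would want are included: a fine-grained entitlement ('gitlab:reporter') is only kept when the coarse-grained application access it depends on is also granted, and an approved self-service request cannot confer something the catalogue does not offer.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed policy tables (not ideiio's data model). A resource is a plain
# name; a fine-grained entitlement is written "app:entitlement" and is only
# meaningful alongside coarse-grained access to "app".
BIRTHRIGHTS: dict[str, set[str]] = {           # Level 1: category -> birthrights
    "staff": {"ad-account", "email"},
    "contractor": {"ad-account"},
}
ROLE_GRANTS: dict[str, set[str]] = {           # Level 2: job role -> resources
    "developer": {"gitlab", "gitlab:developer", "jira"},
    "release-manager": {"gitlab", "gitlab:maintainer"},
    "security-auditor": {"gitlab:reporter"},   # entitlement only, no app access
}
REQUESTABLE: set[str] = {"vpn", "jira", "wiki"}  # Level 3: catalogue items


@dataclass
class Identity:
    uid: str
    category: str
    roles: set[str] = field(default_factory=set)
    approved_requests: set[str] = field(default_factory=set)
    active: bool = True
    current_access: set[str] = field(default_factory=set)


def desired_access(ident: Identity) -> frozenset[str]:
    """The resources an identity should hold right now, derived only from
    its category, job roles and approved catalogue requests."""
    if not ident.active:
        return frozenset()                     # leaver: nothing is justified
    wanted = set(BIRTHRIGHTS.get(ident.category, ()))
    for role in ident.roles:
        wanted |= ROLE_GRANTS.get(role, set())
    # An approved request only counts for something the catalogue offers;
    # it cannot smuggle in an entitlement that is not requestable.
    wanted |= ident.approved_requests & REQUESTABLE
    # Drop entitlements whose parent application is not itself granted.
    return frozenset(r for r in wanted
                     if ":" not in r or r.split(":", 1)[0] in wanted)


def reconcile(ident: Identity) -> tuple[frozenset[str], frozenset[str]]:
    """Diff desired against current access: (to_grant, to_revoke)."""
    target = desired_access(ident)
    return target - ident.current_access, frozenset(ident.current_access - target)


def apply_changes(ident: Identity) -> tuple[frozenset[str], frozenset[str]]:
    """Run one evaluation cycle and provision/deprovision accordingly."""
    grant, revoke = reconcile(ident)
    ident.current_access = (ident.current_access | grant) - revoke
    return grant, revoke


def joiner_mover_leaver() -> list[tuple[str, set[str], set[str]]]:
    """Walk one constructed identity through join, role change and leave;
    return the grants/revocations each evaluation cycle produced."""
    alice = Identity("alice", category="staff", roles={"developer"})
    log = []
    grant, revoke = apply_changes(alice)
    log.append(("join", set(grant), set(revoke)))
    # Mover: developer role removed, release-manager added, and a self-service
    # request for jira approved. jira survives the role change only because the
    # approved request still justifies it; gitlab:developer does not.
    alice.roles = {"release-manager"}
    alice.approved_requests = {"jira"}
    grant, revoke = apply_changes(alice)
    log.append(("move", set(grant), set(revoke)))
    alice.active = False                       # leaver: everything is revoked
    grant, revoke = apply_changes(alice)
    log.append(("leave", set(grant), set(revoke)))
    return log


if __name__ == "__main__":
    for step, grant, revoke in joiner_mover_leaver():
        print(f"{step:5s} grant={sorted(grant)} revoke={sorted(revoke)}")
```

The design point is that the engine never edits access directly: it recomputes the full desired set from the identity's attributes on every cycle and applies the diff. That is what makes a role change or a leaver event safe by construction, because anything no longer justified by a category, role or approved request falls out of the desired set and is revoked, rather than relying on someone remembering to remove it.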
Glossary for those buzzwords
Term | Description |
---|---|
ideiio | ideiio is an Identity Governance and Administration (IGA) system that provides a platform delivering identity lifecycle management in an intuitive way. ideiio is built up of components such as ideiio core, identity bridge, identity portal and the governance portal. |
Identity Governance and Administration | Identity Governance and Administration (IGA) can be described as a framework that encompasses policies relating to the management of identities within an organisation. These policies can be based upon industry standard practices or legally required government standards. |
Identity | A digital record that represents a person within an organisation which records the attributes that make a person unique. |
Self service access request | The process by which an identity can request access to additional systems through an online application catalogue. |
Category | A category is a way of grouping together identities within your organisation, e.g. 'contractors', 'permanent staff', 'students' or 'lecturers'. |
Resource | Resources can be applications, Active Directory group memberships, hardware or user accounts for applications that people within your organisation will require for their job. |
Birthright | A birthright is one or more resources assigned to a person based on their category. Birthrights are attached to a category, so when a person joins your organisation ideiio automatically grants access to the resources the person requires based on that category. |
Entitlement | Entitlements are specific permissions within an application that, when assigned to a person, either grant them elevated privileges within the application or restrict what actions the person can perform within it. For example, a person can be granted an 'admin' entitlement allowing them to perform elevated actions within that application, or a 'default' entitlement limiting them to ordinary use. |
Coarse-grained | Granting a person initial access to a resource based on a role or category. |
Fine-grained | Granting a person specific access to an application via an entitlement, e.g. 'admin access' or 'default access'. |