[Freeipa-users] How RBAC defined.

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Mon May 16 00:45:35 UTC 2016


> I would like to know more about RBAC, like what RBAC is and what can be
> achieved with RBAC.
>
> Could anyone please share some good topics about this, as I am getting so many and
> the information mentioned in those is different.

I can imagine.  RBAC (Role Based Access Control) was created on the
idea that what systems, applications and entitlements you need should
be based on your job function.  It's a way of mapping business policies
to technical authorizations.  An example would be that someone in
accounts payable shouldn't have access to the same systems as someone
from accounts receivable.  So in RBAC terms you would have a "Role"
called "Accounts Payable" that might map to groups in a directory for
"access to check system" and "access to vendor system" but another
"Role" called "Accounts Receivable" that has access to other groups.
Then you have something to audit against: "Why does someone with Role X
have groups that aren't tied to that role?"

In practice, this rarely works.  Few enterprises do a good enough job
defining the roles and responsibilities for their employees at an HR
level, so trying to enforce those roles in technology is hopeless.
Also, RBAC models are very rigid and hard to change, so if you need to
grant someone access to a system that's "one off" to get something done
it breaks the entire model (unless your technology can handle it).
What often happens is you get into a situation where every user could
have their own role, completely breaking the RBAC model.

In my decade plus of identity management implementations across pretty
much every vendor and several industries I can't think of any RBAC-based
models that were successful, but several that were complete
failures.  I was told going into a meeting at one large customer:
"Don't even mention RBAC or the meeting will be ended and we'll be
out."

Hope that helps

Thanks
Marc
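The role-to-group mapping and the audit question Marc describes ("why does someone with Role X have groups that aren't tied to that role?") can be made concrete with a small script. The following is an added example, not code from the post or from FreeIPA: it assumes a toy role definition table, constructed sample users and groups, and an explicit per-user exception list for the "one off" grants he mentions, and it also counts roles held by a single user as a rough indicator of the role explosion he warns about.

```python
"""Toy RBAC audit: find group memberships that no assigned role explains.

All role names, group names and users below are constructed sample data
for illustration; they are not FreeIPA's built-in roles or groups.
"""

# Business roles mapped to the directory groups they are meant to grant.
ROLES = {
    "Accounts Payable": {"check-system-access", "vendor-system-access"},
    "Accounts Receivable": {"invoicing-system-access", "collections-access"},
    "IT Helpdesk": {"password-reset-admins"},
}

# Users with their assigned roles and the groups they actually hold.
USERS = {
    "alice": {"roles": {"Accounts Payable"},
              "groups": {"check-system-access", "vendor-system-access"}},
    "bob": {"roles": {"Accounts Receivable"},
            "groups": {"invoicing-system-access", "vendor-system-access"}},
    "carol": {"roles": {"Accounts Payable", "IT Helpdesk"},
              "groups": {"check-system-access", "password-reset-admins"}},
    "dave": {"roles": set(),
             "groups": {"collections-access"}},
}


def expected_groups(roles, role_defs=ROLES):
    """Union of the groups entitled by a set of roles; unknown roles are an error."""
    groups = set()
    for role in roles:
        if role not in role_defs:
            raise KeyError(f"undefined role: {role}")
        groups |= role_defs[role]
    return groups


def audit_user(user, role_defs=ROLES, exceptions=frozenset()):
    """Return (unexplained, missing) for one user.

    unexplained: groups held that no assigned role grants and that are not
                 recorded as a documented one-off exception
    missing:     groups the roles grant but the user does not actually hold
    """
    entitled = expected_groups(user["roles"], role_defs)
    held = set(user["groups"])
    unexplained = held - entitled - set(exceptions)
    missing = entitled - held
    return unexplained, missing


def audit_all(users=USERS, role_defs=ROLES, exceptions=None):
    """Map each user with findings to sorted lists; clean users are omitted."""
    exceptions = exceptions or {}
    findings = {}
    for name, user in users.items():
        unexplained, missing = audit_user(
            user, role_defs, exceptions.get(name, frozenset()))
        if unexplained or missing:
            findings[name] = {"unexplained": sorted(unexplained),
                              "missing": sorted(missing)}
    return findings


def singleton_roles(users=USERS):
    """Roles assigned to exactly one user: a crude role-explosion indicator."""
    holders = {}
    for name, user in users.items():
        for role in user["roles"]:
            holders.setdefault(role, set()).add(name)
    return sorted(role for role, names in holders.items() if len(names) == 1)


if __name__ == "__main__":
    for name, finding in audit_all().items():
        print(f"{name}: {finding}")
    # Documenting bob's vendor access as a one-off removes it from the report
    # but keeps the missing-group finding, so the exception stays auditable.
    print(audit_all(exceptions={"bob": {"vendor-system-access"}}))
    print("roles held by a single user:", singleton_roles())
```

The report is deliberately two-sided: groups nobody's role explains are the finding an access review cares about, while groups a role promises but the user lacks usually point at a provisioning gap or a stale role definition. Recording one-off grants as named exceptions rather than editing the role table is one way to survive the "one off" requests without inventing a new role per user.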