[Freeipa-users] How RBAC defined.

Ben .T.George bentech4you at gmail.com
Mon May 16 05:02:37 UTC 2016


Hi Marc,

Thanks for the explanation.

Can you please share some kind of implementation guide for this?



On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein <
marc.boorshtein at tremolosecurity.com> wrote:

> > I would like to know more about RBAC. like what is RBAC and what can be
> > achieved with RBAC.
> >
> > anyone please share some good topics about this as I am getting so many
> > and the information mentioned on those is different.
>
> I can imagine.  RBAC (Role Based Access Control) was created on the
> idea that what systems, applications and entitlements you need should
> be based on your job function.  It's a way of mapping business policies
> to technical authorizations.  An example would be that someone in
> accounts payable shouldn't have access to the same systems as someone
> from accounts receivable.  So in RBAC terms you would have a "Role"
> called "Accounts Payable" that might map to groups in a directory for
> "access to check system" and "access to vendor system" but another
> "Role" called Accounts Receivable that has access to other groups.
> Then you have something to audit against "Why does someone with Role X
> have groups that aren't tied to that role?".
>
> In practice, this rarely works.  Few enterprises do that good of a job
> defining the roles and responsibilities for their employees at an HR
> level that trying to enforce those roles in technology is hopeless.
> Also, RBAC models are very rigid and hard to change, so if you need to
> grant someone access to a system that's "one off" to get something done
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade plus of identity management implementations across pretty
> much every vendor and several industries I can't think of any RBAC
> based models that were successful, but several that were complete
> failures.  I was told going into a meeting at one large customer
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc
>
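The role-to-group mapping and the audit question Marc describes ("why does someone with Role X have groups that aren't tied to that role?") can be made concrete in a few lines. The following is an added example, not code from this thread or from FreeIPA; the role names, group names and users are constructed sample data, and a real deployment would read the roles and memberships from the directory instead of from the literals below.

```python
"""Toy RBAC model and drift audit (added example, constructed data).

Roles map to directory groups; each user holds roles and actual group
memberships. The audit reports three kinds of drift:
  - orphan_groups: groups held that no assigned role explains
    (Marc's "one off" grant that breaks the model)
  - missing_groups: groups a role entitles that the user does not hold
  - unknown_roles: roles assigned that the model does not define
"""

from dataclasses import dataclass

# Role -> groups that role entitles (constructed sample mapping)
ROLE_GROUPS = {
    "Accounts Payable": {"check-system-access", "vendor-system-access"},
    "Accounts Receivable": {"invoice-system-access", "customer-portal-access"},
}


@dataclass(frozen=True)
class User:
    uid: str
    roles: frozenset  # roles assigned to the user
    groups: frozenset  # groups the user actually holds in the directory


def expected_groups(roles, role_groups=ROLE_GROUPS):
    """Union of every group granted by the known roles in `roles`."""
    known = [role_groups[r] for r in roles if r in role_groups]
    return set().union(*known)


def audit_user(user, role_groups=ROLE_GROUPS):
    """Compare a user's real memberships against what their roles entitle."""
    expected = expected_groups(user.roles, role_groups)
    return {
        "uid": user.uid,
        "unknown_roles": set(user.roles) - set(role_groups),
        "orphan_groups": set(user.groups) - expected,
        "missing_groups": expected - set(user.groups),
    }


def audit_all(users, role_groups=ROLE_GROUPS):
    """Return findings only for users that deviate from the model."""
    findings = []
    for user in users:
        result = audit_user(user, role_groups)
        if result["unknown_roles"] or result["orphan_groups"] or result["missing_groups"]:
            findings.append(result)
    return findings


# Constructed sample users (hypothetical uids, not from any real directory)
USERS = [
    # matches the model exactly
    User("alice", frozenset({"Accounts Payable"}),
         frozenset({"check-system-access", "vendor-system-access"})),
    # received a "one off" grant to the vendor system that no role explains
    User("bob", frozenset({"Accounts Receivable"}),
         frozenset({"invoice-system-access", "customer-portal-access",
                    "vendor-system-access"})),
    # entitled to the vendor system by role but never added to the group
    User("carol", frozenset({"Accounts Payable"}),
         frozenset({"check-system-access"})),
    # assigned a role the model does not define
    User("dave", frozenset({"Payroll"}), frozenset()),
]


if __name__ == "__main__":
    for finding in audit_all(USERS):
        print(finding)
```

Running it lists bob (an orphan group), carol (a missing group) and dave (an unknown role) while alice is silent. The point is that once the role-to-group mapping exists as data, the audit question becomes a set difference, and every one-off grant shows up as an orphan group until it is either revoked or folded into a role.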