The azad client recognized a need for more organization and security in its procedures for granting access to valuable information technology resources. The current best-practice method for managing access control is to assign users to roles and permissions to roles, rather than granting permissions to individual users one by one. The IT industry calls this technique Role-Based Access Control (RBAC), and it is formalized as an ANSI standard (ANSI INCITS 359-2004). To implement an effective RBAC system, an enterprise needs to build an RBAC Reference Model database that records users, roles, permissions and the relationships and constraints between them. That database is then used to drive the access mechanism that enforces decisions, such as Active Directory group membership and permissions, which determines how access is granted to computer system users and services.
azad Approach & Solution:
The azad client wanted to implement an RBAC reference model with the following characteristics:
- Maintain information describing roles and their assignments to users.
- Define role-based access mechanisms, such as privileges, resources and permissions on objects and operations.
- Build an ANSI standard RBAC model that supports:
  - Core RBAC
  - Hierarchical RBAC
  - Static Separation of Duty Relations
  - Dynamic Separation of Duty Relations
- Document the model using an ERwin data model.
- Collect and store relevant data in a SQL Server database.
- Provide Access forms for ease of maintenance and reporting.
To fulfill this assignment, the azad consultant researched the standards and requirements for ANSI RBAC using the text Role-Based Access Control by Ferraiolo, Kuhn and Chandramouli, Artech House Publishers (April 2003). This was followed by the development of a basic ERwin data model, which evolved into a SQL Server database containing over 100 tables. An application was created using Microsoft Access that displays a menu and forms to maintain all of the RBAC database tables and relationships. A basic set of queries and reports was also provided.
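The following is an added example, not the client's ERwin model or SQL Server schema, showing the shape of a minimal ANSI RBAC reference model database and the checks that the four components above require: a recursive query for Hierarchical RBAC, an SSD check applied when a user is assigned a role (counting inherited roles, so a senior role that inherits a conflicting junior is refused too), a DSD check applied when a role is activated in a session, and a Core RBAC CheckAccess. SQLite stands in for SQL Server; all table, role, user and permission names and the sample data are constructed for illustration.

```python
"""ANSI RBAC (INCITS 359) reference model on SQLite: Core, Hierarchical, SSD and DSD.
Added example, not the client's ERwin/SQL Server schema. All names and data are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY);
CREATE TABLE roles (role_id TEXT PRIMARY KEY);
CREATE TABLE permissions (perm_id INTEGER PRIMARY KEY, operation TEXT, object TEXT,
                          UNIQUE (operation, object));
CREATE TABLE user_assignment (user_id TEXT REFERENCES users, role_id TEXT REFERENCES roles,
                              PRIMARY KEY (user_id, role_id));                 -- UA relation
CREATE TABLE perm_assignment (role_id TEXT REFERENCES roles, perm_id INTEGER REFERENCES permissions,
                              PRIMARY KEY (role_id, perm_id));                  -- PA relation
CREATE TABLE role_hierarchy (senior TEXT REFERENCES roles, junior TEXT REFERENCES roles,
                             PRIMARY KEY (senior, junior));                     -- RH relation
CREATE TABLE ssd_set (ssd_id TEXT PRIMARY KEY, cardinality INTEGER NOT NULL);  -- no user may hold >= n
CREATE TABLE ssd_member (ssd_id TEXT REFERENCES ssd_set, role_id TEXT REFERENCES roles,
                         PRIMARY KEY (ssd_id, role_id));
CREATE TABLE dsd_set (dsd_id TEXT PRIMARY KEY, cardinality INTEGER NOT NULL);  -- no session may activate >= n
CREATE TABLE dsd_member (dsd_id TEXT REFERENCES dsd_set, role_id TEXT REFERENCES roles,
                         PRIMARY KEY (dsd_id, role_id));
CREATE TABLE sessions (session_id TEXT PRIMARY KEY, user_id TEXT REFERENCES users);
CREATE TABLE session_roles (session_id TEXT REFERENCES sessions, role_id TEXT REFERENCES roles,
                            PRIMARY KEY (session_id, role_id));
"""

SAMPLE = """
INSERT INTO users VALUES ('alice'), ('bob'), ('carol');
INSERT INTO roles VALUES ('employee'), ('purchasing_officer'), ('accounts_payable'),
                         ('finance_manager'), ('auditor');
INSERT INTO role_hierarchy VALUES ('purchasing_officer', 'employee'), ('accounts_payable', 'employee'),
                                  ('finance_manager', 'accounts_payable');
INSERT INTO permissions VALUES (1, 'read', 'handbook'), (2, 'create', 'purchase_order'),
                               (3, 'approve', 'invoice'), (4, 'sign', 'payment');
INSERT INTO perm_assignment VALUES ('employee', 1), ('purchasing_officer', 2),
                                   ('accounts_payable', 3), ('finance_manager', 4);
INSERT INTO ssd_set VALUES ('po_vs_ap', 2);      -- nobody may both raise and approve spending
INSERT INTO ssd_member VALUES ('po_vs_ap', 'purchasing_officer'), ('po_vs_ap', 'accounts_payable');
INSERT INTO dsd_set VALUES ('audit_vs_ap', 2);   -- may hold both, but never in the same session
INSERT INTO dsd_member VALUES ('audit_vs_ap', 'auditor'), ('audit_vs_ap', 'accounts_payable');
INSERT INTO user_assignment VALUES ('alice', 'purchasing_officer'), ('bob', 'accounts_payable'),
                                   ('carol', 'accounts_payable'), ('carol', 'auditor');
"""


class SoDViolation(Exception):
    """Raised when an assignment or activation would break a separation-of-duty set."""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def _closure(conn, seed_sql, param):
    """Roles reachable downward through role_hierarchy from the seed roles (seeds included)."""
    sql = f"""WITH RECURSIVE reach(role_id) AS (
                  {seed_sql}
                  UNION
                  SELECT h.junior FROM role_hierarchy h JOIN reach r ON h.senior = r.role_id)
              SELECT role_id FROM reach"""
    return {row[0] for row in conn.execute(sql, (param,))}


def authorized_roles(conn, user_id):
    """Hierarchical RBAC: directly assigned roles plus everything they inherit."""
    return _closure(conn, "SELECT role_id FROM user_assignment WHERE user_id = ?", user_id)


def active_roles(conn, session_id):
    """Roles explicitly activated in a session (inheritance is applied at check_access)."""
    rows = conn.execute("SELECT role_id FROM session_roles WHERE session_id = ?", (session_id,))
    return {r for (r,) in rows}


def _sod_conflict(conn, kind, roles):
    """Id of the first ssd/dsd set in which `roles` covers >= cardinality members, else None."""
    for set_id, card in conn.execute(f"SELECT {kind}_id, cardinality FROM {kind}_set"):
        members = {r for (r,) in conn.execute(
            f"SELECT role_id FROM {kind}_member WHERE {kind}_id = ?", (set_id,))}
        if len(members & roles) >= card:
            return set_id
    return None


def assign_user(conn, user_id, role_id):
    """AssignUser with the SSD check on the user's resulting authorized (inherited) role set."""
    would_hold = authorized_roles(conn, user_id) | _closure(conn, "SELECT ? AS role_id", role_id)
    clash = _sod_conflict(conn, "ssd", would_hold)
    if clash:
        raise SoDViolation(f"assigning {role_id} to {user_id} violates SSD set {clash}")
    conn.execute("INSERT INTO user_assignment VALUES (?, ?)", (user_id, role_id))


def create_session(conn, session_id, user_id):
    conn.execute("INSERT INTO sessions VALUES (?, ?)", (session_id, user_id))


def add_active_role(conn, session_id, role_id):
    """AddActiveRole: role must be authorized for the session's user and not break a DSD set."""
    (user_id,) = conn.execute("SELECT user_id FROM sessions WHERE session_id = ?",
                              (session_id,)).fetchone()
    if role_id not in authorized_roles(conn, user_id):
        raise PermissionError(f"{role_id} is not authorized for {user_id}")
    clash = _sod_conflict(conn, "dsd", active_roles(conn, session_id) | {role_id})
    if clash:
        raise SoDViolation(f"activating {role_id} in {session_id} violates DSD set {clash}")
    conn.execute("INSERT INTO session_roles VALUES (?, ?)", (session_id, role_id))


def check_access(conn, session_id, operation, obj):
    """Core RBAC CheckAccess: an active role, or a role it inherits, must hold the permission."""
    roles = _closure(conn, "SELECT role_id FROM session_roles WHERE session_id = ?", session_id)
    if not roles:
        return False
    marks = ",".join("?" * len(roles))
    hit = conn.execute(
        f"""SELECT 1 FROM perm_assignment pa JOIN permissions p ON p.perm_id = pa.perm_id
            WHERE p.operation = ? AND p.object = ? AND pa.role_id IN ({marks})""",
        (operation, obj, *roles)).fetchone()
    return hit is not None


if __name__ == "__main__":
    db = build_db()
    create_session(db, "s1", "bob")
    add_active_role(db, "s1", "accounts_payable")
    print("bob approves invoice:", check_access(db, "s1", "approve", "invoice"))
    try:
        assign_user(db, "alice", "finance_manager")   # inherits accounts_payable, so SSD refuses it
    except SoDViolation as e:
        print("refused:", e)
```

Two design points carry over to a real deployment. The SSD check runs over the authorized role set including inherited roles, which is what makes the hierarchy safe: without it, a senior role becomes a back door around the static constraint. The DSD check runs over the roles a session has explicitly activated, so a user who legitimately holds both auditor and accounts_payable must open separate sessions to use them, which is the least-privilege behaviour the dynamic relation exists to enforce.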
The client has been able to use the model as a basis for several internal staffing reorganizations and for developing business processes and operating procedures.