Role-Based Access Control

Role-Based Access Control (RBAC) defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual.

According to NIST, RBAC has the following rules:

  1. Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role. The identification and authentication process (e.g., login) is not considered a transaction. All other user activities on the system are conducted through transactions. Thus all active users are required to have some active role.
  2. Role authorization: A subject’s active role must be authorized for the subject. With (1) above, this rule ensures that users can take on only roles for which they are authorized.
  3. Transaction authorization: A subject can execute a transaction only if the transaction is authorized through the subject’s role memberships, and subject to any constraints that may be applied across users, roles, and permissions. With (1) and (2), this rule ensures that users can execute only transactions for which they are authorized [18].

Even powerful roles have limitations; for example, many organizations do not allow system administrators to surf the Web while using the administrator account. This keeps each role separate on the system and reduces the exposure of more sensitive accounts. Table 6.1 shows examples of differing data access based upon the role the user has on the system.

Table 6.1 RBAC.

Role               Example Data Access
Basic user         Desktop applications: email, spreadsheet, web access
Auditor            System security logs, authentication server logs
Network engineer   Router logs, firewall logs, VPN concentrator logs

Task-Based Access Control

Task-based access control provides an access control model closely related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, but focuses on specific tasks instead of roles. Note that tasks could also serve as an attribute that informs Attribute-Based Access Control (ABAC), discussed later in this chapter.

Rule-Based Access Controls

As one would expect, a rule-based access control system uses a series of defined rules, restrictions, and filters for accessing objects within a system. The rules are in the form of “if/then” statements. An example of a rule-based access control device is a proxy firewall that allows users to surf the Web with predefined approved content only (“If the user is authorized to surf the Web, and the site is on the approved list, then allow access”). Other sites are prohibited and this rule is enforced across all authenticated users.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) represents a more recent approach to access control for modern information systems. Within ABAC, attributes of subjects and/or objects are evaluated to determine whether their values meet the requirements for access to be granted or denied. The attributes assessed can be virtually anything that can be codified into the ABAC ecosystem. Common attributes include: whether MFA is being employed, and how recently an MFA challenge has been met; the location from which access is requested (e.g., on-premises vs. remote); the system from which access is requested (e.g., company-owned laptop vs. employee-owned mobile device); and the interface used for access (e.g., API vs. web portal). Most of the preceding attributes are subject-oriented. Object-oriented attributes, such as the type of content being accessed, can likewise play a significant role in ABAC access decisions.

While by no means exclusively relevant to cloud services, ABAC-oriented approaches are widely employed within cloud services, where they provide a modern and flexible ecosystem with more dynamic control over access than traditional MAC, DAC, or even RBAC ecosystems.
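The following added example (not from the book) shows how the three NIST RBAC rules above and the ABAC attributes just described combine in a single policy decision: role activation, permission lookup by active role, and attribute constraints (MFA recency, device type) applied across roles and permissions. The roles and transactions are constructed from Table 6.1, and the 15-minute MFA window and "company_laptop" device value are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed role -> permitted transactions, modelled on Table 6.1.
ROLE_PERMISSIONS = {
    "basic_user": {"read_email", "edit_spreadsheet", "browse_web"},
    "auditor": {"read_security_logs", "read_auth_logs"},
    "network_engineer": {"read_router_logs", "read_firewall_logs", "read_vpn_logs"},
}

@dataclass
class Subject:
    name: str
    authorized_roles: Set[str]               # roles the subject may activate (rule 2)
    active_role: Optional[str] = None        # role selected for this session (rule 1)
    # Constructed ABAC-style subject attributes used as rule 3 constraints.
    mfa_verified_at: Optional[float] = None  # epoch seconds of last MFA challenge
    device: str = "unmanaged"                # assumed values: "company_laptop" / "unmanaged"

def activate_role(subject: Subject, role: str) -> bool:
    """Rule 2: a subject may activate only a role it is authorized for."""
    if role not in subject.authorized_roles:
        return False
    subject.active_role = role
    return True

def authorize(subject: Subject, transaction: str, now: float,
              mfa_max_age: float = 900.0):
    """Rules 1 and 3, then attribute constraints. Returns (allowed, reason)."""
    if subject.active_role is None:                               # rule 1
        return False, "no active role"
    if transaction not in ROLE_PERMISSIONS.get(subject.active_role, set()):
        return False, "transaction not granted by active role"   # rule 3
    # Constraint applied across roles and permissions (rule 3 / ABAC):
    # any log read needs a recent MFA challenge and a company-owned device.
    if transaction.endswith("_logs"):
        if subject.mfa_verified_at is None or now - subject.mfa_verified_at > mfa_max_age:
            return False, "MFA challenge absent or too old"
        if subject.device != "company_laptop":
            return False, "log access requires a company-owned device"
    return True, "allowed"

if __name__ == "__main__":
    alice = Subject("alice", {"basic_user", "auditor"}, device="company_laptop",
                    mfa_verified_at=1_700_000_000.0)
    activate_role(alice, "auditor")
    print(authorize(alice, "read_security_logs", now=1_700_000_300.0))  # allowed
    print(authorize(alice, "browse_web", now=1_700_000_300.0))          # denied
```

Note that the auditor role, like the administrator example in the text, cannot browse the Web while active; the subject must switch back to the basic user role first.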