What is Role Based Access Control (RBAC) and why do we care?
Role Based Access Control (RBAC) is a method of managing access to a system based on the roles of individual users within an organization. We care because it simplifies managing permissions, increases security, and ensures only authorized users can access specific resources.
Describe a Role/Permission hierarchy that you might implement using RBAC.
In a company, there could be roles like ‘Employee’, ‘Manager’, and ‘Admin’. ‘Employee’ might have read access to project data, ‘Manager’ could have read/write access to project data and read access to financial data, ‘Admin’ has full access to all data.
What approach might you take to implement RBAC?
Implementing RBAC typically involves defining roles based on job functions, assigning permissions to those roles, then assigning individuals to those roles. For example, in a software, roles can be created and permissions set programmatically.
If Authentication is “you are who you say you are,” what is Authorization?
Authorization is “you are allowed to do what you are trying to do.” It’s the process of verifying if the authenticated user has the right permissions to perform the requested action.
Name three primary rules defined for RBAC.
Three primary rules for RBAC are: Role Assignment (a subject can exercise permission only if the subject has selected or been assigned a role), Role Authorization (A subject’s active role must be authorized for the subject), and Permission Authorization (A subject can exercise a permission only if the permission is authorized for the subject’s active role).
Describe RBAC to a non-technical friend.
RBAC is like a club’s VIP list. The bouncer (system) lets you in (authentication) because you’re on the list (a user in the system). Once inside, your wristband color (role) determines what areas you can access (authorization).
What Are access rights Associated with? The User? or The Role? Explain.
Access rights are associated with the Role, not the User. This means that instead of directly giving permissions to each user, we assign them to a role, and then that role is assigned to the user. This way, if multiple users have the same job, they can just be assigned the appropriate role.
Access Rights, or Authorization, is activated after a user successfully does what?
Access Rights or Authorization is activated after a user successfully authenticates. This means once the system verifies the user’s identity, it then checks what actions they are authorized to perform based on their role.
Explain how RBAC might benefit a business.
RBAC can benefit a business by simplifying permission management and enhancing security. For instance, it can prevent unauthorized access to sensitive data and allow administrators to quickly update user permissions by simply changing their role, rather than updating individual user settings.