Role-Based Access Control Knowledge
Kip Landergren
My RBAC knowledge base explaining the principle of least privilege, separation of duties, and helpful resources for further study.
Overview
Role-based access control (RBAC) is a methodology for securing the operation of an organization. It starts by defining “transactions”, each of which controls how a particular action is performed on an object. Transactions are then grouped into a “role” so that one component of the organization’s functionality can be carried out by whoever holds that role. Finally, subjects (users or processes) are assigned one or more roles according to their responsibilities and function, and a subject may perform a transaction only if one of its roles contains it.
RBAC itself places no requirements on how permissions and roles are configured or assigned to subjects, but two best practices should be considered:
- Principle of Least Privilege
- Separation of Duties
Key Concepts
Principle of Least Privilege
Give subjects no more than necessary to perform a job.
Separation of Duties
Allow no single role to perform every transaction of a given set. Example: the transactions “open a charge on an account” and “approve a charge on an account” would be assigned to two separate roles, so that no one subject can both initiate and approve the same charge. The rationale is fraud prevention.
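As an added example (not from the original page), here is a small Python model of both practices: roles hold transactions, subjects hold roles and nothing else, and a static separation-of-duties constraint refuses to give one subject both the “open a charge” and “approve a charge” roles. The role, subject and transaction names are constructed for illustration.

```python
# Added example (not from the original page): a minimal RBAC model that encodes
# least privilege and separation of duties. Names are constructed for illustration.

class RBAC:
    def __init__(self):
        self.roles = {}               # role -> set of transactions
        self.assignments = {}         # subject -> set of roles
        self.exclusive_pairs = []     # static separation-of-duties constraints

    def define_role(self, role, transactions):
        self.roles[role] = set(transactions)

    def exclude(self, role_a, role_b):
        """Static separation of duties: no subject may hold both roles."""
        self.exclusive_pairs.append(frozenset((role_a, role_b)))

    def assign(self, subject, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(subject, set())
        for pair in self.exclusive_pairs:
            if pair <= held | {role}:
                raise ValueError(f"{subject}: {sorted(pair)} are mutually exclusive")
        held.add(role)

    def permitted(self, subject, transaction):
        # Least privilege by default: a subject with no role can do nothing.
        return any(transaction in self.roles[r]
                   for r in self.assignments.get(subject, ()))

def approve_charge(rbac, subject, charge):
    """Approve a charge; as a second, dynamic safeguard, the opener may never approve it."""
    if not rbac.permitted(subject, "approve_charge"):
        return False
    if charge["opened_by"] == subject:
        return False
    charge["approved_by"] = subject
    return True

def build_demo():
    rbac = RBAC()
    rbac.define_role("clerk", ["open_charge"])
    rbac.define_role("supervisor", ["approve_charge"])
    rbac.exclude("clerk", "supervisor")   # nobody may both open and approve
    rbac.assign("alice", "clerk")
    rbac.assign("bob", "supervisor")
    return rbac
```

Attempting `build_demo().assign("alice", "supervisor")` raises `ValueError`, which is the separation-of-duties constraint doing its job.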
External Resources
- Role-Based Access Controls by David Ferraiolo (NIST) and Richard Kuhn (NIST)
- Role-based access control | Wikipedia