Role-based access control - definition & overview

Role-based access control (RBAC) is a critical capability for organizations that deploy applications into the cloud. With RBAC, IT security and operations analysts gain complete visibility and oversight into application permissions and the ability to easily manage who has access to cloud-based resources, what areas of the network can be accessed by users, and what types of actions users can perform with the resources they are permitted to use.

As enterprise cloud infrastructures continue to grow, IT professionals become responsible for securing a growing number of applications in increasingly complex cloud environments. Controlling user access to applications and resources within the cloud is a necessary step towards maintaining the security of the organization's information assets and proactively protecting against cyber attacks.

The methodology of RBAC grants access to cloud computing resources based on a user's role within the organization. With individuals in each role granted just enough flexibility and permissions to perform the tasks required for their job, the organization reduces the overall attack surface and level of vulnerability for cyber attacks.

The RBAC methodology is based on a set of three primary rules that govern access to secured systems:

1. Role assignment: Each transaction or operation can only be carried out if the user has assumed the appropriate role. An operation is defined as any action taken with respect to a system or network object that is protected by RBAC. Roles may be assigned by a separate party or selected by the user attempting to perform the action.
2. Role authorization: The purpose of role authorization is to ensure that users can only assume a role for which they have been given the appropriate authorization. When a user assumes a role, they must do so with authorization from an administrator.
3. Transaction authorization: An operation can only be completed if the user attempting to complete the transaction possesses the appropriate role.

In RBAC, each IT organization is free to establish its own characteristics for each role. Roles on the network can correspond directly to job roles within the organization, or they may simply represent sets of permissions that may be assigned or authorized for individuals based on other criteria.

With these three rules as a basic underpinning for all RBAC systems, things can get quite complex. A subject can have multiple role authorizations, switching freely between roles depending on the permissions they require to perform a specific task. This is common in enterprise security operations centers where IT security and operations analysts work side-by-side and may require different sets of permissions for security or operational tasks.

The National Institute of Standards and Technology (NIST) describes four different implementation models for RBAC. These are not standalone models. They are levels of the same model, with each one built on the requirements of the previous while adding new functional capabilities that enhance security and ease of use.

Level 1: Flat RBAC

Flat RBAC is based on the three primary rules of role-based access control. In addition, Flat RBAC systems should support many-to-many user-role assignments, and many-to-many permission-role assignments, and should allow users to use permissions of multiple roles at the same time.

Level 2: Hierarchical RBAC

Hierarchical RBAC incorporates all of the rules and capabilities of Flat RBAC along with support for hierarchies. A hierarchy defines relationships of seniority between roles where senior roles are assigned all of the permissions of roles that are junior to them. Hierarchies can be configured based on the needs of the IT organization and the capabilities of the software tool used to implement RBAC. Some tools impose hierarchical structures like trees or inverted trees, while others allow the IT organization more flexibility in designing a customized hierarchical model for assigning permissions.

Level 3: Constrained RBAC

A constrained RBAC incorporates all of the features of the hierarchical RBAC, along with support for the separation of duties (SoD). Separation of duties refers to the concept of requiring more than one person to complete a task. This means that if employees of the organization attempt to commit a fraudulent act, they must involve another individual at the organization with complementary permissions - significantly increasing the total risk of getting caught. Additionally, a cyber attack that gains access to a single account - even one with high-level permissions - may still lack the ability to do major harm because of SoD.

Level 4: Symmetric RBAC

The highest level of RBAC implementation, symmetric RBAC has all of the same requirements of constrained RBAC along with one new feature: support for permission-role review with performance similar to user-role review. The idea here is that enterprise IT organizations that wish to maintain permission assignments must be able to periodically review and adjust the permissions associated with each role. While this process can prove labor-intensive and difficult to manage, it enables organizations to effectively react to change and modify permission-role relationships accordingly.

For enterprise IT organizations that increasingly depend on cloud-based infrastructure and applications, there's no better way to maintain operational and security performance than with Sumo Logic.

Sumo Logic supports your role-based access control efforts with a cloud-native platform that monitors all network security events, including successful and failed authentication attempts for any application or system throughout your cloud infrastructure.

The Sumo Logic platform itself supports RBAC, making it easy for system administrators to selectively assign access to application data and resources based on the specific needs of target users, whether in security, operations or business management.