  • Role Engineering for Enterprise

    Role Engineering for Enterprise Security Management (Information Security and Privacy)

    Role-based access control (RBAC) promises to provide several benefits to organizations. These benefits include simplified security provisioning and administration, ease of reporting on privileges and to whom they are available, and finer-grained security authorization. By being policy-neutral, RBAC can be used to enforce the variety of access control policies that various organizations already have in place or may develop in preparation for the adoption of RBAC. RBAC also provides specific features to facilitate implementation of access control policies. These features include capabilities to impose constraints on relationships among roles and among the components of roles, and the inheritance of permissions from one role by another, which can simplify role design.

    To employ RBAC, it is first necessary to identify a set of roles for the organization. These roles must accurately reflect the activities, functions, and responsibilities within the organization. Roles have two major components: the names of the job functions performed by IT users, and the permissions that enforce an access control policy. The definition of roles is a process of discovering and then engineering requirements for access control. A methodology for establishing a valid set of role names with assigned permissions is needed. This book is designed to assist organizations in establishing such a role engineering methodology before starting a role engineering effort. Previous practical experience is applied to provide guidance in defining roles and in structuring the roles for use in controlling access to IT resources.
