1. Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is an access control method where permissions are given to roles, and users are assigned those roles.
In simple words: User → gets a Role → Role has Permissions.
- Easy to manage large systems
- Reduces complexity
- Improves security
Example: In a college database: Student can view marks, Teacher can update marks, and Admin has full access.
2. Limitations of RBAC
- Role explosion – too many roles in large systems
- Difficult role design and maintenance
- Not flexible for temporary permissions
- Management overhead in complex systems
3. Core RBAC
Core RBAC is the basic and minimum RBAC model. It includes:
- Users
- Roles
- Permissions
- User-Role Assignment
- Role-Permission Assignment
Flow: User → Role → Permission
Example: User = Rahul, Role = Teacher, Permission = Update Marks.
4. Hierarchical RBAC
Hierarchical RBAC allows roles to inherit permissions from other roles.
In simple words: Senior role gets all permissions of the junior role.
Example: Admin → Teacher → Student (Admin inherits Teacher and Student permissions).
- Reduces duplication
- Improves management
5. Statically Constrained RBAC
Statically Constrained RBAC applies rules when roles are assigned to users.
It restricts which roles a user can hold together.
Example: A user cannot be both Accountant and Auditor.
Constraint is checked before role assignment (Static Separation of Duty - SSD).
6. Dynamically Constrained RBAC
Dynamically Constrained RBAC applies rules during role activation.
User may have multiple roles but cannot use conflicting roles at the same time.
Example: A user can have Maker and Checker roles but cannot activate both together in one session.
Constraint is checked at runtime (Dynamic Separation of Duty - DSD).
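As an added illustration of sections 3 to 6 (this is not code from the original notes), the following small Python RBAC engine implements Core RBAC, role inheritance, SSD enforced at assignment time and DSD enforced at activation time; every user, role and permission name is constructed from the notes' own examples.

```python
class RBAC:
    """Core RBAC + role hierarchy + static (SSD) and dynamic (DSD) separation of duty."""
    def __init__(self):
        self.role_perms = {}   # role -> {permission}  (Role-Permission Assignment)
        self.juniors = {}      # role -> {junior roles it inherits permissions from}
        self.user_roles = {}   # user -> {role}        (User-Role Assignment)
        self.sessions = {}     # session id -> (user, {active roles})
        self.ssd, self.dsd = [], []  # role pairs that may not be held / activated together
    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role], self.juniors[role] = set(perms), set(inherits)
    def perms_of(self, role):
        # Hierarchical RBAC: own permissions plus those of every junior role, transitively
        perms, todo, seen = set(), [role], set()
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                perms |= self.role_perms[r]
                todo.extend(self.juniors[r])
        return perms
    def assign(self, user, role):
        # Static Separation of Duty (SSD): checked here, before the role is granted
        held = self.user_roles.setdefault(user, set())
        if any({a, b} <= held | {role} for a, b in self.ssd):
            raise PermissionError(f"SSD: {user} may not hold {role} with {sorted(held)}")
        held.add(role)
    def activate(self, sid, user, role):
        # Dynamic Separation of Duty (DSD): checked at runtime, on role activation
        _, active = self.sessions.setdefault(sid, (user, set()))
        if role not in self.user_roles.get(user, ()):
            raise PermissionError(f"{user} is not assigned {role}")
        if any({a, b} <= active | {role} for a, b in self.dsd):
            raise PermissionError(f"DSD: {role} cannot be active with {sorted(active)}")
        active.add(role)
    def check(self, sid, perm):
        # Access decision: the permission must come from a role active in this session
        _, active = self.sessions[sid]
        return any(perm in self.perms_of(r) for r in active)

def college():
    # Constructed sample data following the notes' own examples (not a real system)
    ac = RBAC()
    ac.add_role("Student", ["view_marks"])
    ac.add_role("Teacher", ["update_marks"], inherits=["Student"])
    ac.add_role("Admin", ["full_access"], inherits=["Teacher"])
    for r in ("Accountant", "Auditor", "Maker", "Checker"): ac.add_role(r)
    ac.ssd.append(("Accountant", "Auditor"))   # static constraint (SSD)
    ac.dsd.append(("Maker", "Checker"))        # dynamic constraint (DSD)
    ac.assign("Rahul", "Teacher")
    return ac
```

Note that `check` only consults roles that are active in the session, so a user who holds a role but has not activated it gets no access from it; that is what makes the DSD check meaningful.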
7. Limitations of RBAC (Detailed)
- Cannot express permissions that depend on the data being accessed rather than on the role
- Not suitable for very small systems
- Needs proper planning
- Limited flexibility in dynamic environments
8. Comparing RBAC with DAC and MAC
Discretionary Access Control (DAC)
- Owner decides permissions
- Flexible but less secure
Mandatory Access Control (MAC)
- System decides permissions
- Very secure but rigid
Role-Based Access Control (RBAC)
- Roles decide permissions
- Balanced security and flexibility
| Feature | DAC | MAC | RBAC |
|---|---|---|---|
| Who decides access | Owner | System | Role |
| Security Level | Low | Very High | High |
| Flexibility | High | Low | Medium |
| Used in | File systems | Military | Enterprises |
9. Access Control Policy (in RBAC Context)
In RBAC, access control policy is defined using roles, role hierarchy, constraints, and permissions.
It answers: Who can do what and under which role.
10. Integrating RBAC with Enterprise IT Infrastructure
Enterprises use RBAC for centralized security and large user management.
- Centralized control for multiple users
- Works with databases, applications, and operating systems
- Improves security consistency
11. RBAC for WFMSs (Workflow Management Systems)
A WFMS controls business processes and approvals.
RBAC in a WFMS assigns roles to workflow steps, ensuring that each step is carried out only by an authorized role.
Example:
- Employee submits request
- Manager approves
- Finance processes payment
Each step is assigned a specific role.
12. RBAC for UNIX Environment
UNIX uses users, groups, and file permissions. RBAC enhances UNIX security with roles.
- Roles instead of direct permissions
- Temporary role activation for admin tasks
- Better administrative control
Example: A user activates admin role only when needed.
13. RBAC for Java Environment
In Java, RBAC is implemented through the Java Security Manager and application roles.
- Permissions are assigned to roles like USER, ADMIN
- Used in web and enterprise Java applications
Example: Admin role can access admin APIs; User role cannot.
Summary
- RBAC = Access based on roles
- Core RBAC = Basic model
- Hierarchical RBAC = Role inheritance
- Static Constraint = Checked at assignment time
- Dynamic Constraint = Checked at runtime
- RBAC vs DAC vs MAC = Role vs Owner vs System
- RBAC used in enterprises, UNIX, Java, WFMS