Overview
Role-Based Access Control (RBAC) is an access control mechanism that restricts network access based on the roles of individual users within an organization. Instead of assigning permissions directly to users (which is unmanageable at scale), permissions are grouped into "Roles" (e.g., "Nurse", "Teller", "Cloud Admin"). Users are assigned roles, and they inherit all associated permissions.
RBAC simplifies administration: when a user changes jobs, you swap their role. When a business process changes, you update the role, and all users update automatically. It is the cornerstone of scalable identity governance.
Architecture
Reference Pattern: The RBAC Hierarchy
The standard model separates Business Roles (Who you are) from Technical/IT Roles (What you can do).
(Diagram placeholder: User -> Business Role -> IT Role -> entitlements; the image did not survive extraction.)
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Role Modeling Approach | Top-down, Bottom-up, Hybrid | Hybrid | Top-down (HR logic) for birthright. Bottom-up (Mining) for specialized access. |
| Granularity | Coarse (Dept), Fine (Task) | Balanced | Too coarse = excessive access. Too fine = "Role Explosion" (more roles than users). |
| Ownership | IT Owned, Business Owned | Business Owned | IT doesn't know what a "Claims Adjuster" needs. The business must define the role. |
| Role Hierarchy | Flat, Nested | Limited Nesting | Keep hierarchy shallow (User -> Business Role -> IT Role). Deep nesting is a nightmare to audit. |
| Maintenance | Ad-hoc, Periodic Review | Scheduled Certification | Roles rot over time. Review role definitions annually. |
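The three-tier reference pattern and the "limited nesting" decision above, shown as a small catalogue with a depth check and a flattening routine. This is an added example, not code from the original page or from any IGA product; the role names, entitlement strings and the `MAX_NESTING` limit are assumptions chosen to illustrate the User -> Business Role -> IT Role shape.

```python
from dataclasses import dataclass, field

# Constructed three-tier catalogue (User -> Business Role -> IT Role -> entitlement);
# role and entitlement names are hypothetical.
MAX_NESTING = 1   # a business role may contain IT roles; nothing deeper (assumed policy)


@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)   # concrete grants, held by IT roles
    children: set = field(default_factory=set)       # nested role names, used by business roles


ROLES = {
    # IT roles: what you can do
    "it.erp.ap_clerk": Role("it.erp.ap_clerk", {"erp:invoice:create", "erp:invoice:view"}),
    "it.erp.ap_approver": Role("it.erp.ap_approver", {"erp:invoice:approve", "erp:invoice:view"}),
    "it.mail.standard": Role("it.mail.standard", {"mail:mailbox:own"}),
    # Business roles: who you are
    "biz.all_employee": Role("biz.all_employee", children={"it.mail.standard"}),
    "biz.ap_clerk": Role("biz.ap_clerk", children={"it.erp.ap_clerk"}),
    "biz.ap_manager": Role("biz.ap_manager", children={"it.erp.ap_approver"}),
    # A business role built from other business roles: one level too deep for the policy
    "biz.finance_super": Role("biz.finance_super", children={"biz.ap_clerk", "biz.ap_manager"}),
}


def nesting_depth(role_name, roles=ROLES, _path=()):
    """0 for a leaf IT role, 1 for a business role holding IT roles, and so on. Rejects cycles."""
    if role_name in _path:
        raise ValueError(f"cycle through {role_name}")
    role = roles[role_name]
    if not role.children:
        return 0
    return 1 + max(nesting_depth(c, roles, _path + (role_name,)) for c in role.children)


def validate_hierarchy(roles=ROLES, max_nesting=MAX_NESTING):
    """Findings for roles that violate the limited-nesting rule."""
    return [f"{name}: nesting depth {nesting_depth(name, roles)} exceeds {max_nesting}"
            for name in roles if nesting_depth(name, roles) > max_nesting]


def effective_entitlements(user_roles, roles=ROLES):
    """Flatten a user's assigned roles into the concrete entitlements to provision."""
    granted, stack, seen = set(), list(user_roles), set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        granted |= role.entitlements
        stack.extend(role.children)
    return granted


def provenance(user_roles, roles=ROLES):
    """Audit view: each entitlement mapped to the assigned role(s) that bring it in."""
    origin = {}
    for top in user_roles:
        for ent in effective_entitlements([top], roles):
            origin.setdefault(ent, set()).add(top)
    return origin


if __name__ == "__main__":
    print(validate_hierarchy())
    print(sorted(effective_entitlements(["biz.all_employee", "biz.ap_clerk"])))
    print(provenance(["biz.ap_clerk", "biz.ap_manager"]))
```

`provenance` is the part an auditor actually needs: with shallow nesting every entitlement traces back to one or two business roles in a single hop, which is exactly what deep hierarchies make hard.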
Implementation
Phase 1: Birthright Roles
- Create "All Employee" and Department-level roles.
- Map these to HR attributes (Job Code, Department).
- Automate assignment via IGA.
- Goal: Automate 50-60% of common access.
Phase 2: Role Mining & Engineering
- Analyze existing access patterns to find clusters.
- Define Functional Roles (e.g., "Accounts Payable Clerk").
- Validate candidate roles with business owners.
- Goal: Replace direct entitlement assignment with role-based assignment.
Phase 3: Dynamic & Policy-Based
- Introduce ABAC (Attribute-Based) constraints to roles (e.g., "Only valid 9-5").
- Implement role lifecycle management (retiring unused roles).
- Goal: Context-aware access and hygiene.
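The three phases above carried through on one constructed data set: birthright roles derived from HR attributes (Phase 1), candidate functional roles mined by clustering residual entitlements (Phase 2), and a functional role carrying a time-window constraint (Phase 3). This is an added example, not the page's or any vendor's code; the HR feed, job codes, entitlement names, the `min_users` threshold and the 9-5 window are assumptions.

```python
from datetime import datetime

# Constructed HR feed and current direct assignments (hypothetical job codes,
# departments and entitlement names; not from any real IGA product).
HR = {
    "u1": {"dept": "finance", "job_code": "FIN-AP-01"},
    "u2": {"dept": "finance", "job_code": "FIN-AP-01"},
    "u3": {"dept": "finance", "job_code": "FIN-AP-01"},
    "u4": {"dept": "finance", "job_code": "FIN-CTRL"},
    "u5": {"dept": "hr", "job_code": "HR-GEN"},
}
DIRECT = {
    "u1": {"erp:invoice:create", "erp:invoice:view", "mail:mailbox:own"},
    "u2": {"erp:invoice:create", "erp:invoice:view", "mail:mailbox:own"},
    "u3": {"erp:invoice:create", "erp:invoice:view", "mail:mailbox:own", "erp:vendor:edit"},
    "u4": {"erp:invoice:approve", "erp:invoice:view", "mail:mailbox:own"},
    "u5": {"hris:record:view", "mail:mailbox:own"},
}

# Phase 1: birthright roles derived from HR attributes (predicate, role).
BIRTHRIGHT_RULES = [
    (lambda hr: True, "biz.all_employee"),
    (lambda hr: hr["dept"] == "finance", "biz.finance_dept"),
    (lambda hr: hr["dept"] == "hr", "biz.hr_dept"),
]
BIRTHRIGHT_ENTS = {
    "biz.all_employee": {"mail:mailbox:own"},
    "biz.finance_dept": set(),
    "biz.hr_dept": {"hris:record:view"},
}


def birthright_roles(hr_record):
    """Roles a user receives automatically from the HR feed; no request or approval involved."""
    return {role for pred, role in BIRTHRIGHT_RULES if pred(hr_record)}


# Phase 2: role mining. Subtract what birthright already covers, then cluster
# users whose residual entitlement sets are identical.
def mine_candidate_roles(direct, hr, min_users=2):
    clusters = {}
    for uid, ents in direct.items():
        covered = set().union(*(BIRTHRIGHT_ENTS[r] for r in birthright_roles(hr[uid])))
        residual = frozenset(ents - covered)
        if residual:
            clusters.setdefault(residual, set()).add(uid)
    # Clusters below min_users are exceptions; giving each its own role is how role explosion starts.
    return {ents: users for ents, users in clusters.items() if len(users) >= min_users}


# Phase 3: functional roles, one of them with an ABAC constraint (valid only 9-5).
FUNCTIONAL_ROLES = {
    "biz.ap_clerk": {"entitlements": {"erp:invoice:create", "erp:invoice:view"}, "hours": (9, 17)},
    "biz.ap_manager": {"entitlements": {"erp:invoice:approve", "erp:invoice:view"}, "hours": None},
}


def role_active(role_name, at):
    """True if the role's entitlements should be honoured at time `at` (datetime or ISO 8601 string)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    window = FUNCTIONAL_ROLES[role_name]["hours"]
    if window is None:
        return True
    start, end = window
    return start <= at.hour < end


if __name__ == "__main__":
    for uid in HR:
        print(uid, sorted(birthright_roles(HR[uid])))
    for ents, users in mine_candidate_roles(DIRECT, HR).items():
        print("candidate role:", sorted(ents), "for", sorted(users))
    print(role_active("biz.ap_clerk", "2024-03-12T10:00:00"), role_active("biz.ap_clerk", "2024-03-12T18:00:00"))
```

On this data the miner proposes exactly one candidate (the two users sharing create/view), leaves `u3`'s extra `erp:vendor:edit` as an exception to be handled by request rather than by a new role, and leaves `u4` alone because a single user is not a pattern. The candidate still has to be validated with the business owner before it becomes `biz.ap_clerk`.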
Risks
- Role Explosion: Creating a custom role for every user exception. You end up with 1,000 users and 1,200 roles.
- Toxic Combinations: A single role containing conflicting permissions (SoD violation within the role definition).
- Role Creep: Adding new permissions to a role over time but never removing old ones. The role becomes "God mode" slowly.
- Stale Definitions: The "Analyst" role still grants access to a system decommissioned 3 years ago.
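The four risks above as checks that can run over a role catalogue during a scheduled certification: toxic combinations (SoD rule fully contained in one definition), stale definitions (entitlements on decommissioned systems), role creep (entitlements no holder has exercised in a long time) and unused roles ready for retirement. This is an added example, not the page's or any product's code; the catalogue, the SoD rule, the usage dates and the 365-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed role catalogue and usage evidence (hypothetical systems and
# entitlement names); the checks are illustrative, not an IGA product's engine.
ROLES = {
    "analyst": {"entitlements": {"legacy_dw:query", "bi:dashboard:view"}, "assigned": 40},
    "ap_clerk": {"entitlements": {"erp:invoice:create", "erp:invoice:approve", "erp:invoice:view"}, "assigned": 12},
    "contractor_x": {"entitlements": {"vpn:connect"}, "assigned": 0},
}
# Entitlement sets that must never sit together in one role definition (SoD), with a reason
SOD_RULES = [
    ({"erp:invoice:create", "erp:invoice:approve"}, "create and approve the same invoice"),
]
DECOMMISSIONED_SYSTEMS = {"legacy_dw"}
# Last date any holder exercised each entitlement (would come from access logs; constructed here)
LAST_USED = {
    "bi:dashboard:view": date(2024, 5, 1),
    "erp:invoice:view": date(2024, 5, 1),
    "erp:invoice:create": date(2024, 5, 1),
    "erp:invoice:approve": date(2023, 1, 10),
    "vpn:connect": date(2024, 4, 1),
}


def lint_roles(roles, sod_rules, decommissioned, last_used, today, unused_days=365):
    """Return sorted (role, finding_type, detail) tuples for a role-definition review."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for name, role in roles.items():
        ents = role["entitlements"]
        for pair, reason in sod_rules:
            if pair <= ents:   # toxic combination inside the definition itself
                findings.append((name, "toxic_combination", reason))
        for ent in ents:
            system = ent.split(":", 1)[0]
            if system in decommissioned:
                findings.append((name, "stale_definition", ent))
                continue
            used = last_used.get(ent)
            if used is None or (today - used).days > unused_days:
                findings.append((name, "role_creep", ent))   # granted, but nobody uses it
        if role["assigned"] == 0:
            findings.append((name, "unused_role", "no assignments; candidate for retirement"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_roles(ROLES, SOD_RULES, DECOMMISSIONED_SYSTEMS, LAST_USED, "2024-06-01"):
        print(*finding)
```

The SoD check is deliberately on the role definition, not on the user: a user holding two conflicting roles is a different (and more common) finding, but a single role that is toxic on its own will violate SoD for every holder at once.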
KPIs
- Role Coverage: Percentage of total entitlements granted via roles vs. direct assignment (Target: > 80%).
- Users per Role: Average number of users assigned to a role (Higher is generally better for standardization).
- Role Count Trend: Is the number of roles increasing faster than the user base? (Sign of explosion).
- Role Certification Rate: Percentage of role definitions reviewed/approved by owners annually.
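The four KPIs above computed from an IGA snapshot, with the page's 80% coverage target applied. This is an added example, not the page's or any product's code; the assignments, role history and certification dates are constructed, and coverage is counted as user-entitlement grants so that a direct grant already covered by a role is not double-counted (an assumption about the metric's definition).

```python
from datetime import date
from statistics import mean

# Constructed IGA snapshot (hypothetical users, roles and entitlements).
ASSIGNMENTS = {                       # user -> roles held
    "u1": {"ap_clerk", "all_employee"},
    "u2": {"ap_clerk", "all_employee"},
    "u3": {"all_employee"},
    "u4": {"ap_manager", "all_employee"},
}
ROLE_ENTS = {
    "ap_clerk": {"erp:create", "erp:view"},
    "ap_manager": {"erp:approve", "erp:view"},
    "all_employee": {"mail"},
}
DIRECT = {"u3": {"erp:vendor:edit", "erp:view"}, "u4": {"bi:view"}}   # user -> direct entitlements
LAST_CERTIFIED = {"ap_clerk": date(2024, 2, 1), "ap_manager": None, "all_employee": date(2024, 1, 15)}
HISTORY = [(date(2023, 1, 1), 300, 400), (date(2024, 1, 1), 420, 440)]   # (snapshot, role_count, user_count)


def role_coverage(assignments, role_ents, direct):
    """Percentage of user-entitlement grants delivered through roles rather than directly."""
    via = 0
    residual_direct = 0
    for uid, roles in assignments.items():
        from_roles = set().union(*(role_ents[r] for r in roles))
        via += len(from_roles)
        residual_direct += len(direct.get(uid, set()) - from_roles)
    total = via + residual_direct
    return 100.0 * via / total if total else 100.0


def users_per_role(assignments, role_ents):
    """Average number of users holding each defined role (zero-holder roles count)."""
    holders = {r: 0 for r in role_ents}
    for roles in assignments.values():
        for r in roles:
            holders[r] += 1
    return mean(holders.values())


def role_count_trend(history):
    """Compare growth of the role count with growth of the user base between first and last snapshot."""
    (_, r0, u0), (_, r1, u1) = history[0], history[-1]
    role_growth = round(r1 / r0 - 1, 3)
    user_growth = round(u1 / u0 - 1, 3)
    return {"role_growth": role_growth, "user_growth": user_growth,
            "explosion_warning": role_growth > user_growth}


def certification_rate(last_certified, today, window_days=365):
    """Percentage of role definitions reviewed by their owner within the window."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    certified = sum(1 for d in last_certified.values() if d and (today - d).days <= window_days)
    return 100.0 * certified / len(last_certified)


def kpi_report(today, coverage_target=80.0):
    cov = role_coverage(ASSIGNMENTS, ROLE_ENTS, DIRECT)
    return {
        "role_coverage_pct": round(cov, 1),
        "coverage_meets_target": cov >= coverage_target,
        "users_per_role": round(users_per_role(ASSIGNMENTS, ROLE_ENTS), 2),
        "trend": role_count_trend(HISTORY),
        "certification_rate_pct": round(certification_rate(LAST_CERTIFIED, today), 1),
    }


if __name__ == "__main__":
    print(kpi_report("2024-06-01"))
```

On this snapshot coverage lands just under the target and the role count grew four times faster than the user base, which is the explosion signal the Risks section describes; the two findings together usually mean exceptions are being turned into roles instead of being handled as direct, time-limited requests.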
