RBAC Essentials


A Role Based Access Control (RBAC) model is an essential Enterprise Information Management foundation.

A Role Based Access Control (RBAC) model attaches business defined roles to classifications of content. When the content is defined in a functional model structure the RBAC model fits extremely well and becomes an elegant and simple way to implement secure access.

The first step in implementing an RBAC model is to define a strong functional model. By strong I mean not a mix of subject and functional, but as close to a functional model as possible. That is to say organize your high-level folders according to their purpose, not the subject they are about.  

Once the functional structure is created then to each function, sub-function or folder, assign roles the business will use to access that content at that level and at any level below that. Roles would be like a "Manager", "Director" or employees or "Staff" for a business area.  Access would be Read-only, Write, Delete or Administrate.  

Access to documents is via a role not by individual permissions.  Employees, contractors or vendors gain access to folders and documents by being assigned to a role.  The role then gives them access to all folders and documents to which that role has been attached.

When new people are added to the organization they are added to roles and this gives them instant access to the documents. When they are terminated from an organization or no longer need access to the content, they are removed from roles and this instantly removes them from access to the content.

Examples of roles include: CEO, CEO Executive Administrator, CFO, Senior Financial Manager, Director, or Finance Staff. These are names defined by the business area and are created while reviewing the functional structure and who is expected to have access to which content.

Adding or removing people from roles is a responsibility of the business area and an organization should use a tool that allows business teams to manage these roles on the organization's directory access structure.  

We couldn't find a tool that provides this simple functionality so we built one.  Essentially it provides a simplified view for a business area of the roles to which they have authority to manipulate and allows them to add and remove people from these roles.  When selecting people they can must choose from either the internal or external branch of the corporate directory.

The tool has a substantial amount of security built into, to provide complete auditability to changes made to the access control for business content.  For example when staff are added to roles, a notification is sent to two senior managers, and the manager for information security in the organization, as a precaution against conflict of interest from senior managers who have access change request authority, improperly requesting access be provided to themselves.

Adding or remove roles and role assignments to folders should be left as the responsibility of the content server tool technical administration team, often called the systems administration team.

Business area changes to roles or role assignments to folder structures should be discussed and reviewed with both the Information Management and Information Technology teams.  This review should be brief and straightforward and confined to ensuring access control standards and naming standards are followed consistently in the organization.  

There is much to be discussed about the RBAC model for an Enterprise Information Management program, but the important summary points are that it works most elegantly and simply on a Functional Model. Secondly, roles are defined and self administered by the business area for adding and removing staff.