


I think where people get into trouble with RBAC is in taking it too literally and too strictly. Dingle hits the nail on the head when she talks about the importance of mapping roles and rules. I'm currently in the midst of my first IAM engagement where I'm trying to help my client get a start on RBAC. However, rather than devolve into turgid rhetoric on subjects, objects, etc., I've instead focused on roles being logical groups of people with a shared set of access needs. Who gets that role is then based, in part, on the rules associated with accessing those resources, while also co-signed by a responsible manager who can attest to an individual's legitimate business need for access. Thus, I have individuals mapping to roles, resources mapping to access groups, and then roles having multiple access groups to their credit, with the corresponding business rules governing who can have the role. I think this diverges from the traditional RBAC approach, but feels much more effective to me.
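As an added illustration (not code from the original post or from any product the author was using), the model described above can be written down as a small Python engine: individuals map to roles, resources map to access groups, each role bundles several access groups, and a role is assigned only when the business rule for that role passes and the individual's own manager has attested to the need. All names, departments, roles and resources below are constructed for the example.

```python
"""Toy RBAC engine: users -> roles -> access groups -> resources, with a
business-rule eligibility check and a manager attestation gating each role
assignment. Added example; every identifier here is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    department: str
    employment: str   # "employee" or "contractor" (constructed attribute)
    manager: str      # the one manager allowed to co-sign this user's access


@dataclass
class Role:
    name: str
    access_groups: Set[str]            # a role carries several access groups
    eligible: Callable[[User], bool]   # business rule: who may hold the role


class Rbac:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.resource_groups: Dict[str, Set[str]] = {}   # resource -> groups granting it
        self.assignments: Dict[str, Set[str]] = {}       # user name -> role names
        self.attestations: Set[Tuple[str, str]] = set()  # (user, role) co-signed by manager

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def map_resource(self, resource: str, group: str) -> None:
        self.resource_groups.setdefault(resource, set()).add(group)

    def attest(self, manager: str, user: User, role_name: str) -> bool:
        """Record a manager's co-signature; only the user's own manager counts."""
        if manager != user.manager:
            return False
        self.attestations.add((user.name, role_name))
        return True

    def assign_role(self, user: User, role_name: str) -> str:
        """Grant the role only if the rule passes AND the manager has attested."""
        role = self.roles[role_name]
        if not role.eligible(user):
            return "ineligible"          # business rule fails
        if (user.name, role_name) not in self.attestations:
            return "unattested"          # responsible manager has not co-signed
        self.assignments.setdefault(user.name, set()).add(role_name)
        return "assigned"

    def groups_for(self, user: User) -> Set[str]:
        groups: Set[str] = set()
        for role_name in self.assignments.get(user.name, ()):
            groups |= self.roles[role_name].access_groups
        return groups

    def can_access(self, user: User, resource: str) -> bool:
        """Access is granted when any of the user's groups maps to the resource."""
        return bool(self.groups_for(user) & self.resource_groups.get(resource, set()))


def demo() -> Dict[str, object]:
    """Walk through the model with constructed users, roles and resources."""
    rbac = Rbac()
    rbac.add_role(Role("payroll-analyst", {"hr-read", "payroll-write"},
                       lambda u: u.department == "Finance" and u.employment == "employee"))
    rbac.add_role(Role("directory-reader", {"hr-read"},
                       lambda u: u.department in {"HR", "Finance"}))
    rbac.map_resource("payroll-db", "payroll-write")
    rbac.map_resource("employee-directory", "hr-read")

    alice = User("alice", "Finance", "employee", manager="bob")
    carol = User("carol", "Finance", "contractor", manager="bob")

    out: Dict[str, object] = {}
    out["alice_before_attest"] = rbac.assign_role(alice, "payroll-analyst")   # "unattested"
    out["wrong_manager"] = rbac.attest("dave", alice, "payroll-analyst")      # False
    rbac.attest("bob", alice, "payroll-analyst")
    out["alice_after_attest"] = rbac.assign_role(alice, "payroll-analyst")    # "assigned"
    rbac.attest("bob", carol, "payroll-analyst")
    out["carol_payroll"] = rbac.assign_role(carol, "payroll-analyst")         # "ineligible"
    rbac.attest("bob", carol, "directory-reader")
    out["carol_directory"] = rbac.assign_role(carol, "directory-reader")      # "assigned"
    out["alice_payroll_db"] = rbac.can_access(alice, "payroll-db")            # True
    out["carol_payroll_db"] = rbac.can_access(carol, "payroll-db")            # False
    out["carol_directory_read"] = rbac.can_access(carol, "employee-directory")  # True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two gates in `assign_role` are deliberately separate: the eligibility rule is a property of the role, while the attestation is a per-person, per-role record tied to the one manager responsible for that person, so a rule that passes cannot by itself confer access, and a manager cannot co-sign for someone who is not their report.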
