> I would like to know more about RBAC, like what RBAC is and what can be
> achieved with RBAC.
>
> Can anyone please share some good topics about this, as I am getting so many and
> the information mentioned in them is different.
I can imagine. RBAC (Role Based Access Control) was created on the idea that what systems, applications and entitlements you need should be based on your job function. It's a way of mapping business policies to technical authorizations. An example would be that someone in accounts payable shouldn't have access to the same systems as someone from accounts receivable. So in RBAC terms you would have a "Role" called "Accounts Payable" that might map to groups in a directory for "access to check system" and "access to vendor system", but another "Role" called "Accounts Receivable" that has access to other groups. Then you have something to audit against: "Why does someone with Role X have groups that aren't tied to that role?"

In practice, this rarely works. Few enterprises do a good enough job of defining the roles and responsibilities for their employees at an HR level, so trying to enforce those roles in technology is hopeless. Also, RBAC models are very rigid and hard to change, so if you need to grant someone access to a system that's "one off" to get something done, it breaks the entire model (unless your technology can handle it). What often happens is you get into a situation where every user could have their own role, completely breaking the RBAC model.

In my decade plus of identity management implementations across pretty much every vendor and several industries, I can't think of any RBAC based models that were successful, but several that were complete failures. I was told going into a meeting at one large customer: "Don't even mention RBAC or the meeting will be ended and we'll be out."

Hope that helps

Thanks
Marc

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
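The role-to-group mapping and the audit question from Marc's reply ("why does someone with Role X have groups that aren't tied to that role?"), as an added worked example that is not part of the original thread or of FreeIPA itself. Role names, group names and users are constructed for illustration; the role model is a plain dictionary rather than a directory query. It also shows the two failure modes the reply describes: a one-off grant that is flagged as excess unless it is recorded as an explicit exception, and a simple check for "every user is effectively their own role".

```python
"""Toy RBAC audit: roles map to directory groups; users hold roles and actual groups."""

# Constructed sample role model (hypothetical names). A role is the set of
# directory groups that a job function is entitled to.
ROLE_GROUPS = {
    "Accounts Payable": {"check-system-users", "vendor-system-users"},
    "Accounts Receivable": {"invoicing-users", "collections-users"},
}

# Constructed sample directory state: each user's assigned role(s) and the
# groups they actually hold. bob has a "one off" grant outside his role;
# carol is missing a group her role entitles her to.
USERS = {
    "alice": {"roles": {"Accounts Payable"},
              "groups": {"check-system-users", "vendor-system-users"}},
    "bob":   {"roles": {"Accounts Receivable"},
              "groups": {"invoicing-users", "collections-users", "vendor-system-users"}},
    "carol": {"roles": {"Accounts Payable"},
              "groups": {"check-system-users"}},
}


def entitled_groups(roles, role_groups=ROLE_GROUPS):
    """Union of the groups granted by all of a user's roles."""
    groups = set()
    for role in roles:
        groups |= role_groups.get(role, set())
    return groups


def audit_user(roles, groups, exceptions=frozenset(), role_groups=ROLE_GROUPS):
    """Return (excess, missing) for one user.

    excess  = groups held that no assigned role grants (minus documented exceptions)
    missing = groups a role grants that the user does not actually hold
    """
    entitled = entitled_groups(roles, role_groups)
    excess = groups - entitled - exceptions
    missing = entitled - groups
    return excess, missing


def audit(users, exceptions=None, role_groups=ROLE_GROUPS):
    """Audit every user; return findings only for users that deviate from their roles.

    `exceptions` maps user -> set of groups that were granted as documented
    one-offs. Without such a record the one-off shows up as an RBAC violation,
    which is exactly the "breaks the model" problem described in the reply.
    """
    exceptions = exceptions or {}
    findings = {}
    for user, rec in users.items():
        excess, missing = audit_user(
            rec["roles"], rec["groups"],
            frozenset(exceptions.get(user, ())), role_groups,
        )
        if excess or missing:
            findings[user] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


def role_explosion(users, role_groups=ROLE_GROUPS):
    """Return (distinct entitlement sets, defined roles).

    When the first number approaches the number of users, each user has in
    effect become their own role and the RBAC model has collapsed.
    """
    distinct = {frozenset(rec["groups"]) for rec in users.values()}
    return len(distinct), len(role_groups)


if __name__ == "__main__":
    print("findings, no exceptions:", audit(USERS))
    print("findings, bob's one-off recorded:",
          audit(USERS, {"bob": {"vendor-system-users"}}))
    print("distinct entitlement sets vs roles:", role_explosion(USERS))
```

In the constructed data, a plain audit flags bob for holding vendor-system-users outside his role and carol for lacking a group her role grants; recording bob's grant as an exception clears his finding while carol's remains. The three users already hold three distinct group sets against two defined roles, which is the "every user could have their own role" drift the reply warns about.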
