HI Marc,

thanks for the explanation.

can you please share some kind of implementation guide for this?



On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein <
marc.boorsht...@tremolosecurity.com> wrote:

> > I would like to know more about RBAC. like what is RBAC and what can be
> > achieved with RBAC.
> >
> > anyone please share some good topics about this as i am getting so many
> and
> > the information's mentioned on those are different.
>
> I can imagine.  RBAC (Role Based Access Control) was created on the
> idea that what systems, applications and entitlements you need should
> be based on your job function.  Its a way of mapping business policies
> to to technical authorizations.  An example would be that someone in
> accounts payable shouldn't have access to the same systems as someone
> from accounts receivable.  So in RBAC terms you would have a "Role"
> called "Accounts Payable" that might map to groups in a directory for
> "access to check system" and "access to vendor system" but another
> "Role" called Accounts Receivable that has access to other groups.
> Then you have something to audit against "Why does someone with Role X
> have groups that aren't tied to that role?".
>
> In practice, this rarely works.  Few enterprises do that good of a job
> defining the roles and responsibilities for their employees at an HR
> level that trying to enforce those roles in technology is hopeless.
> Also, RBAC models are very rigid and hard to change so if you need to
> grant someone access to a system thats "one off" to get something done
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade plus of identity management implementations across pretty
> much every vendor and several industries I can't think of any RBAC
> based models that were successful, but several that were complete
> failures.  I was told going into a meeting at one large customer
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to