Role-based access control has benefits for security
Aug 1, 2001 12:00 PM, Laurie Murrell
Businesses can group individual users into assigned groups that map their job responsibilities or common security privileges. Managing limited numbers of groups is simpler than managing hundreds to millions of individual users.
The Cincinnati Insurance Companies (CIC), subsidiaries of Cincinnati Financial, provide a range of home, auto, business and life insurance services. To strengthen service, the organization is moving its forms and manuals online and enabling its 965 insurance agencies to purchase or modify insurance policies for customers via the Internet.
Ensuring e-security in such an application, however, can seem like a daunting task. Financial institutions and insurance companies, as a rule, serve a variety of individuals with varying backgrounds and needs — from large corporate customers, to small businesses, to individual customers and vendors. The needs of users in each of these groups vary even more.
E-businesses can employ role-based access control (RBAC) to manage increasingly large numbers of users securely. Using RBAC, businesses can group individual users into assigned groups that map their job responsibilities or common security privileges and therefore manage limited numbers in groups as opposed to managing hundreds to millions of individual users. In turn, businesses can pass these roles and security policies to delegated administrators within the company or to their partner organizations, which can efficiently control and manage their own groups of users. As a result, users gain access to only that information they need to complete their jobs, and privacy of data is protected.
In using this technology, the Cincinnati Insurance Companies have centrally defined users' roles based on individual applications. For each application the company makes available on the Web, a corresponding role is created. The company has also created a delegated administrator role, which grants the power to create, modify and delete individual users and their assigned roles. CIC assigns each of its agencies a delegated administrator responsible for managing the users (employees) at that agency. These delegated administrators are responsible for ensuring the proper roles are assigned to each user at the agency to grant secure, proper access to CIC's Web resources.
Roles
Roles can be created and managed by grouping together access privileges and administrative capabilities that meet the access needs of users in a group. Often, roles are based on job responsibilities. When a sales agent, for example, signs on as a new user, the person is assigned the appropriate role that automatically allows access to all Web applications and services needed to perform the job. It is an easy, efficient way to set access privileges for users. It also provides an efficient mechanism for altering access privileges for common groups of users in the future. If a company needs to modify the privileges of sales agents for any reason, an administrator can simply modify the role, meaning the privileges of all sales agents will be updated. Depending on the needs of a company, roles can be centrally created and stored, or each organization can be responsible for creating and modifying its own roles through role hierarchies.
Role hierarchies
Like multi-role support, role hierarchies are key to efficient Web access control.
Role hierarchies enable the assignment of roles to individual organizations, which allows the roles to be customized to fit the needs of each organization. To ensure the highest levels of security, delegated administrators can grant access to only those privileges that they themselves have been granted. The top-down hierarchy creates a secure, efficient model for organizations to modify roles to meet their needs without circumventing the limitations of their Web access.
Delegated administration
Delegated administration is the key to managing rapid user growth. It allows a company to delegate user management to the lowest logical level within an organization. This concept applies to both internal and external organizations.
A company offering online services, for example, can delegate user management to individual managers of internal departments. Those managers become responsible for creating users while assigning, creating, and modifying roles solely for their group.
This concept also applies to external organizations. A company's business partners, suppliers and customers can manage users in exactly the same way — by delegating management. Because no delegated administrator can assign any privilege that they themselves have not been assigned, security is maintained no matter how many levels are created in a hierarchy.
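The three mechanisms above (roles as bundles of privileges, role hierarchies, and delegated administrators who can only hand out what they themselves hold) can be shown in a few dozen lines. The following is an added illustration written for this article, not CIC's or OpenNetwork's software; the agency number, user names and application roles are constructed. It models CIC's one-role-per-application layout, an agency's delegated administrator, the rejected attempt to assign a role the administrator was never granted, a custom job-function role composed from held roles, and a central change to one role reaching every user who holds it directly or through the hierarchy.

```python
from dataclasses import dataclass, field


class DelegationError(Exception):
    """A delegated administrator tried to hand out a privilege they do not hold."""


@dataclass(eq=False)
class Role:
    name: str
    privileges: set = field(default_factory=set)  # e.g. "app:forms"
    parents: list = field(default_factory=list)   # roles this role inherits from

    def effective_privileges(self) -> set:
        # Own privileges plus everything inherited up the hierarchy.
        privs = set(self.privileges)
        for parent in self.parents:
            privs |= parent.effective_privileges()
        return privs


@dataclass(eq=False)
class User:
    name: str
    roles: list = field(default_factory=list)

    def effective_privileges(self) -> set:
        privs = set()
        for role in self.roles:
            privs |= role.effective_privileges()
        return privs


def _check_delegation(admin: User, privileges: set, what: str) -> None:
    # The top-down rule: an admin may never grant more than they hold.
    missing = privileges - admin.effective_privileges()
    if missing:
        raise DelegationError(f"{admin.name} cannot {what}: not granted {sorted(missing)}")


def assign_role(admin: User, target: User, role: Role) -> None:
    """Assign a role, allowed only if the admin holds every privilege it carries."""
    _check_delegation(admin, role.effective_privileges(), f"assign {role.name!r}")
    if role not in target.roles:
        target.roles.append(role)


def create_role(admin: User, name: str, privileges=(), parents=()) -> Role:
    """Let an admin compose a custom (e.g. job-function) role from what they hold."""
    role = Role(name, set(privileges), list(parents))
    _check_delegation(admin, role.effective_privileges(), f"create {name!r}")
    return role


def run_scenario() -> dict:
    # Constructed data: one role per Web application, as in CIC's layout.
    quote = Role("quote-app", {"app:quote"})
    policy = Role("policy-app", {"app:policy"})
    forms = Role("forms-app", {"app:forms"})
    claims = Role("claims-app", {"app:claims"})  # never delegated to agencies

    # The central administrator holds user management plus every application.
    central = Role("central-admin", {"admin:manage-users"},
                   parents=[quote, policy, forms, claims])
    cic_admin = User("cic-admin", [central])

    # Delegated-administrator role for an agency: user management plus the
    # application roles that agency may hand out (claims deliberately absent).
    agency_admin = create_role(cic_admin, "agency-admin", {"admin:manage-users"},
                               parents=[quote, policy, forms])
    alice = User("alice@agency-4711")
    assign_role(cic_admin, alice, agency_admin)

    results = {}
    bob = User("bob@agency-4711")
    assign_role(alice, bob, forms)            # inside Alice's grant: allowed
    results["bob"] = sorted(bob.effective_privileges())

    try:
        assign_role(alice, bob, claims)       # outside Alice's grant: rejected
        results["claims_blocked"] = False
    except DelegationError:
        results["claims_blocked"] = True

    # A job-function role built from roles Alice already holds.
    assistant = create_role(alice, "administrative assistant", parents=[quote, forms])
    carol = User("carol@agency-4711")
    assign_role(alice, carol, assistant)

    # A central change to one role reaches everyone holding it, directly or
    # through the hierarchy, with no per-user update.
    forms.privileges.add("app:manuals")
    results["carol"] = sorted(carol.effective_privileges())
    results["bob_after_update"] = sorted(bob.effective_privileges())
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The single check in `_check_delegation` is what keeps the model safe at any depth: because every assignment and every custom role is compared against the delegating administrator's own effective privileges, an agency administrator can subdivide what CIC granted but cannot widen it, which is the property the article relies on when it says security holds no matter how many levels the hierarchy has.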
How it worked for CIC
The one-to-one role-to-application relationship works well for CIC. As its Web services grow and evolve, however, the company may wish to modify the role-creation method. In the future, it may make more sense for the company to create roles that reflect the total needs of a particular type of user (as mentioned before, this is typically done by job responsibility).
For example, the company could create an “administrative assistant” role, which would be given access to all the applications someone in that role would need to use. The delegated administrator at an insurance agency could simply assign a single role, “administrative assistant,” to a user, who would be granted the full set of access privileges assigned to that role.
Additionally, if CIC decides to empower delegated administrators to create customized roles for their organizations, it can make that change within its existing security infrastructure; RBAC gives the Cincinnati Insurance Companies the flexibility to do so easily.
CIC is reaping the benefits of RBAC, which provides the mechanism needed to create roles and delegate management of individual users out to each insurance agency. CIC is well-positioned to manage growth and can make changes to roles as its Web services evolve and as the needs of its customers change.
For the record
About the author
This article was written by Laurie Murrell, a strategic marketing manager for OpenNetwork Technologies, a developer of e-business security software.
Benefits of RBAC
Role-based access control (RBAC) offers e-businesses a secure method for efficiently managing Web users. Benefits of an RBAC solution include:
Increased security: Users' profiles and privileges can be modified rapidly if delegated administrators manage them. Changing policies and updating user profiles in a timely manner can help maintain high levels of security.
Security of complex organizations: RBAC provides the ability to model complex organizations through the creation of roles and the delegation of their administration. Changes can be made quickly as an organization and its security policies evolve.
Reduced complexity: Distributing administration to delegated administrators is a centralized method for managing large groups of users, thus reducing the complexity of the process.
Reduced costs: Administering Web authorization data is cumbersome and can create a long-term financial burden. By using delegated administrators, a company can outsource the workload to administrators within customer, supplier and partner organizations, ultimately reducing costs.
© 2008 Penton Media Inc.