Ministry of digital technologies of the republic of
MamayusupovShodmon 712-19 (5)
RBAC for Distributed Systems
Authorization frameworks and standards are essential for implementing secure and scalable identity and access management (IAM) in a distributed system. One of the most common and flexible approaches is role-based access control (RBAC), which assigns permissions to roles rather than to individual users; users then obtain permissions only through the roles assigned to them. In this article, we explain the benefits and challenges of RBAC, how to design and model roles, and how to enforce and audit them across multiple services and platforms.

Benefits of RBAC.
RBAC simplifies the management of access policies by removing the need to assign permissions to each user separately. Instead, you define roles that reflect the functions and responsibilities of groups of users, such as administrators, managers, or customers, and grant or revoke permissions on those roles as needed without touching other users or permissions. RBAC also improves security and compliance: it limits exposure of sensitive data and actions to the roles that need them (least privilege), and because every permission is reachable only through a role, the role definitions and assignments form a clear audit trail of who can do what in the system.

Challenges of RBAC.
RBAC can be difficult to manage in a distributed system that consists of multiple services, platforms, and domains. Challenges include synchronizing and propagating role changes across the components and layers of the system without causing inconsistency or downtime; handling role inheritance, delegation, and constraints such as separation of duty; dealing with role explosion, where the number of roles grows until it can no longer be reviewed; and balancing the trade-off between centralized and decentralized role administration and enforcement.

Designing and modeling roles.
The first step in implementing RBAC is to design and model the roles your system needs. This involves identifying the actors, resources, actions, and conditions that are relevant to your access control requirements.
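The following is an added example, not code from the original text, showing the role model described above in working form: permissions attached to roles, a role hierarchy in which a senior role inherits the permissions of its junior roles, and a static separation-of-duty constraint that rejects a role assignment which would let one user both write and approve. The roles, permissions, users and the `report` resource are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str
    resource: str


class RBAC:
    """Hierarchical RBAC with a static separation-of-duty (SSD) constraint."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[Permission]] = {}
        self.juniors: dict[str, set[str]] = {}      # role -> roles whose permissions it inherits
        self.user_roles: dict[str, set[str]] = {}
        self.ssd_rules: list[tuple[frozenset[str], int]] = []

    def add_role(self, role: str, perms=(), inherits=()) -> None:
        missing = set(inherits) - self.role_perms.keys()
        if missing:
            raise KeyError(f"unknown junior roles {sorted(missing)}")
        self.role_perms[role] = {Permission(a, r) for a, r in perms}
        self.juniors[role] = set(inherits)

    def add_ssd(self, roles, max_roles: int = 1) -> None:
        """A user may hold at most `max_roles` of the given conflicting roles."""
        self.ssd_rules.append((frozenset(roles), max_roles))

    def effective_roles(self, roles) -> set[str]:
        # Walk the hierarchy: holding a senior role counts as holding every junior role.
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.juniors.get(r, ()))
        return seen

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(role)
        candidate = self.user_roles.get(user, set()) | {role}
        effective = self.effective_roles(candidate)   # SSD is checked on inherited roles too
        for conflict_set, limit in self.ssd_rules:
            held = effective & conflict_set
            if len(held) > limit:
                raise PermissionError(
                    f"{user!r} may hold at most {limit} of {sorted(conflict_set)}, would hold {sorted(held)}")
        self.user_roles[user] = candidate

    def permissions(self, user: str) -> set[Permission]:
        roles = self.effective_roles(self.user_roles.get(user, ()))
        return set().union(*(self.role_perms[r] for r in roles))

    def check(self, user: str, action: str, resource: str) -> bool:
        # Unknown users and unknown permissions fall through to deny.
        return Permission(action, resource) in self.permissions(user)


def build_demo() -> RBAC:
    rbac = RBAC()
    rbac.add_role("viewer", perms=[("read", "report")])
    rbac.add_role("editor", perms=[("write", "report")], inherits=["viewer"])
    rbac.add_role("approver", perms=[("approve", "report")], inherits=["viewer"])
    rbac.add_ssd(["editor", "approver"])   # nobody may both write and approve reports
    rbac.assign("alice", "editor")
    rbac.assign("bob", "approver")
    return rbac


def demo() -> dict:
    rbac = build_demo()
    try:
        rbac.assign("alice", "approver")       # violates the SSD rule
        conflict_rejected = False
    except PermissionError:
        conflict_rejected = True
    return {
        "alice_reads": rbac.check("alice", "read", "report"),      # inherited from viewer
        "alice_approves": rbac.check("alice", "approve", "report"),
        "bob_reads": rbac.check("bob", "read", "report"),
        "bob_writes": rbac.check("bob", "write", "report"),
        "conflict_rejected": conflict_rejected,
        "carol_reads": rbac.check("carol", "read", "report"),      # unknown user: denied
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the separation-of-duty check runs over the effective (inherited) role set, not just the directly assigned one; otherwise an administrator could bypass the rule by creating a senior role that inherits both conflicting roles.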
To help with this process, you can use stakeholder analysis to understand the needs and expectations of users and administrators; use case analysis to define and document the scenarios and workflows the system supports; entity-relationship modeling to create diagrams and schemas of the entities, attributes, and relationships in the system; and role engineering to analyze and group the permissions and constraints associated with each entity or relationship.

Enforcing and auditing roles.
The next step in implementing RBAC is enforcing and auditing the roles you have defined and assigned. To do this, you need logic and mechanisms that check every access request against the assigned roles and record the decision. Several mechanisms are commonly combined with RBAC at this stage. Attribute-based access control (ABAC) uses attributes or properties of users, resources, actions, and the environment to evaluate access policies and rules, which can express conditions that roles alone cannot. Policy-based access control (PBAC) uses a centralized or distributed policy engine or service to manage and evaluate access policies and rules, so that enforcement points do not each carry their own copy of the logic. Token-based access control (TBAC), as the term is used here, uses tokens or credentials that encode the roles and permissions of users or services and are validated by resource providers or gateways; the validator must verify the token's signature and expiry before trusting the roles it carries, otherwise a caller can simply write the roles it wants into the token. Audit logging and reporting collects, stores, and reports the data and metadata of access events that occur in the system, and should record denied requests as well as permitted ones, since the denials are what reveal misuse and misconfigured roles.

Best practices and standards.
The final step in implementing RBAC is to follow the best practices and standards available for your system and domain. Doing so helps you improve the quality, consistency, and interoperability of your RBAC solution and comply with the regulations and norms that apply.
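The following added example (not code from the original text) shows the token-based enforcement and audit logging described above at a gateway: an issuer signs a token that carries the subject's roles, and the gateway verifies the signature and expiry before mapping roles to permissions, then writes an audit record for every decision, including denials. The token format is a simplified HMAC-signed stand-in for a JWT, and the `SECRET`, `ROLE_PERMS` table, `/reports` paths and subject names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"   # constructed for the example; a real deployment uses a managed key

# Gateway-side mapping of role -> (method, path) permissions; hypothetical roles and paths.
ROLE_PERMS = {
    "viewer": {("GET", "/reports")},
    "editor": {("GET", "/reports"), ("PUT", "/reports")},
}


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles, ttl: int = 300, now=None, key: bytes = SECRET) -> str:
    """Issuer side: sign <base64(claims)> with HMAC-SHA256 and append the signature."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "exp": now + ttl}
    body = b64e(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64e(sig)}"


class Gateway:
    def __init__(self, key: bytes = SECRET) -> None:
        self.key = key
        self.audit: list[dict] = []

    def verify(self, token: str, now: float):
        """Return (claims, None) for a valid token, else (None, reason)."""
        try:
            body, sig = token.split(".")
            sig_bytes = b64d(sig)
        except ValueError:
            return None, "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):   # constant-time comparison
            return None, "bad_signature"
        claims = json.loads(b64d(body))   # parse claims only after the signature checked out
        if claims["exp"] <= now:
            return None, "expired"
        return claims, None

    def authorize(self, token: str, method: str, path: str, now=None) -> bool:
        now = time.time() if now is None else now
        claims, reason = self.verify(token, now)
        if claims is None:
            sub, roles, decision = None, [], False
        else:
            sub, roles = claims["sub"], claims["roles"]
            allowed = set().union(*(ROLE_PERMS.get(r, set()) for r in roles))
            decision = (method, path) in allowed
            reason = "allowed" if decision else "no_permission"
        # Every decision, permitted or denied, becomes an audit record.
        self.audit.append({"ts": now, "sub": sub, "roles": roles, "method": method,
                           "path": path, "decision": decision, "reason": reason})
        return decision


def forge_roles(token: str, roles) -> str:
    """Attacker: rewrite the roles claim but keep the original signature."""
    body, sig = token.split(".")
    claims = json.loads(b64d(body))
    claims["roles"] = roles
    return b64e(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


def demo() -> dict:
    now = 1_700_000_000.0   # fixed clock so the example is deterministic
    gw = Gateway()
    viewer = issue_token("alice", ["viewer"], ttl=300, now=now)
    results = {
        "viewer_get": gw.authorize(viewer, "GET", "/reports", now=now),
        "viewer_put": gw.authorize(viewer, "PUT", "/reports", now=now),
        "forged_put": gw.authorize(forge_roles(viewer, ["editor"]), "PUT", "/reports", now=now),
        "expired_get": gw.authorize(viewer, "GET", "/reports", now=now + 301),
        "garbage": gw.authorize("not-a-token", "GET", "/reports", now=now),
    }
    results["audit_reasons"] = [entry["reason"] for entry in gw.audit]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged request is the case the caveat in the text is about: the body now claims the `editor` role, but the signature was computed over the original body, so the gateway rejects it before the roles are even read. With a shared HMAC key, every gateway that can verify tokens can also mint them, so in a multi-service deployment an asymmetric signature (issuer holds the private key, gateways hold only the public key) is the safer choice.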
Examples of these standards include the NIST RBAC model, which defines four levels of increasing capability (flat, hierarchical, constrained, and symmetric RBAC); the ANSI INCITS 359 standard (American National Standard for Information Technology, Role Based Access Control), which specifies functions for role assignment, role activation, role authorization, and role review; the OASIS XACML (eXtensible Access Control Markup Language) standard for expressing access control policies in XML (eXtensible Markup Language); and the OAuth 2.0 framework for delegating and obtaining authorization to access resources [16].