A Pragmatic Approach to RBAC - PowerPoint PPT Presentation

About This Presentation
Title: A Pragmatic Approach to RBAC
Provided by: neilco4
Slides: 17

Transcript and Presenter's Notes

1
A Pragmatic Approach to RBAC
  • Oxford Computer Group
  • Hugh Simpson-Wells
  • Dave Nesbitt

2
What Are Roles?
  • Organizational roles: what we do at work
  • IT roles: what we are permitted to do on a
    particular system or application
  • Collections of privileges
  • Users (or groups of users) are assigned to roles
    and inherit these privileges

[Diagram: John Smith (person) is assigned the administrator (role), which carries a set of permissions]
3
Role-based Access Control
  • Standard access control is per user
  • RBAC means managing access based on a user's role
  • In AD, group membership is analogous to role
    membership

4
Access Control with Group Membership
[Diagram: the user's token is checked for group membership; if the group has access rights, access is granted]
5
Application Roles
  • Group memberships in AD are application roles if
    used to manage permissions
  • People will probably have more than one
    application role
  • They may have no direct relation to a person's
    job title

[Diagram: John Smith (Sales Assistant) holds application roles AD Group 1 and AD Group 2 (each carrying permissions) plus SAP Role 1 and SAP Role 2]
6
Oxford Pragmatic Role Solution
[Diagram: Enterprise Role "Sales Assistant" (cn=sales assistants, ou=sales), held by Jack Black and John Smith, maps to Application Roles AD Group 1, AD Group 2, SAP Role 1 and SAP Role 2, which carry the permissions]
7
Role-Based Provisioning with MIIS
  • When provisioning using MIIS, our goal is to
    automatically put users into the right
    Application Roles
  • Could be a native role (SAP, etc.)
  • Could be an AD group
  • Could just be some attributes
  • Fine-grained authorization
  • But how?
  • Manually, using an interface
  • Automatically, driven by data from another
    source such as HR
  • Pragmatically, a combination of both

8
Role-Based Provisioning
[Diagram: HR → Import Employee → MIIS; admin creates new user in ADAM (Role1, Role2); MIIS asks "Which application roles does this user need?" and exports users to Consumer Systems (Group1; cn=group1, cn=group2)]
9
Manual Role Assignment
[Diagram: User Admin: administrator adds user to an Enterprise role in ADAM (Role1, Role2); user object is imported to MIIS; HR → Import Employee → MIIS; MIIS reads the user's role info and makes provisioning decisions; Export Users to Consumer Systems (Group1; cn=group1, cn=group2)]
10
Automatic Role Assignment
User object exported to ADAM and put into an OU
that has an Enterprise role(s) associated with
it, or put into ADAM groups with an Enterprise
role associated
[Diagram: HR → Import Employee → MIIS; user object exported to ADAM (Role1, Role2); MIIS reads the user's role info and makes provisioning decisions; Export Users to Consumer Systems (Group1; cn=group1, cn=group2)]
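The two assignment paths on slides 9 and 10 (an administrator adding a user to an Enterprise role, or the user's OU placement and ADAM group membership implying one) feed the same provisioning decision. The following is an added illustration of that decision, not Oxford Computer Group's or MIIS's own code: the DNs, the role names and the dict-based mappings are constructed from the deck's examples, and the "managed application roles" rule (only roles governed by some Enterprise role are ever revoked) is an assumption that reflects the "combination of both" approach on slide 7.

```python
"""Resolve a user's enterprise roles from where they sit in ADAM, expand them
to application roles, and compute what to add/remove on a consumer system.
Added illustration (not Oxford Computer Group's or MIIS's own code); the DNs,
role names and mappings below are constructed assumptions."""
from dataclasses import dataclass, field

# Enterprise role -> application roles (slide 6 mapping, constructed sample).
ENTERPRISE_ROLES = {
    "Sales Assistant": frozenset({"AD Group 1", "AD Group 2", "SAP Role 1", "SAP Role 2"}),
    "Sales Manager": frozenset({"AD Group 2", "SAP Role 3"}),
}
# Every application role some enterprise role governs. Access outside this set
# is left untouched: not all access is role-driven yet (pragmatic approach).
MANAGED_APP_ROLES = frozenset().union(*ENTERPRISE_ROLES.values())

# Automatic assignment (slide 10): OU placement or ADAM group membership.
OU_ROLES = {"ou=sales,dc=example,dc=local": "Sales Assistant"}
GROUP_ROLES = {"cn=sales managers,ou=sales,dc=example,dc=local": "Sales Manager"}


@dataclass
class AdamUser:
    dn: str
    member_of: set = field(default_factory=set)     # ADAM group DNs
    manual_roles: set = field(default_factory=set)  # slide 9: admin-assigned


def parent_ou(dn: str) -> str:
    """Container of an object: cn=x,ou=sales,dc=... -> ou=sales,dc=..."""
    return dn.split(",", 1)[1].lower()


def enterprise_roles(user: AdamUser) -> set:
    """Manual roles plus roles implied by the user's OU and ADAM groups."""
    roles = set(user.manual_roles)
    ou = parent_ou(user.dn)
    if ou in OU_ROLES:
        roles.add(OU_ROLES[ou])
    roles.update(GROUP_ROLES[g.lower()] for g in user.member_of if g.lower() in GROUP_ROLES)
    return roles


def application_roles(user: AdamUser) -> set:
    """Expand enterprise roles to application roles (slide 6)."""
    app = set()
    for role in enterprise_roles(user):
        if role not in ENTERPRISE_ROLES:
            # Fail closed: an enterprise role with no mapping is a data error an
            # administrator must see, not something to guess around.
            raise KeyError(f"enterprise role {role!r} has no application-role mapping")
        app |= ENTERPRISE_ROLES[role]
    return app


def provisioning_changes(user: AdamUser, current: set) -> tuple:
    """The provisioning decision of slides 9/10: what to grant and what to
    revoke on a consumer system given what the user holds there today. Only
    managed application roles are revoked, so a user moved out of ou=sales
    loses the Sales Assistant groups but keeps access the role model does not
    yet cover."""
    desired = application_roles(user)
    to_add = desired - current
    to_remove = (current & MANAGED_APP_ROLES) - desired
    return to_add, to_remove


if __name__ == "__main__":
    john = AdamUser("cn=john smith,ou=sales,dc=example,dc=local")
    print(enterprise_roles(john), application_roles(john))
    print(provisioning_changes(john, {"AD Group 1", "SAP Role 3", "Legacy Group"}))
```

The revoke half of `provisioning_changes` is the part worth attention: an OU move or group removal in ADAM has to flow out as removals too, otherwise role-based provisioning accumulates access over time, which is exactly what the role-mining exercise later in the deck would then surface.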
11
Application Role Discovery with MIIS
[Diagram: Consumer Systems → Import Group Objects → MIIS; create analogs of these roles as appRole objects in ADAM using OUM; ADAM → Import Role Objects → MIIS; import appRoles to MIIS and join to groups/roles; flow changes in role/group memberships out as attribute flow; HR]
12
Role Mining with MIIS
  • Import users from HR and target systems,
    including their current roles
  • Join them up
  • Export them to a SQL 2005 instance
  • Analyse the data to see the most common
    relationships between HR jobTitle and
    permissions/roles
  • Where there is a significant correlation, make
    that a de facto role for that job title
  • Where there isn't, do it manually.
  • Come back in 6 months and check again.
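The analysis step of slide 12 (find the common relationships between HR jobTitle and held roles, and turn strong ones into de facto roles) can be run over the joined, exported data as follows. This is an added illustration, not Oxford Computer Group's tooling or a MIIS component; the records are constructed sample data standing in for the SQL export, and the 75% threshold and the three-holder minimum are assumptions that a practitioner would tune to their own population.

```python
"""Role mining over joined HR + target-system records (slide 12, steps 4-6).
Added illustration, not Oxford Computer Group's tooling; RECORDS is
constructed sample data and the thresholds are assumptions."""
from collections import Counter

# Constructed sample: (user, HR jobTitle, roles/groups currently held), i.e.
# the joined data slide 12 exports to SQL before analysis.
RECORDS = [
    ("jsmith",  "Sales Assistant", {"AD Group 1", "SAP Role 1", "SAP Role 2"}),
    ("jblack",  "Sales Assistant", {"AD Group 1", "SAP Role 1"}),
    ("amiller", "Sales Assistant", {"AD Group 1", "SAP Role 1"}),
    ("bjones",  "Sales Assistant", {"AD Group 1", "SAP Role 1", "Finance Group"}),
    ("cwong",   "Accountant",      {"Finance Group", "SAP Role 5"}),
    ("dlee",    "Accountant",      {"Finance Group", "SAP Role 2"}),
    ("eroth",   "Accountant",      {"Finance Group"}),
    ("fkhan",   "CFO",             {"Finance Group", "SAP Role 9"}),
]


def support(records):
    """holders[title] = number of users with that jobTitle;
    share[title][role] = fraction of those users who hold the role."""
    holders = Counter(title for _, title, _ in records)
    pairs = Counter((title, role) for _, title, roles in records for role in roles)
    share = {}
    for (title, role), n in pairs.items():
        share.setdefault(title, {})[role] = n / holders[title]
    return holders, share


def mine_roles(records, threshold=0.75, min_users=3):
    """Propose a de facto role per job title: the roles held by at least
    `threshold` of its holders. Titles with fewer than `min_users` holders are
    not called a correlation at all; they and titles with no common role are
    returned for manual handling, as the deck's 'do it manually' step says."""
    holders, share = support(records)
    defacto, manual = {}, []
    for title, n in holders.items():
        if n < min_users:
            manual.append(title)
            continue
        common = {role for role, f in share[title].items() if f >= threshold}
        if common:
            defacto[title] = common
        else:
            manual.append(title)
    return defacto, sorted(manual)


def exceptions(records, defacto):
    """Access a user holds beyond their title's de facto role. Each entry is a
    manual decision: keep it as a documented exception or revoke it."""
    out = {}
    for user, title, roles in records:
        extra = roles - defacto.get(title, set())
        if extra:
            out[user] = extra
    return out


if __name__ == "__main__":
    roles, manual = mine_roles(RECORDS)
    print("de facto roles:", roles)
    print("manual titles:", manual)
    print("exceptions:", exceptions(RECORDS, roles))
```

The `exceptions` output is the list the "come back in 6 months" step re-examines: a role that appears there for most holders of a title has become part of the job and should move into the de facto role, while one-off grants that persist are the access-creep the mining is meant to catch.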

13
Role Mining with MIIS
[Diagram: HR → MIIS (Project users); Consumer Systems → MIIS (Join Users); ADAM]
14
Role Mining with MIIS
15
Role Mining with MIIS
16
Oxford Computer Group
  • www.oxfordcomputergroup.com
  • tel 44 (0)8456 584425, fax 44 (0)8456 584426
  • dave.nesbitt@oxfordcomputergroup.com
  • neil.coughlan@oxfordcomputergroup.com