Effective CISSP Questions

Which of the following is the primary benefit of role-based access control (RBAC)? (Source: Wentz QOTD)
A. Prevent privilege creeping
B. Increase efficiency in granting privileges
C. Comply with the least privileges principle
D. Ease administration workload in a large organization

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Increase efficiency in granting privileges.

My questions are always written to provoke thinking. There are different perspectives on RBAC. The following justification stands for my perspective only. There is no correct or wrong answer. 

Whether the organization is large or small, and whether its operations are sound or poor, RBAC delivers increased efficiency in granting privileges (to roles). Granting privileges to individual user accounts one by one is time-consuming. A role, as a collection of privileges, is created to solve this problem.

The “Rights” depicted in the following diagram refers to privileges in this post.

Roles and Privileges

A role represents a collection of privileges. It’s like a subroutine or function in programming: it can be reused, which saves the time that would otherwise be spent repeating the same routine steps. For example, security administrators or IT staff can grant privileges to a role once, then assign the role to multiple user accounts. Without a role, each user account requires its own time-consuming round of privilege grants.

Least Privileges

Compliance with the principle of least privilege is determined by people, not technologies. RBAC supports the principle of least privilege but does not enforce it. Data owners or their delegates may not follow the principle properly even if RBAC is implemented. In other words, a role can still be granted too many privileges.

Role Explosion

In a large organization, the number of roles can be astonishing. To support least privilege, roles may be sliced into small, narrowly scoped ones, which increases the administrative workload in a large organization instead of easing it.

Once all the necessary roles are set up, this model doesn’t require a lot of maintenance and support from the IT department. Implementing RBAC can help you meet IT security requirements without much pain. On the other hand, creating a complex role system for a large enterprise may be challenging. An organization with thousands of employees can end up with a few thousand roles. This is known as role explosion, and it’s unavoidable for a big company.

Source: EkranSystem

Privilege Creeping

Change management prevents privilege creeping. Conversely, poor operation of RBAC may lead to privilege creeping. Creeping means a baseline is changed without authorization or approval. When an employee is transferred across various job positions, he or she may accumulate privileges because role or privilege changes were not managed (for example, the old role is never revoked when the new one is assigned).
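The three points above (privileges granted to a role once and inherited by every holder, RBAC accepting an over-privileged role because least privilege is a people decision, and unmanaged transfers accumulating roles) can be shown in a toy RBAC model. This is an added example, not code from the original post; every role name, privilege name, user id and the baseline counts are constructed for illustration, and the "approved baseline" per role stands in for whatever the data owner signed off on under change management.

```python
"""Toy RBAC model: roles bundle privileges, users receive roles.

Added example, not from the original post. Role names, privilege names,
user ids and the numbers fed to grant_operations() are constructed.
"""

from dataclasses import dataclass, field


@dataclass
class Rbac:
    roles: dict = field(default_factory=dict)        # role -> set of privileges actually granted
    assignments: dict = field(default_factory=dict)  # user -> set of roles held
    baselines: dict = field(default_factory=dict)    # role -> privileges approved via change management

    def define_role(self, role, privileges, approved=None):
        """Grant privileges to a role once. `approved` is the change-managed
        baseline; RBAC itself does not refuse grants that exceed it."""
        self.roles[role] = set(privileges)
        self.baselines[role] = set(approved if approved is not None else privileges)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"undefined role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.assignments.get(user, set()).discard(role)

    def effective_privileges(self, user):
        """Union of the privileges of every role the user currently holds."""
        return set().union(*(self.roles[r] for r in self.assignments.get(user, ())))

    def transfer_unmanaged(self, user, new_role):
        """Poor operations: the new role is added, the old ones are never removed."""
        self.assign(user, new_role)

    def transfer_managed(self, user, new_role):
        """Change management: old roles are revoked as the new one is assigned."""
        for old in list(self.assignments.get(user, set())):
            self.revoke(user, old)
        self.assign(user, new_role)

    def over_privileged_roles(self):
        """Least-privilege audit: roles granted more than their approved baseline."""
        return {r: p - self.baselines[r] for r, p in self.roles.items() if p - self.baselines[r]}

    def privilege_creep(self, user, current_role):
        """Privileges the user can exercise beyond those of their current job role."""
        return self.effective_privileges(user) - self.roles[current_role]


def grant_operations(n_users, n_privileges, use_roles):
    """Grant operations an administrator performs to give every user the same
    privilege set: one per (user, privilege) pair without roles, versus one per
    privilege to the role plus one role assignment per user with roles."""
    return n_users + n_privileges if use_roles else n_users * n_privileges


def demo():
    rbac = Rbac()
    rbac.define_role("accounts_payable", {"invoice.read", "invoice.approve"})
    # The owner over-grants this role; RBAC accepts it and only an audit notices.
    rbac.define_role("help_desk", {"ticket.read", "ticket.update", "ticket.delete"},
                     approved={"ticket.read", "ticket.update"})

    rbac.assign("alice", "accounts_payable")   # privileges granted to the role once,
    rbac.assign("bob", "accounts_payable")     # reused for every holder

    # Bob moves to the help desk. Without change management the old role stays.
    rbac.transfer_unmanaged("bob", "help_desk")
    creep_unmanaged = rbac.privilege_creep("bob", "help_desk")

    # The same transfer done through change management revokes the old role.
    rbac.transfer_managed("bob", "help_desk")
    creep_managed = rbac.privilege_creep("bob", "help_desk")

    return {
        "alice": rbac.effective_privileges("alice"),
        "over_privileged": rbac.over_privileged_roles(),
        "creep_unmanaged": creep_unmanaged,
        "creep_managed": creep_managed,
        "grants_without_roles": grant_operations(1000, 20, use_roles=False),
        "grants_with_roles": grant_operations(1000, 20, use_roles=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`over_privileged_roles()` is the check a data owner or auditor runs against the approved baseline; `privilege_creep()` is the check a transfer review runs per user. Neither is something RBAC does on its own, which is the point of the Least Privileges and Privilege Creeping sections above.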



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. Prevent privilege creeping
B. Increase the efficiency of granting privileges
C. Comply with the requirements of the least privilege principle
D. Reduce the administrative burden of a large organization

