How does role-based access compare with mandatory access control?

How does role-based access compare with mandatory access control?

Role-based access control (RBAC) and mandatory access control (MAC) are two very different methods of controlling access to files, computer resources and operating systems. However, they share the common goal of ensuring that only the correct individuals within an organization have access to information and data. Access control as a discipline is a fundamental component of data security and works alongside authentication and authorization to verify the identity of users, and in turn provide access to data their access allows.

Why is access control important?

Access control works to keep organizational data confidential including personal identifiable information, customer data, and intellectual property, among other types of data. Without a robust access control system in place, organizations are at risk of data leaks from internal and external sources, along with the possibility of errors being generated, intentionally or not, by users with inappropriate access for their job role . Limiting network access is particularly important in large organizations, highly regulated industries and for companies that permit access to their systems to contractors or other third parties.

What is role-based access control?

Role-based access control (RBAC), is an access control system that assigns permissions to users based on their role within an organization. Users within an organization are assigned to a particular role which can be their job role or based on their need to access certain information. Typically, the higher up in the organization the individual is, the more access they are granted to information, also within roles levels of access can be created based on the need to use certain systems e.g. read-only, editor or administrator.

When an employee changes positions or roles within an organization, their access will need to be altered accordingly. Adding or removing individuals to groups will grant or deny them with the permissions granted to that group. RBAC also allows users to be assigned access temporarily if they need to complete tasks outside of their normal permissions.

Advantages of RBAC

  • Operational efficiency
  • Limits administrative burden
  • Selective access
  • Security as a function of organizational structure
  • Flexibility to change permissions where needed
  • Increased visibility of access levels

What is mandatory access control?

Mandatory access control (MAC) is based on the level of security required to access a particular piece of data or computer system, with each resource being given a security label. The MAC model is based on creating a hierarchy of staff within an organization, with each level permitted different access based on their security level. Individuals in each tier will have access to all data and systems that are appropriate for their rank and all ranks below them. Mandatory access control uses a centrally managed model and reserves control over access policies to a centralised security administration. In this form of access control, users do not have the discretion of determining who can access data (even if they created the resource), as this is strictly controlled by the administrator.

MAC is widely used by government bodies, the military and other organizations dealing with highly sensitive information, as it delivers an extremely high level of data protection. There is a high level of set up involved at the outset in making sure an MAC system is based on the correct foundations, as these rules will be used to dictate the whole security process.

Advantages of MAC

  • High level of data protection
  • Centralised control
  • Suited to hierarchical structures

Role Based Access vs Mandatory Access Control

Although MAC delivers a higher level of security compared to RBAC system, the burden on the central administrator of setting up and maintaining the system can be onerous. Processing new access requests can be time consuming as the individual’s place in the hierarchy will need to be determined by the administrator. Whilst this may be a price worth paying in high security organizations, for many companies today which rely heavily on multiple software packages and computer systems, the lack of flexibility of MAC is seen as a major disadvantage.

In contrast, role based access control systems offer the ability to pivot quickly as new  software and systems are introduced and personnel come and go. With automated RBAC systems, you can quickly add new personnel, update permissions as their role changes and deactivate access as soon as an individual leaves an organization. This automation of the process means less reliance on the judgement of one central individual and therefore less margin for human error. The visibility and audit trail these systems provide also enhances controls in these areas to address compliance needs of the organization, therefore making them hugely attractive to organizations in high regulated industries such as finance and healthcare.

How can ideiio, a Fastpath company, help with access control?

ideiio includes automated role-based access control as a fundamental component of its functionality. With ideiio, once a new employee joins, they will automatically be given access to the company data and systems that they need based on their role. ideiio can also provide more granular access at an entitlement level and can be used to manage permission levels within an application such as read-only or edit permissions.