10     Chapter 1 • General Security Concepts: Access Control, Authentication, and Auditing

                 However, although the concept of RBAC is similar to group-based access, it is
             not the same structure. With groups, a general level of access based on a grouping
             of user or machine objects is created for the administrator's convenience. The
             group model, however, does not express the true level of access that should be
             defined: the entire membership of a group gets the same access, so some members
             end up with access they do not need.
                 RBAC allows for a more granular and precisely defined access level, without
             the generality that exists in the group environment. A role is developed and
             defined for each job in the organization, and access controls are based on that
             role. This centralizes the access control function: individuals or processes are
             classified into a role, and that role is granted access to the network and to
             defined resources. This type of access control requires more development and
             cost, but it is more flexible than MAC and can be redefined more easily as job
             functions change. RBAC can also be used to grant or deny access to a particular
             router or to services such as File Transfer Protocol (FTP) or Telnet.
                 RBAC is easier to understand with an example. Assume there is a user at a
             company whose role requires access to specific shared resources on the network.
             Using groups, the user would be added to an existing group that has access to the
             resource, and access would be granted. With RBAC, you would instead define the
             user's role and then grant that specific role access to whatever resources it
             requires. If the user is promoted and changes roles, changing their permissions is
             as simple as assigning them to their new role in place of the old one. If they
             leave the company and are replaced, assigning the appropriate role to the new
             employee grants them access to exactly what they need to do their job, without
             trying to determine all of the groups that would be necessary without RBAC.
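The transfer and replacement scenario just described, as an added example that is not from the book: a minimal RBAC model beside a group model. A user holds exactly one role, so reassigning the role drops the old job's access; under groups, access is the union of every membership, so a forgotten removal leaves the old access in place. All user, role, group and permission names are constructed for illustration.

```python
"""Added example (not from the book): role-based access beside group-based
access, to show why a transfer or replacement is one role assignment under
RBAC but a membership audit under groups. Every name below is constructed."""


# Role definitions: one role per job function, each mapping to the set of
# permissions that job needs. Permission strings are hypothetical labels.
ROLE_PERMISSIONS = {
    "help_desk":        {"telnet:router:core1", "share:it:read"},
    "accounts_clerk":   {"ftp:read", "share:finance:read"},
    "accounts_manager": {"ftp:read", "share:finance:read",
                         "share:finance:write", "router:core1:config"},
}


class Rbac:
    """Each user holds exactly one role; the role carries the permissions."""

    def __init__(self, role_permissions):
        self._roles = {r: frozenset(p) for r, p in role_permissions.items()}
        self._role_of = {}  # user -> role

    def assign(self, user, role):
        if role not in self._roles:
            raise KeyError(f"undefined role: {role}")
        self._role_of[user] = role  # replaces any previous role

    def revoke(self, user):
        self._role_of.pop(user, None)

    def permissions(self, user):
        return self._roles.get(self._role_of.get(user), frozenset())

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)


class Groups:
    """Group model: a user's access is the union of every group they are in."""

    def __init__(self, group_permissions):
        self._groups = {g: frozenset(p) for g, p in group_permissions.items()}
        self._member_of = {}  # user -> set of groups

    def add(self, user, group):
        if group not in self._groups:
            raise KeyError(f"undefined group: {group}")
        self._member_of.setdefault(user, set()).add(group)

    def remove(self, user, group):
        self._member_of.get(user, set()).discard(group)

    def permissions(self, user):
        return frozenset().union(
            *(self._groups[g] for g in self._member_of.get(user, set())))

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)


def transfer_scenario():
    """alice moves from the help desk to accounts; bob replaces her on the
    help desk. Returns what each model grants afterwards."""
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign("alice", "help_desk")
    rbac.assign("alice", "accounts_clerk")  # transfer: a single reassignment
    rbac.assign("bob", "help_desk")         # replacement: a single assignment

    # Same sets used as groups. The administrator adds alice to the new group
    # but forgets to remove her from the old one, a common real-world slip.
    groups = Groups(ROLE_PERMISSIONS)
    groups.add("alice", "help_desk")
    groups.add("alice", "accounts_clerk")
    groups.add("bob", "help_desk")

    return {
        "rbac_alice": rbac.permissions("alice"),
        "rbac_bob": rbac.permissions("bob"),
        "groups_alice": groups.permissions("alice"),
        "groups_bob": groups.permissions("bob"),
    }


if __name__ == "__main__":
    for who, perms in sorted(transfer_scenario().items()):
        print(f"{who:13s} {sorted(perms)}")
```

Under RBAC, alice loses `telnet:router:core1` the moment she is reassigned to `accounts_clerk`; under the group model she keeps it until someone audits her memberships, which is the unnecessary access the text warns about. Bob, assigned the `help_desk` role, gets exactly the help-desk permission set and nothing else.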
                 In summary, RBAC is:

                  ■   Job Based The role is based on the functions performed by the user

                  ■   Highly Configurable Roles can be created and assigned as needed or as
                      job functions change

                  ■   More Flexible Than MAC MAC decisions are based on very specific infor-
                      mation (fixed security labels), whereas RBAC is based on a user's role in
                      the company, which can vary greatly.
