Role Based Access Control

Flexible roles instead of rigid rules


Conventional rule- and request-based Identity Management is increasingly being replaced by role-based IDM (the RBAC schema). Administrators then no longer have to write a new, highly complex rule for every use case, such as a change of project assignment. Instead, role-based IDM works from the organizational chart: authorizations are attached to its organizational elements as business roles. The IDM system walks the branches of the organizational tree that apply to a user and collects the roles found there, together with the rights assigned to them. The result is a bundle of technical and business roles per user.


If user John Doe is assigned the roles “Member of Purchasing Department”, “Team Leader” and “…”, he receives all rights attached to these roles through automated provisioning. At the same time the system checks the resulting combination of rights and blocks unwanted ones, so that, for example, the person who raises a purchase order can never also release it (segregation of duties).
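As an added example (not code from the original article or from any IDM product), the following Python model shows the mechanism described above end to end: an organizational tree with business roles attached to its nodes, collection of roles along a user's branch plus direct and temporary assignments, resolution of business roles to technical roles and permissions, and a segregation-of-duties check that refuses provisioning when an unwanted combination would result. The company, roles, permissions and dates are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# All data below is constructed for illustration (hypothetical company "ACME").

# Technical roles: entitlements as an application (here an imaginary ERP) knows them.
TECHNICAL_ROLES = {
    "intranet_user": {"intranet:read"},
    "erp_po_create": {"erp:purchase_order:create", "erp:purchase_order:read"},
    "erp_po_release": {"erp:purchase_order:approve", "erp:purchase_order:read"},
    "hr_team_view": {"hr:team:read"},
}

# Business roles bundle technical roles under a name the business understands.
BUSINESS_ROLES = {
    "Employee": {"intranet_user"},
    "Member of Purchasing Department": {"erp_po_create"},
    "Purchasing Approver": {"erp_po_release"},
    "Team Leader": {"hr_team_view"},
}

# Segregation of duties: permission pairs one identity must never hold at once.
SOD_RULES = [("erp:purchase_order:create", "erp:purchase_order:approve")]


@dataclass
class OrgUnit:
    name: str
    roles: set[str] = field(default_factory=set)  # business roles attached to this node
    parent: OrgUnit | None = None


@dataclass
class RoleAssignment:
    role: str
    valid_until: date | None = None  # None = permanent; a date makes it temporary


@dataclass
class User:
    name: str
    org_unit: OrgUnit
    direct_roles: list[RoleAssignment] = field(default_factory=list)


def effective_business_roles(user: User, today: date) -> set[str]:
    """Collect roles along the branch from the user's unit up to the root, then
    add direct (position, project or temporary) assignments still valid today."""
    roles: set[str] = set()
    unit = user.org_unit
    while unit is not None:
        roles |= unit.roles
        unit = unit.parent
    for a in user.direct_roles:
        if a.valid_until is None or a.valid_until >= today:
            roles.add(a.role)
    return roles


def resolve_permissions(business_roles: set[str]) -> set[str]:
    """Expand business roles -> technical roles -> permissions."""
    perms: set[str] = set()
    for br in business_roles:
        for tr in BUSINESS_ROLES.get(br, set()):
            perms |= TECHNICAL_ROLES.get(tr, set())
    return perms


def sod_violations(perms: set[str]) -> list[tuple[str, str]]:
    return [(a, b) for a, b in SOD_RULES if a in perms and b in perms]


def provision(user: User, today: date) -> set[str]:
    """Return the permission set to push to the target systems, or refuse
    provisioning entirely when the combination violates an SoD rule."""
    perms = resolve_permissions(effective_business_roles(user, today))
    violations = sod_violations(perms)
    if violations:
        raise PermissionError(f"SoD violation for {user.name}: {violations}")
    return perms


# Constructed organizational tree: roles attached to a node apply to everything below it.
ACME = OrgUnit("ACME", {"Employee"})
PURCHASING = OrgUnit("Purchasing", {"Member of Purchasing Department"}, ACME)
TEAM_A = OrgUnit("Purchasing Team A", parent=PURCHASING)

# John Doe sits in Team A, is a team leader, and for one month also covers approvals.
JOHN = User("John Doe", TEAM_A, [
    RoleAssignment("Team Leader"),
    RoleAssignment("Purchasing Approver", valid_until=date(2024, 3, 31)),
])

if __name__ == "__main__":
    for day in (date(2024, 3, 1), date(2024, 4, 1)):
        try:
            print(day, sorted(provision(JOHN, day)))
        except PermissionError as e:
            print(day, "refused:", e)
```

Run on 1 March 2024 the temporary "Purchasing Approver" assignment is still valid, John would hold both create and approve on purchase orders, and provisioning is refused; on 1 April the assignment has expired and the remaining roles provision cleanly. A real IDM would additionally record the refused combination for review rather than silently dropping it.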


Mapping the organization into the RBAC system is, however, time-consuming. The advantage of no longer needing rigid IDM rules only pays off once a certain number of business roles have been defined and assigned. It therefore often makes sense to start with rule-based Identity Management and extend it to role-based IDM later.

Benefits of RBAC

  • A large number of (technical) individual authorizations can be grouped into business roles.
  • Since only a few business roles are used instead of a huge catalog of individual authorizations, the complexity of assigning authorizations is reduced.
  • Business roles carry descriptive names and are intelligible to requesters and approvers, so the Helpdesk receives fewer requests.
  • Administrative effort is reduced because fewer rules and regulations have to be maintained and adapted in the IDM.
  • Individual authorizations are complex to request, so wrong ones are often ordered; the simplicity of business roles largely eliminates this.
  • Central administration of all authorizations, security policies and user roles in one IDM system (not offered by every IDM vendor) simplifies administration.
  • Because business roles are easy to understand and apply, there are fewer queries to IT, which reduces costs.

Obstacles of RBAC

  • Many projects ignore the business departments when defining roles and then wonder why the new procedure is not accepted.
  • Bottom-up models, i.e. pure role mining from the authorizations that already exist in the applications, only produce technical roles and neglect the business and organizational perspective.
  • Most projects underestimate the demands that defining and applying technical and business roles place on project staff, and many take the IT ordering processes built on business roles too lightly. Internal IT staff are all too often overloaded as a result, with serious consequences.
  • It is easy to overlook that overlaps between line organization and project organization (e.g. authorizations that result from project membership) must be regulated.
  • Temporary role assignments (e.g. continued data access during a department change) are needed but are often not set up at all.