A short overview of role-based access control (RBAC) and role engineering.

1. IAM: Getting the basics right
David Doret
david.doret@me.com
https://ch.linkedin.com/in/daviddoret
https://twitter.com/daviddoret
Revisiting Role-Based Access Control (RBAC)
IDM Conference - June 2019

2. The origins

3. The Basic Conceptual Model
(Ferraiolo et al. 1999)

4. Getting the
underlying
intuition
HR
Finance
Sales
IT
Employee
Manager
Illustrations:
H Alberto Gongora and
AomAm
from the Noun Project

5. What is a role?
It is not just a
group of users
and permissions
Primarily, it has
business meaning
(…) security requirements are mostly social
requirements rather than technical solutions (…) To
understand the problem of security engineering we
need to model and analyze organizational settings, in
terms of relationships between relevant actors,
including the system-to-be. Modeling only digital
protection mechanisms is not sufficient. Indeed, several
studies have revealed how security is often
compromised by exploiting weaknesses at the interface
between procedures and policies adopted by an
organization and the system that support them (…)
(Massacci et al. 2007)
Role: a job or function “with some associated semantics
regarding the authority and responsibility conferred on
a member of the role.”
(Ravi Sandhu et al., 2000)

6. Reference: David Doret (2018), derived from Crook et al. (2002)
The role of roles

7. Role Engineering
“So role engineering is the application of engineering
principals and techniques to create a set of roles that
implements a security policy and that is organized into
a structure that reflects the nature of the enterprise or
organization. The role structure will be optimized for
effectiveness and efficiency using engineering
principles and techniques.”
(Coyne and Davis 2008)

8. (Ravi Sandhu et al., 2000), Wisegate (2012)
Polyarchy

9. “Not all our challenges are
top-down. There is a need for
an important bottom-up view
of security requirements
engineering.”
Crook et al. (2002)

10. Role
engineering
is iterative
by nature

11. Overentitlement Underentitlement
Security Risk
Business Risk
& Security Risk
References: Sinclair and Smith (2008) + O’Connor and Loomis (2010)

12. Permission Drift
“If deprovisioning does not occur, it
may not affect a user’s
productivity, but it results in the
user maintaining unnecessary or
inappropriate permissions. This
phenomenon is referred to as
permission drift and results in
‘overentitled’ users.”
Reference: Alan C. O’Connor and Ross J. Loomis (2010)

13. SoD
“(…) the allocation of work so
that an employee cannot
both perpetrate and conceal
errors or fraud in the normal
course of performing their
duties” (Stone, 2009)

14. Inspired by Singleton (2010)
The Fraud Triangle

15. Net Economic Benefit of RBAC
Reference: O’Connor and Loomis (2010)

16. Foundational Metric: RBAC Efficiency
• Easy to collect and compute
• If you don’t measure this indicator, you
don’t know if RBAC is implemented or not
• Minimum level to claim RBAC: 80%
• Should reach an optimal plateau
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
RBACEfficiency
Cost / Time / Effort
Law of diminishing returns
𝒂𝒄𝒄𝒆𝒔𝒔𝒊𝒏𝒉𝒆𝒓𝒊𝒕𝒆𝒅
𝒂𝒄𝒄𝒆𝒔𝒔 𝒕𝒐𝒕𝒂𝒍

17. There’s much more to it…
• Role explosion.
• When and how to initiate your RBAC program.
• Limitations of RBAC for PAM (Privileged Access Management).
• How RBAC may be complemented with other access control models (e.g. ABAC).
• Role hierarchies and role transitivity.
• Temporary roles (e.g. in projects).
• Temporal and dynamic roles.
• Relationship-based roles.
• Federation and cross organizational roles.
• Standards: OASIS, PERMIS, SAML, XACML, ANSI INCITS 359-2004.
• Roles delegation.
• Role ownership / role stewardship.

18. RBAC Value PropositionProducts&Services
Gain Creators
Pain Relievers Pains
CustomerJobs
Gains
Reference: Alex Osterwalder et al. (2015). Value Proposition Design - How to create products and services customers want.
Sticky notes: © Copyright Showeet.co.
Focus on the
business
Slow or
inconsistent
access
provisioning
Auditor
Auditability
Security
Employee
Transparency
HR
Speed
Unauthorized
access
Fraud
Mgmt
3rd Parties
Clients
Object
Consistency
Consistency
Accuracy

19. «If I have seen
further it is by
standing on the
sholders of
Giants.”
Isaac Newton, 1676
• Anderson (1994) Liability and computer security: Nine principles
• ANSI. (2004). ANSI INCITS 359-2004: Role Based Access Control.
• Benantar (2006). Access control systems: security, identity management and trust
models.
• Bertino and Takahashi (2011) Identity management: concepts, technologies, and
systems.
• Barker, S. (2009). The next 700 access control models or a unifying meta-model
• Brink (2015) How Managing Privileged Access Reduces the Risk of a Data breach.
• Coyne, E.J. and Davis, J.M. (2008). Role engineering for enterprise security management.
• Coyne, E., Weil, T.R. (2013). ABAC and RBAC: Scalable, Flexible, and Auditable Access
Management
• Crook et al. (2002) Security requirements engineering: when anti-requirements hit the
fan.
• Donaldson et al. (2018) Enterprise Cybersecurity Study Guide.
• Elliott, A.A. and Knight, G.S. (2010). Role Explosion: Acknowledging the Problem. , p.7.
• Ernst & Young (2013) Key considerations for your internal audit plan - Enhancing the risk
assessment and addressing emerging risks.
• Feltus, C., Petit, M. and Sloman, M. (2010). Enhancement of Business IT Alignment by
Including Responsibility Components in RBAC.
Bibliography (1/3)

20. • Ferraiolo, D.F., Barkley, J.F. and Kuhn, D.R. (1999). A role-based access control model
and reference implementation within a corporate intranet.
• Ferraiolo et al. (2007). Role-based access control. 2nd ed.
• Ferraiolo, D., Kuhn, R. and Sandhu, R. (2007). RBAC Standard Rationale: Comments on
‘A Critique of the ANSI Standard on Role-Based Access Control’.
• Gallaher et al. (2002). Planning Report 02-1: The Economic Impact of Role-Based Access
Control
• Gartner (2005) Consider Identity and Access Management as a Process, Not a
Technology.
• Gartner (2017) Best Practices for Privileged Access Management.
• Hall et al. (2005) Policies, Models, and Languages for Access Control
• Herda (1995). Non-repudiation: Constituting evidence and proof in digital cooperation.
• Giorgini, P. et al. (2006). Requirements engineering for trust management: model,
methodology, and reasoning.
• Huet (2015). Identity and Access Management - Data modeling.
• Kobelsky, K. (2013). A Conceptual Model for Segregation of Duties: Integrating Theory
and Practice for Manual and IT-based Processes. University of Michigan - Dearborn.
• Kobelsky (2014) Enhancing IT Governance With a Simplified Approach to Segregation of
Duties.
• Li, N., Bizri, Z. and Tripunitara, M.V. (2007) On Mutually-Exclusive Roles and Separation
Bibliography (2/3)
«If I have seen
further it is by
standing on the
sholders of
Giants.”
Isaac Newton, 1676

21. • Massacci et al. (2007) Computer-aided Support for Secure Tropos.
• Moses, S., Rowe, D.C. and Cunha, S.A. (2015). Addressing the Inadequacies of Role Based
Access Control (RBAC) Models for Highly Privileged Administrators: Introducing the SNAP
Principle for Mitigating Privileged Account Breaches.
• O’Connor and Loomis (2010). 2010 Economic Analysis of Role-Based Access Control - Final
Report. NIST.
• Osborn, S., Sandhu, R. and Munawer, Q. (2000). Configuring role-based access control to
enforce mandatory and discretionary access control policies.
• Osmanoglu, T.E. (2013). Identity and access management: business performance through
connected intelligence.
• Sandhu, R. et al. (1996). Role-Based Access Control Models.
• Sinclair and Smith (2008) Preventative Directions For Insider Threat Mitigation Via Access
Control
• Singleton, T.W., Singleton, A.J., (2010) Fraud Management.
• Stone, N. (2009). Simplifying Segregation of Duties​ - A targeted approach not only saves
money, but also allows auditors to focus on more high-risk areas. The IIA - Internal
Auditor.
• Wisegate (2012). Role Based Access Control: How-to Tips and Lessons Learned from IT
Peers
• Zhang, D. et al. (2014). Efficient Graph Based Approach to Large Scale Role Engineering
Bibliography (3/3)
«If I have seen
further it is by
standing on the
sholders of
Giants.”
Isaac Newton, 1676

22. Complementary slides

23. Control Depth
Business App
Report
Middleware
OS
Hypervisor
Out-of-band
Database ETL
Web Server
PAM
Security ServicesInfra Services
Physical Security
SDLC
UEFI
But it is much more rewarding to
embrace complexity and adopt a risk-
based approach
Queuing
Etc. Etc. Etc.
API
You may live a happy life
ticking boxes to scratch
the surface Report
AD LDAP Kerberos Radius
Federation Services

24. Foundational Metric: Unauthorization Detection Time
• Easy to collect and compute
• Must be complemented with: # of
uncontrolled systems
• More difficult but key enhancement:
resolution time instead of detection
time
• Auto-reconciliation is your friend
𝟑𝟔𝟓𝒚 + 𝟗𝟎𝒒 + 𝒅
𝒔
0
50
100
150
200
250
300
350
400
Averageanomalydetectiontime(indays)
Cost / Time / Effort
Law of diminishing returns

25. Ignorance-by-Design
The Need-to-Know Meme
• Not a principle, sometimes a dogma
• An excellent tool for strictly limited use cases
• Burden of proof inversion
• Inhibits collaboration, innovation
• As a general rule, we want information to flow
• What risk?
• What opportunity cost?

26. The Key is the IAM Team and its Skillset
IAM requires highly specialized skills across multiple disciplines
E.g. roles engineering
Aggressively develop the
hell out of your IAM staff!
team by Gwen Stacy, teach by Becris, win by Dev Patel from the Noun Project

27. • 50 years of academic research in
ARM/IAM/IAG/etc.
• Piles of cool books, case studies, articles
• Yet people keep on reinventing the
wheel
• Hypothesis: The NIH Syndrom
https://en.wikipedia.org/wiki/Not_invented_here
• Be lazy and stand on the shoulders of
giants
Are we in love with ignorance?