(Page 1 of 2)
As with Auditing, this section revisits a topic we covered in greater detail, earlier in this book. We will briefly revisit it now.
The National Institute of Standards and Technology (NIST) states:
With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, and manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.
The NIST has a draft standard with a 51 page PDF that is available to study446.
RBAC is policy-oriented, yet policy neutral. (It doesnt dictate policies you must apply.)
Examples of RBAC can be found in Microsoft's Active Directory and Novels Directory Services.
Highlights of RBAC include:
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.