Role Based Access Control (RBAC) is the process of restricting every user’s access to a specific set of entitlements, across a pre-defined set of applications, as agreed by the various business and technical owners. Each user within a company is then assigned to a specific RBAC profile that suits their role and does not include any excessive authority or access.

RBAC is the most advanced form of IT security access control and easily the best practice to follow. However, achieving full RBAC within a company is very difficult, because of all the complexities involved in setting it up.

Once full RBAC is set up, all of the company’s main access control processes, such as Joiners, Leavers and Movers (JLM), become far more efficient, because a user’s access can be identified directly from their RBAC profile. RBAC is very flexible and gives companies a much clearer view of their access control model.
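The following is an added example (not code from the original post) of how a profile-driven JLM process can be expressed: role profiles define the agreed entitlements, the access delta for a joiner, mover or leaver is derived from those profiles, and any provisioned entitlement that no assigned role justifies is flagged as excessive access. The roles, applications and users are constructed sample data.

```python
"""Minimal RBAC model with Joiner/Mover/Leaver (JLM) checks (constructed example)."""
from dataclasses import dataclass, field

# Constructed role profiles: each role maps to the (application, permission)
# entitlements that the business and technical owners agreed for that role.
ROLE_PROFILES = {
    "payroll_clerk": {("hr_system", "read"), ("payroll_app", "submit")},
    "payroll_manager": {("hr_system", "read"), ("payroll_app", "submit"),
                        ("payroll_app", "approve")},
    "it_support": {("ticketing", "read"), ("ticketing", "write"),
                   ("ad_console", "reset_password")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    # What is actually provisioned in the applications, which may drift
    # from what the role profile says it should be.
    entitlements: set = field(default_factory=set)


def expected_entitlements(roles):
    """Union of the profiles for every role the user holds."""
    unknown = set(roles) - ROLE_PROFILES.keys()
    if unknown:
        raise ValueError(f"no RBAC profile defined for: {sorted(unknown)}")
    expected = set()
    for role in roles:
        expected |= ROLE_PROFILES[role]
    return expected


def excessive_access(user):
    """Entitlements provisioned to the user that no assigned role justifies."""
    return user.entitlements - expected_entitlements(user.roles)


def access_delta(current_entitlements, new_roles):
    """Return (grant, revoke) needed to move a user onto new_roles.

    Joiner: current_entitlements is empty, so everything is a grant.
    Mover:  both sets are non-empty; only the difference changes.
    Leaver: new_roles is empty, so everything is revoked.
    """
    target = expected_entitlements(new_roles)
    return target - current_entitlements, current_entitlements - target
```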

I have worked in companies and on projects where full RBAC has been achieved, and this has led to some of the tightest and most efficient IT security controls, from both a business and an audit perspective.

The setup of RBAC is a big task and can be approached in various ways; however, it all depends on the size of your company, including the number of identities (users) and applications there are.

My experiences within this area have allowed me to develop some key skills and business processes that can be used to help any organisation achieve a full RBAC setup.