RBAC – a.k.a. Role Based Access Control – offers control of access based on the role of a consumer. It’s probably one of the most common authorization methodologies employed today, but isn’t always the easiest thing to get right!
What is Role Based Access Control?
Role Based Access Control – more commonly known as RBAC – is a widely used access control method that provides for restriction based on the Role assigned to a user. An RBAC model is typically utilized as a general purpose mechanism for defining the permissions required to enable access authorization.
What is a Role?
In the context of RBAC, a Role describes something that a user is part of – such as the Role a user is assigned as part of the organization they work for. In other words, RBAC refers to the assigning of permission(s) based on the more manageable idea of a Role – which may have more than one user as a member – rather than the frequently error prone approach of assigning permission(s) to users individually.
How can Roles be ascribed?
The NIST Model for Role-Based Access Control: Towards a Unified Standard, essentially defines four levels of ascription, organized in sequence of increasing functional capabilities: Flat RBAC – where users are assigned to one or more roles and, by virtue, acquire the permission(s) belonging each; Hierarchical RBAC – which adds the dimension of role hierarchies; Constrained RBAC – which further adds the notion of enforcement by separation of duty; and Symmetric RBAC – which adds a requirement for the periodic review of role permission and user role assignment.
What is Role Explosion?
Role Explosion happens when the level of granularity needed for access control is too detailed; essentially, where multiple Roles need to be modelled in order to satisfy fine-grained access requirements. It’s one of the most common problems associated with RBAC, and – together with the complexities often encountered when translating enterprise organizational structures into an RBAC model – is considered to be one of the main drawbacks of using the RBAC approach.
How can Role Explosion be managed?
Arguably, Role Explosion is best managed by ascertaining the suitability of using an RBAC model in the first instance. Of course, that’s not always possible to do, and a seemingly simple set of access control requirements can easily get more complex over time. Having the ability to easily leverage an alternative model – such as ReBAC – either wholly or in part and without needing to make massive changes to your code, can offer an effective solution to the problem.
Build it yourself?
You could build support in-house, yourself. That’s true. Click on the image to read more about doing just that, and watch my related webinar recording here. If your team has the resources, time, capacity, knowledge, and expertise in developing SSO; deploying Attack Protection; leveraging OIDC and/or SAML for Authentication, Social and/or Enterprise Federation; implementing Passwordless and/or MFA, and/or (optionally) OAuth 2.0 for API Authorization – then it’s definitely an option. But what if there was a better way?
Role Based Access Control…
With Auth0, utilize a pre-built comprehensive mechanism for creating RBAC policies that can be leveraged in the applications and APIs you provide. Enabled by Auth0 Universal Login, easily define Roles and Permissions, whilst leveraging additional features for user authentication like SSO, Social, Enterprise Federation and MFA.
…straight out of the box
Whether you’re building for B2C, B2B, or some combination, Auth0 RBAC gives you complete control out-of-the-box. And via the Authentication API, you can build workflows for solutions that tackle the more complex use case scenarios – all whilst leveraging the full power of the platform at the same time.
Adapt with MFA
Employ Adaptive MFA to add additional authentication factor(s), using intelligent MFA that dynamically fits to customer behaviors. All whilst satisfying your business needs.
Flat Claims and Attributes
Add Flat RBAC permissions as custom Claims to the JWT format tokens used as part of Auth0’s support for OIDC and OAuth 2.0. Or as custom Attributes when using Auth0 SAML assertions.
Integrate with ease
With a variety of out-of-box options provided by a wide range of SDKs, you can build an initial integration with Auth0, written in any programming language and supporting any technology stack, in a matter of hours. Click on the image to visit the Auth0 SDK website and discover how to integrate with ease.
Read more about it on the Auth0 Blog
Read the Auth0 Blog, and follow the example provided to learn more about integrating Auth0 RBAC in your Ruby API.
Stay informed
Helpful Identity & Access Management articles that are timely and relevant, whatever your level of experience. Whether you prefer to learn by reading, listening, watching videos, cloning repos, copying code, or attending a workshop or conference: content is everywhere and made for developers like you. Click on the image to subscribe to the newsletter today!
Begin the journey…
Sign up here, and create a free Auth0 Tenant to begin your journey. Play with prototyping an integration of your existing code – or develop something new; experience the Okta Customer Identity Cloud, powered by Auth0, in a way that best suits you.
…or try a Demo.
If you’re looking for some inspiration, why not take a look at some of the pre-build demos at demo.okta.com – where you can test-drive sample integrations for both the Okta Customer Identity Cloud and the Okta Workforce Identity Cloud too!
