6

According to NIST, RBAC models are the most widely used schemes among enterprises of 500 or more. What happens if the size of the enterprises are much larger in number of individuals involved. In other words, what are the main disadvantages of RBAC models?

schroeder
  • 123,438
  • 55
  • 284
  • 319
user505
  • 61
  • 1
  • 1
  • 2
  • When you get up to 500-odd people, you need most of the "big organisation" procedures, so there's not so much difference when you scale up further. – paj28 Feb 14 '17 at 18:05

3 Answers3

6

The main disadvantage of RBAC is what is most often called the 'role explosion': due to the increasing number of different (real world) roles (sometimes differences are only very minor) you need an increasing number of (RBAC) roles to properly encapsulate the permissions (a permission in RBAC is an action/operation on an object/entity). Managing all those roles can become a complex affair.

Because of the abstraction choices that form the foundation of RBAC, it is also not very well suited to manage individual rights, but this is typically deemed less of a problem.

The typically proposed alternative is ABAC (Attribute Based Access Control). ABAC has no roles, hence no role explosion. Yet, with ABAC, you get what people now call an 'attribute explosion'. The two issues are different in the details, but largely the same on a more abstract level. (A cynic might point to the market saturation for RBAC solutions and the resulting need for a 'newer' and 'better' access control solution, but that's another discussion.)

Jacco
  • 7,402
  • 4
  • 32
  • 53
  • 1
    Expanding on the role explosion (ahem)... one artifact is that roles tend not to be hierarchical so you end up with a flat structure of roles with esoteric naming like Role_Permission_Scope. As such they start becoming about the permission and not the logical role. – Steve Feb 15 '17 at 14:19
  • Hierarchical RBAC is one of the four levels or RBAC as defined in the RBAC standard set out by NIST. Most people agree, out of the four standard levels, the Hierarchical one is the most important one and nearly mandatory if for managing larger organizations. – Jacco Feb 15 '17 at 14:51
  • I should have prefaced with 'in practice', meaning in most large organizations I've worked with over the years. – Steve Feb 15 '17 at 15:17
0

There are different issues with RBAC but like Jacco says, it all boils down to role explosions.

RBAC is:

  • identity-centric i.e. it focuses on the user identity, the user role, and optionally the user group
  • typically entirely managed by the IAM team
  • admin-time: roles and permissions are assigned at administration time and live for the duration they are provisioned for.

What's not so good with RBAC?

  • it is coarse-grained. If you have a role called doctor, then you would give the doctor role a permission to "view medical record". That would give the doctor the right to view all medical records including their own. This is what leads to role explosion
  • it is static. RBAC cannot use contextual information e.g. time, user location, device type...
  • it ignores resource meta-data e.g. medical record owner.
  • it is hard to manage and maintain. Very often, administrators will keep adding roles to users but never remove them. You end up with users that dozens if not hundreds of roles and permissions
  • it cannot cater to dynamic segregation-of-duty.
  • it relies on custom code within application layers (API, apps, DB...) to implement finer-grained controls.
  • Access reviews are painful, error-prone and lengthy

Is ABAC the solution?

ABAC - Attribute-Based Access Control - is the next-generation way of handling authorization. It is driven by the likes of NIST and OASIS as well as open-source communities (Apache) and IAM vendors (Oracle, IBM, Axiomatics).

ABAC can be see as authorization that is:

  • Externalized: Access control is externalized from the business logic
  • Centralized: Access control policies are maintained centrally
  • Standardized: Access control policies use XACML, the eXtensible Access Control Markup Language, the standard defined by OASIS and implemented by most ABAC solutions
  • Flexible: ABAC can be applied to APIs, databases, and more
  • Dynamic: Access decisions are made dynamically at runtime
  • Context-based / Risk-based: ABAC can take time, location, and other contextual attributes into account when reaching decisions.

ABAC provides:

  • an architecture with the notion of a policy decision point (PDP) and policy enforcement point (PEP)
  • a policy language (XACML)
  • a request / response scheme (JSON/XACML)
David Brossard
  • 1,360
  • 7
  • 16
  • 1
    RBAC *does* include dynamic SOD (separation of duty). – Jacco Feb 15 '17 at 08:45
  • Also, the first four (Externalized, Centralized, Standardized & Flexible) characteristics you mention for ABAC are equally applicable and the fifth (Dynamic) is partially applicable to RBAC. The context-based part is what sets ABAC appart from RBAC, but this comes at the cost of severely hampering auditability. – Jacco Feb 15 '17 at 08:51
  • @Jacco RBAC does not include dynamic SoD. It is a fallacy to claim so. I know lots of papers write it but it is just not true. We have so many instances of customers failing on SoD because of dynamic SoD rules. Standardized is not applicable to RBAC. It has a model but no implementation language. Externalized is not entirely true of RBAC because it only externalize role management and role assignment but not the actual authorization logic which you still have to write in code. – David Brossard Feb 15 '17 at 13:59
  • I don't know what your definition of dynamic SoD is, but it is part of the NIST standard and many implementations support it. – Jacco Feb 15 '17 at 14:49
  • Runtime dynamic and standardized – David Brossard Feb 15 '17 at 15:14
  • I don't understand the downvotes here... – David Brossard Jan 21 '21 at 17:21
-1

Role based access control is an access control policy which is based upon defining and assigning roles to users and then granting corresponding privileges to them.

Disadvantages:

Following are the disadvantages of RBAC (Role based access model):

  1. If you want to create a complex role system for big enterprise then it will be challenging as there will be thousands of employees with very few roles which can cause role explosion.

  2. Using RBAC, some restrictions can be made to access certain actions of system but you cannot restrict access of certain data.

  3. The permissions and privileges can be assigned to user roles but not to operations and objects.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Sundus Zehra
  • 1
  • 1
    #1 is mentioned by the other answers, #2 is possible, which is why you end up with explosion, #3 is not true (objects can have roles) – schroeder Nov 03 '19 at 14:52