For centuries, traditional access control methods (like the conventional lock and key) have been in use for basic security needs. However, they have limitations when there are many users and different users need access to different sets of doors. Modern electronic Physical Access Control Systems (PACS) came into existence a few decades back to make access control a lot more secure and convenient. Since then, many access rights provisioning methodologies have evolved to make it safer and more administration friendly. Some of them are Role-based, Discretionary, Mandatory, and Rule-based. The most popular of these is Role-based, though a modern PACS may combine several of them. For example, IDCUBE's Access360 access control platform uses a combination of Role-based, Rule-based and Discretionary access control to handle complex user requirements for securing critical facilities. This blog explains Role-based access control for PACS.
What is Role-based access control (RBAC)?
RBAC is a policy-neutral access control technique that grants or restricts a user's access according to a predefined "access group" created for their role, job competence or authority. The administrator may not have the privilege to alter these access groups. An access group is a combination of doors and the time and holiday schedules during which a user may gain access to them.
Let's consider the following example: A super-administrator forms access groups called "General" and "All-access". The "General" access group includes access rights to areas such as the main entrance, canteen, lounge and operations, whereas "All-access" provides access rights to all the doors of a facility (including the server room, VIP meeting rooms, conference rooms etc.). The facility manager may then assign the "General" access group to regular employees and "All-access" to senior management.
RBAC models:
RBAC offers a much-needed upgrade to a basic discretionary access control system, where the admin assigns access permissions to a set of doors in a discrete manner. Let's have a look at the following models of RBAC, which contribute to its popularity in PACS.
RBAC 1: Here, a manager assigns access rights to individuals as per the organization's role hierarchies. The role hierarchies signify the authority and responsibility of an individual within the organization.
An individual in a senior role may have the door access privileges available to a person in a junior role, but not vice versa. A person with a junior role automatically gets the access groups pertaining to the junior role. In contrast, a person with a senior role gets the access groups corresponding to junior positions as well as the access groups belonging to senior roles.
RBAC 2: This type of RBAC introduces the concept of constraints. According to RBAC 2, a manager can impose a constraint on access privileges in an organization. He/she can use it to control membership of a particular access group by limiting the number of individuals that can be mapped to that access group. E.g. an access group with a membership limit of 1 can be assigned to only one individual.
RBAC 3: RBAC 3 is the most complex type, combining both RBAC 1 and RBAC 2. As per this model, constraints can be imposed on hierarchy levels within an organization. For example, junior roles can be constrained from being assigned access groups of senior roles even if the membership limit has not reached the maximum value. The complexity of RBAC 3 makes it highly effective and secure.
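The three models can be seen working together in a short sketch. This is an added example, not code from the article or from any PACS product; the `ROLES` list, the `Pacs` class and the membership-limited "Vault" group are assumptions made for illustration, and time and holiday schedules are left out to keep the focus on hierarchy and constraints.

```python
from dataclasses import dataclass, field
from typing import Optional
ROLES = ["junior", "senior"]  # RBAC 1 hierarchy, lowest first (constructed sample)

@dataclass
class AccessGroup:
    name: str
    role: str                    # role this group belongs to
    doors: frozenset
    limit: Optional[int] = None  # RBAC 2 membership limit; None means unlimited
    members: set = field(default_factory=set)

class Pacs:
    def __init__(self, groups):
        self.groups = {g.name: g for g in groups}
        self.roles = {}          # user -> role

    def enroll(self, user, role):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.roles[user] = role

    def assign(self, user, group_name):
        """Explicitly map a user to a group, enforcing both constraints (RBAC 3)."""
        g = self.groups[group_name]
        # Hierarchy constraint comes first: a free slot never helps a junior.
        if ROLES.index(self.roles[user]) < ROLES.index(g.role):
            raise PermissionError(f"{user}: role is below '{g.role}'")
        full = g.limit is not None and len(g.members) >= g.limit
        if full and user not in g.members:
            raise PermissionError(f"{group_name}: membership limit reached")
        g.members.add(user)

    def doors(self, user):
        """Doors from inherited unlimited groups plus explicit memberships."""
        rank = ROLES.index(self.roles[user])
        allowed = set()
        for g in self.groups.values():
            inherited = g.limit is None and ROLES.index(g.role) <= rank
            if inherited or user in g.members:
                allowed |= g.doors
        return allowed

def build_sample():  # constructed facility; group names echo the article's example
    return Pacs([
        AccessGroup("General", "junior", frozenset({"main entrance", "canteen"})),
        AccessGroup("All-access", "senior", frozenset({"main entrance", "canteen", "server room"})),
        AccessGroup("Vault", "senior", frozenset({"vault"}), limit=1),
    ])
```

Groups without a limit are inherited automatically down the hierarchy, while limited groups require an explicit `assign` call that can be refused on either constraint.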
The implication of RBAC on PACS: Advantages and Disadvantages
Advantage: RBAC is secure and efficient, allowing an organization's administrative body to manage users' access solely based on their work responsibilities, job competence, or authority. An admin can easily switch roles and assign predefined access group(s) to a user. Thus, RBAC reduces the complexity of the system and the workload of the admin. It also reduces the scope for errors during the assignment of access permissions, which in turn maximizes operational efficiency.
Disadvantage: RBAC offers less flexibility when a user needs access to a specific door as an exception to his or her role. In that case, a new access group must be created in the system, for which a facility manager may not have the requisite privilege.
To conclude, it is pretty evident that even the simplest form of RBAC is a definite improvement over traditional access control methods. Its complexity allows organizations to benefit from an access control system that provides them with simplified administrative processes, enhanced security and integrity, reduced new employee downtime, and simplified regulatory compliance.