permissions are assigned to each user, such as read, write, delete, or add. Only users with those permissions are allowed to perform those functions. ACLs are simple to understand and maintain, but there are several drawbacks. The primary drawback is that each information resource is managed separately, so if a security administrator wanted to add or remove a user across a large set of information resources, it would be quite difficult. And as the number of users and resources increases, ACLs become harder to maintain. This has led to an improved method of access control, called role-based access control, or RBAC. With RBAC, instead of giving specific users access rights to an information resource, users are assigned to roles and then those roles are assigned the access. This allows the administrators to manage users and roles separately, simplifying administration and, by extension, improving security. The following image shows an ACL with permissions granted to individual users. RBAC allows permissions to be assigned to roles, as shown in the middle grid, and then in the third grid each user is assigned a role. Although not modeled in the image, each user can have multiple roles, such as Reader and Editor.
[Figure: Comparison of ACL and RBAC. Three grids: an Access Control List (permissions granted per user: smith, lee, knauven, mroberts, manderson), a Role-Based Access Control grid (permissions granted per role: Reader, Editor, Administrator), and a Role Assignments grid (each user assigned a role).]
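The maintenance difference the text describes can be made concrete with a small model of both schemes. The code below is an added example written for this page, not code from the textbook; the users, roles, resources and permission sets are constructed sample values modelled loosely on the figure. It shows that removing one user from fifty resources takes fifty separate edits under an ACL but a single edit under RBAC, and that a user holding several roles gets the union of their permissions.

```python
"""ACL vs. role-based access control (RBAC) modelled as plain Python data.

Added example for this page; not code from the textbook. All users,
resources, roles and permission sets below are constructed sample values.
"""

PERMISSIONS = {"read", "write", "delete", "add"}


class ACL:
    """Per-resource list: each resource maps user -> set of permissions."""

    def __init__(self):
        self.entries: dict[str, dict[str, set[str]]] = {}

    def grant(self, resource, user, perms):
        self.entries.setdefault(resource, {}).setdefault(user, set()).update(perms)

    def revoke_user(self, user):
        # Every resource must be visited separately; returns the number of edits made.
        touched = 0
        for users in self.entries.values():
            if users.pop(user, None) is not None:
                touched += 1
        return touched

    def is_allowed(self, resource, user, perm):
        return perm in self.entries.get(resource, {}).get(user, set())


class RBAC:
    """Roles carry permissions per resource; users are assigned roles."""

    def __init__(self):
        self.role_perms: dict[str, dict[str, set[str]]] = {}  # role -> resource -> perms
        self.user_roles: dict[str, set[str]] = {}             # user -> roles

    def define_role(self, role, resource, perms):
        self.role_perms.setdefault(role, {}).setdefault(resource, set()).update(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_user(self, user):
        # One edit, however many resources the user's roles cover.
        return 1 if self.user_roles.pop(user, None) is not None else 0

    def is_allowed(self, resource, user, perm):
        # A user with several roles gets the union of their permissions.
        return any(perm in self.role_perms[r].get(resource, set())
                   for r in self.user_roles.get(user, ()))


def build_sample():
    """Constructed sample: 50 documents, three roles, three users."""
    resources = [f"doc{i}" for i in range(1, 51)]
    acl, rbac = ACL(), RBAC()
    for res in resources:
        acl.grant(res, "smith", {"read"})
        acl.grant(res, "lee", {"read", "write", "add"})
        rbac.define_role("Reader", res, {"read"})
        rbac.define_role("Editor", res, {"read", "write", "add"})
        rbac.define_role("Administrator", res, PERMISSIONS)
    rbac.assign("smith", "Reader")
    rbac.assign("lee", "Editor")
    rbac.assign("knauven", "Administrator")
    return acl, rbac


def compare_offboarding(user="lee"):
    """Return (acl_edits, rbac_edits) needed to remove one user everywhere."""
    acl, rbac = build_sample()
    return acl.revoke_user(user), rbac.revoke_user(user)


if __name__ == "__main__":
    acl, rbac = build_sample()
    print("lee can write doc7:", acl.is_allowed("doc7", "lee", "write"),
          rbac.is_allowed("doc7", "lee", "write"))
    print("edits to remove lee (ACL, RBAC):", compare_offboarding("lee"))
```

The `revoke_user` counts are the point of the comparison: the ACL number grows with the number of resources, while the RBAC number stays at one, which is the administrative simplification the text credits with improving security.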
Sidebar: Password Security
Information Systems for Business and Beyond (2019) pg. 119
So why is using just a simple user ID and password not