Information Systems for Business and Beyond (2019)

permissions are assigned to each user, such as read, write, delete, or add. Only users holding a given permission are allowed to perform that function; anyone not listed is denied by default. ACLs are simple to understand and maintain, but they have several drawbacks. The primary one is that each information resource is managed separately, so if a security administrator wanted to add or remove a user across a large set of information resources, every list would have to be edited individually. As the number of users and resources grows, ACLs become harder to maintain and easier to get wrong, because a permission that should have been revoked can be left behind on some of the lists.

This has led to an improved method of access control, called role-based access control, or RBAC. With RBAC, instead of giving specific users access rights to an information resource, users are assigned to roles, and those roles are assigned the access. This allows administrators to manage users and roles separately: adding or removing a user is a single change to that user's role assignment, and a change to what a role may do takes effect for everyone in the role. That simplifies administration and, by extension, improves security, since access can be reviewed and revoked in one place. The benefit depends on the roles being well designed; if a separate role is created for every combination of permissions, the number of roles grows until they are as hard to manage as the individual lists were. The following image shows an ACL with permissions granted to individual users. RBAC allows permissions to be assigned to roles, as shown in the middle grid, and then in the third grid each user is assigned a role. Although not modeled in the image, each user can have multiple roles, such as Reader and Editor, and then holds the combined permissions of all of them.
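To make the administrative difference concrete, here is an added example (not code from the textbook) that implements a minimal ACL and a minimal RBAC model side by side. All user, resource and role names are constructed for the example; the permission names and the Reader/Editor/Administrator roles mirror the figure. The point to look at is revoke_user: in the ACL model it has to visit every resource's list, while in the RBAC model it is one change, and a user assigned both Reader and Editor gets the union of those roles' permissions.

```python
# Added example, not from the textbook. Users, resources and roles below are
# constructed sample data.

PERMISSIONS = frozenset({"read", "write", "delete", "add"})


def _check_perms(perms):
    unknown = set(perms) - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")


class ACL:
    """Access control list: every resource keeps its own user -> permissions map."""

    def __init__(self):
        self._lists = {}  # resource -> {user -> set(perms)}

    def grant(self, resource, user, *perms):
        _check_perms(perms)
        self._lists.setdefault(resource, {}).setdefault(user, set()).update(perms)

    def allowed(self, user, resource, perm):
        # Deny by default: an unknown resource or an unlisted user has no access.
        return perm in self._lists.get(resource, {}).get(user, ())

    def revoke_user(self, user):
        """Off-boarding a user means editing each resource's list separately.
        Returns the number of lists that had to be changed."""
        touched = 0
        for entries in self._lists.values():
            if entries.pop(user, None) is not None:
                touched += 1
        return touched


class RBAC:
    """Role-based access control: permissions attach to roles, users to roles."""

    def __init__(self):
        self._role_perms = {}  # role -> {resource -> set(perms)}
        self._user_roles = {}  # user -> set(roles)

    def grant(self, role, resource, *perms):
        _check_perms(perms)
        self._role_perms.setdefault(role, {}).setdefault(resource, set()).update(perms)

    def assign(self, user, *roles):
        unknown = set(roles) - set(self._role_perms)
        if unknown:
            raise ValueError(f"undefined role(s): {sorted(unknown)}")
        self._user_roles.setdefault(user, set()).update(roles)

    def allowed(self, user, resource, perm):
        # A user holding several roles (e.g. Reader and Editor) gets their union.
        return any(
            perm in self._role_perms[role].get(resource, ())
            for role in self._user_roles.get(user, ())
        )

    def revoke_user(self, user):
        """One assignment to remove, however many resources exist.
        Returns 1 if the user was assigned anything, else 0."""
        return 1 if self._user_roles.pop(user, None) is not None else 0


def build_example():
    """Populate both models with the same effective permissions (constructed data)."""
    resources = ["reports", "invoices", "wiki"]

    acl = ACL()
    for r in resources:
        acl.grant(r, "smith", "read", "write", "add")
        acl.grant(r, "lee", "read")
        acl.grant(r, "knauven", "read", "write", "delete", "add")

    rbac = RBAC()
    for r in resources:
        rbac.grant("Reader", r, "read")
        rbac.grant("Editor", r, "write", "add")
        rbac.grant("Administrator", r, "read", "write", "delete", "add")
    rbac.assign("smith", "Reader", "Editor")  # two roles: gets read + write + add
    rbac.assign("lee", "Reader")
    rbac.assign("knauven", "Administrator")
    return acl, rbac


if __name__ == "__main__":
    acl, rbac = build_example()
    print("smith can write reports (ACL):", acl.allowed("smith", "reports", "write"))
    print("smith can write reports (RBAC):", rbac.allowed("smith", "reports", "write"))
    print("ACL lists touched to remove smith:", acl.revoke_user("smith"))
    print("RBAC entries touched to remove smith:", rbac.revoke_user("smith"))
```

Note that the Editor role here grants only write and add; smith can read because smith also holds Reader. Splitting roles this way is what lets an administrator later change what every editor can do with one grant call, instead of editing each user on each resource.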

[Figure: three grids. Left, "Access Control List": individual users (smith, lee, knauven, mroberts and others) as rows, permissions as columns, with an X marking each permission granted to a user. Middle: the same permissions granted to the roles Reader, Editor and Administrator. Right: each user assigned one role.]
Comparison of ACL and RBAC

Sidebar: Password Security


So why is using just a simple user ID and password not
