PART 2 : ROLE-BAC & ATTRIBUTE-BAC

In today’s digital landscape, ensuring that the right people have the right access to the right resources at the right time is critical for security and efficiency. Two predominant access control models are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). We’ll explore how these models work in real-world scenarios and highlight their benefits and implementations. Let’s understand both with examples and scenarios.


Role-Based Access Control (RBAC) in Corporate Environment

In a typical software development company, different roles require different access levels to various resources. Let’s look at how RBAC helps manage these permissions efficiently.

ROLES USED:

  1. Software Developer
  2. Project Manager
  3. Quality Assurance Tester
  4. HR Manager
  5. System Administrator

ROLE-BAC IN THE COMPANY

1. ROLE DEFINITIONS:

  • Software Developer: Access to source code repositories, development environments, and project documentation.
  • Project Manager: Access to project management tools, team progress reports, and client communications.
  • QA Tester: Access to testing environments, bug tracking systems, and test documentation.
  • HR Manager: Access to employee records, payroll systems, and recruitment tools.
  • System Administrator: Access to all IT infrastructure, user management systems, and network configurations.

2. RESOURCE ACCESS:

  • Source Code Repositories: Restricted to software developers and system administrators.
  • Project Management Tools: Accessible by project managers, developers, and QA testers.
  • Testing Environments: Accessible by QA testers and developers.
  • Employee Records: Restricted to HR Managers and system administrators.
  • IT Infrastructure: Accessible only by system administrators.

EXAMPLE SCENARIOS

1. Software Developer Accessing Source Code:

  • Access Request: Alice, a software developer, wants to access the source code repository to commit new code.
  • Role Evaluated: Alice’s role as a Software Developer.
  • Decision: Access granted, because her role includes permissions to access the source code repository.

2. Project Manager Reviewing Team Progress:

  • Access Request: Bob, a project manager, wants to review the progress reports of the development team.
  • Role Evaluated: Bob’s role as a Project Manager.
  • Decision: Access granted, because his role includes permissions to view progress reports in the project management tools.

3. HR Manager Accessing Employee Records:

  • Access Request: Dave, an HR Manager, needs to update an employee’s payroll information.
  • Role Evaluated: Dave’s role as an HR Manager.
  • Decision: Access granted, because his role includes permissions to access and modify employee records.

4. QA Tester Configuring Network Settings:

  • Access Request: Carol, a QA tester, tries to access the network configuration settings to troubleshoot a connectivity issue in the testing environment.
  • Role Evaluated: Carol’s role as a QA Tester.
  • Decision: Access denied, because Carol’s role is centered around testing and reporting bugs. Network configuration changes are a responsibility of the system administrators, to prevent accidental or unauthorized alterations to the company’s IT infrastructure.
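
The corporate RBAC policy described above, coded as an added example (not code from the original post); the user names, resource keys and the `assign_role` / `permissions_for` helpers are constructed for illustration:

```python
# Added illustrative RBAC policy engine for the corporate scenario
# (example code, not from the original post). Users and resource keys are constructed.

# Resource -> roles allowed, mirroring the "Resource Access" list.
RESOURCE_ROLES = {
    "source_code": {"Software Developer", "System Administrator"},
    "project_management_tools": {"Project Manager", "Software Developer", "QA Tester"},
    "testing_environments": {"QA Tester", "Software Developer"},
    "employee_records": {"HR Manager", "System Administrator"},
    "it_infrastructure": {"System Administrator"},
    "network_configuration": {"System Administrator"},   # part of IT infrastructure
}

# User -> roles assigned to them (constructed sample users).
USER_ROLES = {
    "alice": {"Software Developer"},
    "bob": {"Project Manager"},
    "carol": {"QA Tester"},
    "dave": {"HR Manager"},
}

def assign_role(user: str, role: str) -> None:
    """Onboarding is just a role assignment; refuse roles the policy does not know."""
    known = set().union(*RESOURCE_ROLES.values())
    if role not in known:
        raise ValueError(f"unknown role {role!r}")
    USER_ROLES.setdefault(user, set()).add(role)

def authorize(user: str, resource: str) -> tuple[bool, str]:
    """Deny-by-default check: grant only if one of the user's roles is on the
    resource's allow list. Unknown users or resources are denied, not errors."""
    allowed = RESOURCE_ROLES.get(resource)
    if allowed is None:
        return False, f"denied: unknown resource {resource!r}"
    roles = USER_ROLES.get(user, set())
    matched = roles & allowed
    if matched:
        return True, f"granted: role {sorted(matched)[0]!r} permits {resource!r}"
    return False, f"denied: roles {sorted(roles)} cannot access {resource!r}"

def permissions_for(user: str) -> list[str]:
    """Reverse view for access reviews: every resource a user can currently reach."""
    return sorted(r for r in RESOURCE_ROLES if authorize(user, r)[0])

if __name__ == "__main__":
    for user, resource in [("alice", "source_code"), ("bob", "project_management_tools"),
                           ("dave", "employee_records"), ("carol", "network_configuration")]:
        print(user, resource, *authorize(user, resource))
```

The `permissions_for` view is what an access review uses to confirm each role still holds only what it needs.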

BENEFITS OF ROLE-BAC IN THE SCENARIO

  • Simplicity: Managing permissions based on roles rather than individual users simplifies the administration process.
  • Scalability: As the company grows, new employees can be easily assigned to existing roles without the need to configure access permissions individually.
  • Security: By restricting access to only those resources necessary for each role, the risk of unauthorised access is minimised.

Attribute-Based Access Control (ABAC) in a Healthcare Environment

In a healthcare setting, access control must be both flexible and dynamic to accommodate the varied needs of medical staff and ensure the security of sensitive patient data. ABAC is particularly well-suited for this environment.

ATTRIBUTES USED:

  1. User Attributes: Role (Doctor, Nurse, Administrative Staff), department (Cardiology, Pediatrics), and clearance level.
  2. Resource Attributes: Sensitivity of patient data (General, Restricted, Highly Restricted), type of medical record (Current Treatment, Historical Data).
  3. Environmental Attributes: Time of day, location (on-site, remote access), and emergency status (normal, emergency).

ATTRIBUTE-BAC IN THE HOSPITAL

1. USER ATTRIBUTES:

  • Doctor: High clearance, access to all patient data relevant to their department.
  • Nurse: Medium clearance, access to patient data for current treatment in their department.
  • Administrative Staff: Low clearance, access to non-sensitive patient information like appointment schedules.

2. RESOURCE ATTRIBUTES:

  • General Data: Basic patient information accessible to most staff.
  • Restricted Data: Detailed medical records accessible to healthcare providers directly involved in the patient’s care.
  • Highly Restricted Data: Sensitive information (e.g., psychiatric records) accessible only to specific roles with explicit authorisation.

3. ENVIRONMENTAL ATTRIBUTES:

  • Time of Day: Access policies might be stricter outside of regular working hours.
  • Location: Access from within the hospital might be less restricted than remote access.
  • Emergency Status: During emergencies, some access restrictions may be relaxed to provide immediate patient care.

EXAMPLE SCENARIOS

1. Doctor Accessing Patient Data During Normal Hours:

  • Access Request: Dr. Smith, a cardiologist, wants to access a patient’s cardiology records.
  • Attributes Evaluated: Dr. Smith’s role (Doctor), department (Cardiology), high clearance level, the data’s sensitivity (Restricted), current time (3 PM), and location (on-site).
  • Decision: Access granted because all attributes match the required conditions for accessing restricted patient data.

2. Nurse Accessing Patient Data During an Emergency:

  • Access Request: Nurse Jane in the Pediatrics department needs access to a patient’s full medical history during an emergency.
  • Attributes Evaluated: Nurse Jane’s role (Nurse), department (Pediatrics), medium clearance level, the data’s sensitivity (Highly Restricted), current time (10 PM), and emergency status (emergency).
  • Decision: Access granted due to the emergency status, which temporarily elevates access permissions to ensure patient care.

3. Administrative Staff Accessing Appointment Schedules:

  • Access Request: Administrative assistant Sam wants to access patient appointment schedules.
  • Attributes Evaluated: Sam’s role (Administrative Staff), low clearance level, the data’s sensitivity (General), current time (11 AM), and location (on-site).
  • Decision: Access granted because the requested information is general and within Sam’s access rights.

4. Administrative Staff Attempting Remote Access to Patient Data:

  • Access Request: Administrative assistant Sam tries to access detailed patient data remotely from home.
  • Attributes Evaluated: Sam’s role (Administrative Staff), low clearance level, the data’s sensitivity (Restricted), current time (9 PM), and location (remote access).
  • Decision: Access denied because the combination of low clearance level, restricted data, and remote access does not meet the necessary conditions for granting access. Additionally, Sam’s role does not require access to detailed patient data, especially from a remote location.
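
The hospital ABAC policy above, coded as an added example (not code from the original post). The clearance and sensitivity orderings, the 08:00 to 17:59 working hours, the rule that remote access is limited to General data, and the break-glass emergency rule for clinical roles are all assumptions made to turn the four scenarios into a deny-by-default policy:

```python
from dataclasses import dataclass

# Ordered levels so the policy can compare clearance against sensitivity (assumed).
CLEARANCE = {"Low": 1, "Medium": 2, "High": 3}
SENSITIVITY = {"General": 1, "Restricted": 2, "Highly Restricted": 3}
CLINICAL_ROLES = {"Doctor", "Nurse"}
WORKING_HOURS = range(8, 18)          # assumed regular hours, 08:00-17:59

@dataclass(frozen=True)
class Request:
    # user attributes
    role: str
    department: str
    clearance: str
    # resource attributes
    sensitivity: str
    record_department: str
    # environmental attributes
    hour: int                         # 0-23
    location: str                     # "on-site" or "remote"
    emergency: bool = False

def evaluate(req: Request) -> tuple[bool, str]:
    """Deny-by-default ABAC decision for the hospital policy described above."""
    need = SENSITIVITY[req.sensitivity]
    have = CLEARANCE[req.clearance]
    dept_ok = req.department == req.record_department
    in_hours = req.hour in WORKING_HOURS
    note = ""
    # Emergency status temporarily elevates clinical staff (assumed break-glass rule):
    # treat them as High clearance and waive department/time checks, but flag for audit.
    if req.emergency and req.role in CLINICAL_ROLES:
        have, dept_ok, in_hours = CLEARANCE["High"], True, True
        note = " (emergency override, audit this access)"
    # Environmental attribute: remote access is assumed to be limited to General data.
    if req.location == "remote" and need > SENSITIVITY["General"]:
        return False, "denied: non-general data is not available remotely"
    if have < need:
        return False, f"denied: {req.clearance} clearance is below {req.sensitivity}"
    # Restricted data and above must belong to the requester's own department.
    if need >= SENSITIVITY["Restricted"] and not dept_ok:
        return False, "denied: record belongs to another department"
    # Outside regular hours, Highly Restricted data needs explicit authorisation.
    if need == SENSITIVITY["Highly Restricted"] and not in_hours:
        return False, "denied: highly restricted data outside working hours"
    return True, "granted" + note

if __name__ == "__main__":
    smith = Request("Doctor", "Cardiology", "High", "Restricted", "Cardiology", 15, "on-site")
    sam = Request("Administrative Staff", "Admin", "Low", "Restricted", "Cardiology", 21, "remote")
    print(evaluate(smith), evaluate(sam))
```

Note that the emergency branch still returns a decision string marking the override, so a logging layer can treat break-glass grants as events to review rather than silently accepting them.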

BENEFITS OF ATTRIBUTE-BAC IN THE SCENARIO

  • Granular Control: By considering multiple attributes, the hospital can finely tune who accesses what data, under which circumstances.
  • Dynamic Adjustment: Access can adapt in real-time to changes in context, such as emergencies, ensuring flexibility without compromising security.
  • Enhanced Security: Reduces the risk of unauthorized access by requiring specific conditions to be met for sensitive information.

CONCLUSION

RBAC in a corporate environment and ABAC in a healthcare setting demonstrate the flexibility and effectiveness of these access control models. RBAC provides a straightforward and scalable approach to managing permissions based on predefined roles, while ABAC offers granular, dynamic access control based on a comprehensive set of attributes.

Both models have their strengths and are suited to different environments and requirements. Understanding these differences and how to implement them effectively can significantly enhance an organization’s security posture and operational efficiency.
