How would you organize your information resources so that only authorized individuals, both internal and external, have access to the information they need, in order to carry out their job responsibilities?
This is a situation well suited to role-based access control. The individuals who need access to resources can usually be grouped by the set of permissions their work requires, and that set defines a role (Anderson, 2008). Roles can be defined for every group that is likely to need access, covering internal employees and contractors as well as external vendors and consultants.
Because permissions are attached to roles rather than assigned to individuals, changes are simple to make and simple to audit (Sandhu, 1998). If an employee moves to a different position, their role assignment is changed to match the new unit: that one change removes the access they no longer need and grants everything the new position requires. Likewise, a single assignment gives a new vendor access to the predetermined resources associated with their role, and nothing more.
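To make the role-change argument concrete, here is a small RBAC model written as an added example for this post; it is not code from the original post or from the cited works. The role names, the "resource:action" permission strings and the users are constructed for illustration. Permissions can only be reached through a role, so moving a user from one role to another is one operation that both removes the old accesses and grants the new ones, and every assignment and access check lands in an audit log.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample data (assumed for this example, not from the post):
# each role carries exactly the "resource:action" permissions its members need.
ROLE_PERMISSIONS = {
    "hr_analyst":      {"payroll:read", "hr_records:read", "hr_records:write"},
    "finance_analyst": {"payroll:read", "ledger:read", "ledger:write"},
    "vendor_support":  {"ticketing:read", "ticketing:write"},
}


@dataclass
class RBAC:
    """Users are mapped to roles, roles to permissions; there is deliberately
    no way to grant a permission to a user directly."""
    role_permissions: dict[str, set[str]]
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def _record(self, event: str, **details) -> None:
        self.audit_log.append(
            {"at": datetime.now(timezone.utc).isoformat(), "event": event, **details}
        )

    def assign_role(self, user: str, role: str) -> None:
        # Roles must be defined up front; an unknown role is a configuration error.
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)
        self._record("assign_role", user=user, role=role)

    def revoke_role(self, user: str, role: str) -> None:
        if role not in self.user_roles.get(user, set()):
            raise KeyError(f"{user!r} does not hold role {role!r}")
        self.user_roles[user].discard(role)
        self._record("revoke_role", user=user, role=role)

    def change_role(self, user: str, old_role: str, new_role: str) -> None:
        # A job move is one operation: the old accesses go, the new ones arrive.
        self.revoke_role(user, old_role)
        self.assign_role(user, new_role)

    def permissions_of(self, user: str) -> set[str]:
        # Effective permissions are derived from roles alone, never stored per user.
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def check(self, user: str, permission: str) -> bool:
        allowed = permission in self.permissions_of(user)
        self._record("access_check", user=user, permission=permission, allowed=allowed)
        return allowed


def demo() -> dict:
    """Walk through the two cases in the post: an internal job move and a new vendor."""
    rbac = RBAC(ROLE_PERMISSIONS)
    rbac.assign_role("alice", "hr_analyst")
    before = rbac.permissions_of("alice")
    rbac.change_role("alice", "hr_analyst", "finance_analyst")   # alice moves to finance
    after = rbac.permissions_of("alice")
    rbac.assign_role("acme_vendor", "vendor_support")            # new external vendor
    return {
        "alice_before": before,
        "alice_after": after,
        "alice_lost": before - after,
        "alice_gained": after - before,
        "vendor_can_read_tickets": rbac.check("acme_vendor", "ticketing:read"),
        "vendor_can_read_payroll": rbac.check("acme_vendor", "payroll:read"),
        "audit_events": [e["event"] for e in rbac.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The absence of a per-user grant method is the point: if an administrator can attach a permission straight to a user, the audit question "who can read payroll?" can no longer be answered from the role definitions, and role changes stop being complete. Any exception should be modelled as a (narrow) role of its own so it remains visible in the same log.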
Anderson, R. (2008). Security engineering: A guide to building dependable distributed systems. New York: Wiley.
Sandhu, R. S. (1998). Role-based access control. Advances in Computers, 46, 237-286.