Page 1025 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

FIGURE 14.2 Role Based Access Control


               This helps enforce the principle of least privilege by preventing
               privilege creep. Privilege creep is the tendency for users to accrue
               privileges over time as their roles and access needs change. Ideally,
               administrators revoke user privileges when users change jobs within
               an organization. However, when privileges are assigned to users
               directly, it is challenging to identify and revoke all of a user’s unneeded
               privileges.

               Administrators can easily revoke unneeded privileges by simply
               removing the user’s account from a group. As soon as an administrator
               removes a user from a group, the user no longer has the privileges
               assigned to the group. As an example, if a loan officer moves to
               another department, administrators can simply remove the loan
               officer’s account from the Loan Officers group. This immediately
               removes all the Loan Officers group privileges from the user’s account.

               Administrators identify roles (and groups) by job descriptions or work
               functions. In many cases, this follows the organization’s hierarchy
               documented in an organizational chart. Users who occupy
               management positions will have greater access to resources than users
               in a temporary job.

               RBAC is useful in dynamic environments with frequent personnel
               changes because administrators can easily grant multiple permissions
               simply by adding a new user to the appropriate role. It’s worth
               noting that users can belong to multiple roles or groups. For example,
               using the same bank scenario, managers might belong to the
               Managers role, the Loan Officers role, and the Tellers role. This allows
               managers to access all of the same resources that their employees can
               access.

               Microsoft operating systems implement RBAC with the use of groups.
               Some groups, such as the local Administrators group, are predefined.
               However, administrators can create additional groups to match the job
               functions or roles used in an organization.
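The following is an added example, not code from the study guide, that models the bank scenario above: users receive permissions only through role (group) membership, a user in several roles holds the union of those roles' permissions, and removing a user from a role revokes everything that role granted at once. It also shows the audit that directly assigned permissions make difficult: flagging grants that no current role justifies (privilege creep). The role names come from the text; the permission names, user names, and the `RBAC` class are assumptions made for this example.

```python
"""Minimal RBAC model for the bank example in the text.

Permissions flow to users only through role membership. Direct per-user
grants are modelled separately so the audit can show why they are the
source of privilege creep. All role, permission and user names below are
constructed for this example.
"""
from typing import Dict, Set

# Constructed role-to-permission map (role names from the text, permissions assumed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "Tellers": {"view_balance", "post_deposit"},
    "Loan Officers": {"view_credit_report", "approve_loan"},
    "Managers": {"override_limit"},
}


class RBAC:
    """Role-based access control: permissions are attached to roles, users to roles."""

    def __init__(self, role_permissions: Dict[str, Set[str]]) -> None:
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.members: Dict[str, Set[str]] = {r: set() for r in self.role_permissions}
        # Direct per-user grants bypass roles; this is the pattern that leads to creep.
        self.direct_grants: Dict[str, Set[str]] = {}

    def add_to_role(self, user: str, role: str) -> None:
        self.members[role].add(user)

    def remove_from_role(self, user: str, role: str) -> None:
        # Revocation is a single membership change; no per-permission cleanup needed.
        self.members[role].discard(user)

    def grant_directly(self, user: str, permission: str) -> None:
        self.direct_grants.setdefault(user, set()).add(permission)

    def roles_of(self, user: str) -> Set[str]:
        return {r for r, m in self.members.items() if user in m}

    def role_permissions_of(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.roles_of(user):
            perms |= self.role_permissions[role]
        return perms

    def effective_permissions(self, user: str) -> Set[str]:
        """Union of all role permissions plus any direct grants."""
        return self.role_permissions_of(user) | self.direct_grants.get(user, set())

    def audit_privilege_creep(self) -> Dict[str, Set[str]]:
        """Return, per user, direct grants that none of the user's current roles justify."""
        findings: Dict[str, Set[str]] = {}
        for user, perms in self.direct_grants.items():
            creep = perms - self.role_permissions_of(user)
            if creep:
                findings[user] = creep
        return findings


def bank_scenario() -> Dict[str, object]:
    """Walk through the loan-officer move and the manager-in-three-roles case."""
    rbac = RBAC(ROLE_PERMISSIONS)
    rbac.add_to_role("alice", "Loan Officers")
    for role in ("Managers", "Loan Officers", "Tellers"):
        rbac.add_to_role("bob", role)  # manager holds all three roles
    alice_before = rbac.effective_permissions("alice")
    # alice moves to another department: one membership change revokes everything.
    rbac.remove_from_role("alice", "Loan Officers")
    # carol was granted approve_loan directly during a temporary assignment
    # and never lost it; the audit flags it because her only role is Tellers.
    rbac.add_to_role("carol", "Tellers")
    rbac.grant_directly("carol", "approve_loan")
    return {
        "alice_before": alice_before,
        "alice_after": rbac.effective_permissions("alice"),
        "bob": rbac.effective_permissions("bob"),
        "creep": rbac.audit_privilege_creep(),
    }


if __name__ == "__main__":
    for key, value in bank_scenario().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Running the module prints alice's permissions before and after the move (the second set is empty), the union bob holds through three roles, and the creep finding for carol. The same audit idea carries over to a real directory: compare each account's effective rights against what its group memberships grant, and treat the difference as the revocation backlog.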




                          A distinguishing point about the RBAC model is that