Role-Based Access Control (RBAC) Explained: How it works and when to use it

Captions
Hello. Today we'll talk about role-based access control, or RBAC. What is role-based access control? What is it good for? Why is it good, actually, for enterprises? We look into the model and we look into some of the relationships that this model is using, and I'll explain a little bit how RBAC works and how it can be useful for you in an organization.

RBAC is part of something that is a little bit, I would say, bigger concept of identity and access management, IAM. RBAC is not about identifying users or authenticating users; it's about managing access. Managing access always starts with: you have some capabilities that are in some shape or form access controlled. You want to control who has access to those capabilities. How do you do that? It all starts with those capabilities, in RBAC as in many other systems. The next level then is a permission.

Now let's look at an example. One example of a capability could be to say you have a database that has order data for customers, and you don't want everybody to access orders, because maybe this is something that is considered private information, so not everybody should be able to just look into the orders of customers. So you have a permission that says: this is a permission that somebody needs in order to access that capability, the order data. So now you have something in place for how you can control access to this capability, by this capability requiring that permission to be presented. What's special about role-based access control now is that this permission is granted to a role, meaning that there's a certain role that then has this permission, which gives access to the capability. So such a role could be something, let's say, like a customer representative. A customer representative is supposed to help customers, so they probably need to look into, let's say, the open orders of a customer, and therefore this role of a customer representative then gets this permission of accessing order information. And the last step then is that there are actual users who play that role.

And this is where you can see how well this works in large enterprises, because in large enterprises you often have many people playing the same role, and instead of having to individually grant permissions to all these people, instead you grant the permissions to a role and then you just say all these people then play this role. And vice versa, if you have people leaving, you just remove the role from those people. Let's say they are transitioning to a different role within the organization. So instead of having to go to the capabilities and removing access for this user, and step through all the capabilities they had access to, all you do is: this user is not playing this role anymore, and then they don't get access anymore to all the things they had access to before. And this is what makes access control with RBAC so nicely scalable for large organizations.

In order for it to work well, we can also look in a little bit more detail into the relationships that should be supported by an RBAC model. So now we go top down. So a user, any, let's say, employee within the organization, not just plays a role; they can also play multiple roles. In any organization you can have multiple responsibilities, multiple roles, and an RBAC model should be able to simply support that by saying any user can have one or more roles. And this again allows you to say, well, this user is not playing that role anymore, and then you just remove that role from that user, but they're still playing the other roles, and again this makes things nice and scalable. The same relationship holds true between roles and permissions. So let's say the role is that of a customer representative, and a permission then could be something like getting access to the order data, but it also could be something like getting access, let's say, to the history of interactions with that customer. You could see something like, oh, you called us last week, and last week we resolved your issue, and that's another thing maybe that a customer representative should be able to do. So in that case what you can see is also that a role often implies multiple permissions, so this is something that also should be supported. And last but not least, every permission also may affect multiple capabilities. So if we look at this permission of, let's say, getting access to order data, you might also say this is not just access to order data in one system which, let's say, manages the current orders; it may also be a permission that affects a different system that has historical data about orders, or a system that has tracking data about orders. And in that case that permission could affect multiple capabilities, meaning that if you get that permission for your role, then you now have access to all the places where you can find relevant information about orders.

And that's it. I gave you a brief overview of what RBAC looks like. Let's just look at the summary of this. So RBAC really is about enterprise-level access control. So this level of a role really makes it nicely scalable, because multiple people can play multiple roles and you can have many people playing one role, and this is really what makes it so well scalable for large organizations. It is really important to think hard about how you manage roles and permissions. In large organizations you will have many roles and you will have many permissions, and of course you will have many capabilities, so it still will be a complex thing to manage, but RBAC gives you a good starting point. But always take a step back and think about: am I using it right? You can also use RBAC, like anything, in a pretty bad way, so it's always important to think about how do I use the role and permission model in the best possible way. And the last thing I would like to point out: like anything, RBAC is not the right way to do access management; it's just a popular way of doing it. There are simpler ways, traditional access control lists; there are more complex ways, such as attribute-based access control, which is more powerful but also more complex. And RBAC is somewhere in the middle of this spectrum and seems to be something that works well for many organizations today. So if you are interested in RBAC, it's definitely good to think about: does it work for me? But it's also always important to think about: if it doesn't work well for me, maybe I should use an alternative.

And with that I'm done. Thanks a lot for listening. If you're interested in the slides, they're online; I will link to the slides from the description of this video. If you found this video useful, please consider subscribing. You can find me of course in this channel; you can also find me on Twitter and LinkedIn. I hope you liked it. Until next time, all the best. Bye.
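The four-level model the talk describes (users play roles, roles are granted permissions, permissions guard capabilities, every link many-to-many), written out as an added example that is not from the video or its slides. The role, permission and capability names, and the users alice and bob, are constructed sample data; the `who_can_access` access-review helper is my addition to show what the model buys a defender.

```python
from collections import defaultdict


class Rbac:
    """Minimal RBAC model: user -> roles -> permissions -> capabilities."""

    def __init__(self) -> None:
        self.perm_caps = defaultdict(set)   # permission -> capabilities it unlocks
        self.role_perms = defaultdict(set)  # role -> permissions granted to it
        self.user_roles = defaultdict(set)  # user -> roles the user plays

    def guard(self, capability: str, permission: str) -> None:
        """The capability requires this permission to be presented."""
        self.perm_caps[permission].add(capability)

    def grant(self, role: str, permission: str) -> None:
        self.role_perms[role].add(permission)

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        # Offboarding or role change: one removal cuts every capability that
        # was reachable only through this role, no per-capability cleanup.
        self.user_roles[user].discard(role)

    def capabilities_of(self, user: str) -> set:
        caps = set()
        for role in self.user_roles.get(user, set()):
            for perm in self.role_perms.get(role, set()):
                caps |= self.perm_caps.get(perm, set())
        return caps

    def can_access(self, user: str, capability: str) -> bool:
        return capability in self.capabilities_of(user)

    def who_can_access(self, capability: str) -> set:
        """Access review: which users currently reach this capability?"""
        return {u for u in self.user_roles if self.can_access(u, capability)}


def build_example() -> Rbac:
    """Constructed data mirroring the talk's customer-representative example."""
    rb = Rbac()
    # One permission affects several capabilities (current, historical, tracking).
    for cap in ("orders-db", "order-history-db", "order-tracking"):
        rb.guard(cap, "read_orders")
    rb.guard("crm-interactions", "read_interactions")
    # One role implies several permissions; users play one or more roles.
    rb.grant("customer-rep", "read_orders")
    rb.grant("customer-rep", "read_interactions")
    rb.grant("warehouse-clerk", "read_orders")
    rb.assign("alice", "customer-rep")
    rb.assign("bob", "warehouse-clerk")
    return rb
```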
Info
Channel: Erik Wilde
Views: 43,056
Keywords: API, Digital Transformation, Software Architecture
Id: 4Uya_I_Oxjk
Length: 8min 0sec (480 seconds)
Published: Thu Oct 21 2021