Hi Marc, thanks for the explanation.

Can you please share some kind of implementation guide for this?

On Mon, May 16, 2016 at 3:45 AM, Marc Boorshtein <[email protected]> wrote:
> > I would like to know more about RBAC, like what is RBAC and what can be
> > achieved with RBAC.
> >
> > Anyone, please share some good topics about this, as I am getting so many
> > and the information mentioned on those is different.
>
> I can imagine. RBAC (Role Based Access Control) was created on the
> idea that what systems, applications and entitlements you need should
> be based on your job function. It's a way of mapping business policies
> to technical authorizations. An example would be that someone in
> accounts payable shouldn't have access to the same systems as someone
> from accounts receivable. So in RBAC terms you would have a "Role"
> called "Accounts Payable" that might map to groups in a directory for
> "access to check system" and "access to vendor system", but another
> "Role" called "Accounts Receivable" that has access to other groups.
> Then you have something to audit against: "Why does someone with Role X
> have groups that aren't tied to that role?"
>
> In practice, this rarely works. Few enterprises do that good of a job
> defining the roles and responsibilities for their employees at an HR
> level, so trying to enforce those roles in technology is hopeless.
> Also, RBAC models are very rigid and hard to change, so if you need to
> grant someone access to a system that's "one-off" to get something done,
> it breaks the entire model (unless your technology can handle it).
> What often happens is you get into a situation where every user could
> have their own role, completely breaking the RBAC model.
>
> In my decade-plus of identity management implementations across pretty
> much every vendor and several industries, I can't think of any RBAC
> based models that were successful, but several that were complete
> failures. I was told going into a meeting at one large customer:
> "Don't even mention RBAC or the meeting will be ended and we'll be
> out."
>
> Hope that helps
>
> Thanks
> Marc
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
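As an added illustration of the model Marc describes (not code from the thread or from FreeIPA): roles map to directory groups, and the audit question "why does someone with Role X have groups that aren't tied to that role?" becomes a check that also shows how an unrecorded one-off grant immediately surfaces as a finding. All role, group and user names are constructed.

```python
# Added example: a minimal role -> directory-group model and the audit it enables.
# Role, group, user and exception data below are constructed for illustration.

# Business roles mapped to the directory groups each role is entitled to.
ROLE_GROUPS = {
    "Accounts Payable": {"check-system-access", "vendor-system-access"},
    "Accounts Receivable": {"invoicing-system-access", "collections-access"},
}

# Constructed directory data: each user's assigned role and actual memberships.
USERS = {
    "alice": {"role": "Accounts Payable",
              "groups": {"check-system-access", "vendor-system-access"}},
    "bob":   {"role": "Accounts Receivable",
              "groups": {"invoicing-system-access", "check-system-access"}},
    "carol": {"role": "Accounts Payable",
              "groups": {"vendor-system-access"}},
}

# Documented one-off grants outside the role model, as (user, group) pairs.
# Without such a record, a one-off grant shows up as an audit finding.
EXCEPTIONS = {("bob", "check-system-access")}


def audit_user(user, role_groups=ROLE_GROUPS, users=USERS, exceptions=EXCEPTIONS):
    """Return (extra, missing) for one user.

    extra   = groups not tied to the user's role and not covered by an exception
    missing = groups the role entitles the user to that the user lacks
    """
    record = users[user]
    entitled = role_groups[record["role"]]
    actual = record["groups"]
    extra = {g for g in actual - entitled if (user, g) not in exceptions}
    missing = entitled - actual
    return sorted(extra), sorted(missing)


def audit_all(role_groups=ROLE_GROUPS, users=USERS, exceptions=EXCEPTIONS):
    """Audit every user and return only those with findings."""
    findings = {}
    for user in users:
        extra, missing = audit_user(user, role_groups, users, exceptions)
        if extra or missing:
            findings[user] = {"extra": extra, "missing": missing}
    return findings


if __name__ == "__main__":
    for user, f in audit_all().items():
        print(f"{user}: extra={f['extra']} missing={f['missing']}")
```

Running it flags bob's missing collections group and carol's missing check-system group, while bob's recorded one-off grant is accepted; drop the exception and the same grant is reported as an out-of-role group.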
