
rbac best practices


I would like to know what are the best practices to implement an RBAC
model.
For this simple example, I have an IT Team which has two accesses:
- A Unix account on a host RES1
- An access to an application RES2.

Scenario 1
I create 2 resources RES1 and RES2 and 3 roles.
ROL10 associated to RES1
ROL11 associated to RES2
ROL20 named "Member of IT Team" is the role parent of ROL10 and
ROL11.

In this scenario, it is possible to assign a user to RES1 via ROL10, a
user to RES2 via ROL11, and a user to both resources via ROL20.
The main inconvenience of this model is the number of roles if the model
is applied to all teams in the company.

Scenario 2

I create 2 resources RES1 and RES2 and 1 role.
ROL20 named "Member of IT Team" associated to RES1 and RES2

Advantage
Fewer roles than scenario 1.

Inconvenience:
To assign a user to only RES1, the only way is to assign the user to the
resource directly.
"In RBAC theory, a user must always be assigned via a role, not directly to
a permission (resource)."
However, in this scenario, the admin of the resource must be able to
create a request association role from any existing role to this
resource.


What is the best way to implement a role model? Are there any other
possibilities?
Must a role represent a population (a team, for example "member of team
B"), a job function (IT Developer), or a resource (User of
application A)?


Thanks in advance


--
acany
------------------------------------------------------------------------
acany's Profile: https://forums.netiq.com/member.php?userid=453
View this thread: https://forums.netiq.com/showthread.php?t=50525
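To make the two scenarios concrete, here is an added example that is not part of the original post and not NetIQ product code: a minimal RBAC model in which users receive resources only through roles, a parent role grants everything its child roles grant, and any direct user-to-resource grant is recorded separately so it can be audited. The role names ROL10/ROL11/ROL20 and resources RES1/RES2 are taken from the post; the user names, the `RbacModel` class and its `audit_direct_grants` helper are constructed for this example. Scenario 1 builds the hierarchy, Scenario 2 builds the single flat role and shows why RES1-only access there forces exactly the direct grant the post says RBAC theory forbids.

```python
"""Minimal RBAC model (added example, not NetIQ code) comparing the two scenarios
from the post: a role hierarchy (Scenario 1) vs. one flat role per team (Scenario 2).
Role and resource names come from the post; users and the audit helper are constructed."""
from collections import defaultdict


class RbacModel:
    """Users get resources only through roles; a parent role grants everything its
    child roles grant. Direct user-to-resource grants are stored separately so the
    audit can report them, since RBAC theory says they should not exist."""

    def __init__(self):
        self.role_resources = defaultdict(set)   # role -> resources it grants
        self.role_children = defaultdict(set)    # parent role -> child roles it contains
        self.user_roles = defaultdict(set)       # user -> roles assigned
        self.user_direct = defaultdict(set)      # user -> resources granted outside any role

    def add_role(self, role, resources=(), children=()):
        self.role_resources[role] |= set(resources)
        self.role_children[role] |= set(children)

    def assign_role(self, user, role):
        if role not in self.role_resources and role not in self.role_children:
            raise KeyError(f"unknown role {role}")
        self.user_roles[user].add(role)

    def assign_resource_directly(self, user, resource):
        # Kept only so the audit has something to catch; prefer assign_role.
        self.user_direct[user].add(resource)

    def effective_roles(self, user):
        """Expand assigned roles through the parent -> child hierarchy (cycle-safe)."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.role_children.get(role, ()))
        return seen

    def role_resources_of(self, user):
        """Resources the user holds through roles only."""
        return set().union(*(self.role_resources.get(r, set())
                             for r in self.effective_roles(user)))

    def resources_of(self, user):
        """Everything the user can reach, roles plus direct grants."""
        return self.role_resources_of(user) | self.user_direct.get(user, set())

    def audit_direct_grants(self):
        """Resources a user holds outside any role: each is either a modelling gap
        (no role exists for that resource) or a policy violation to review."""
        findings = {}
        for user, direct in self.user_direct.items():
            gap = direct - self.role_resources_of(user)
            if gap:
                findings[user] = gap
        return findings


def scenario1():
    """Three roles: ROL10 -> RES1, ROL11 -> RES2, ROL20 is the parent of both."""
    m = RbacModel()
    m.add_role("ROL10", resources=["RES1"])
    m.add_role("ROL11", resources=["RES2"])
    m.add_role("ROL20", children=["ROL10", "ROL11"])   # "Member of IT Team"
    m.assign_role("alice", "ROL10")    # constructed user: Unix account on RES1 only
    m.assign_role("bob", "ROL20")      # constructed user: the whole IT Team bundle
    return m


def scenario2():
    """One role ROL20 granting both resources; RES1-only access needs a direct grant."""
    m = RbacModel()
    m.add_role("ROL20", resources=["RES1", "RES2"])
    m.assign_role("carol", "ROL20")
    m.assign_resource_directly("dave", "RES1")   # the workaround the post objects to
    return m


if __name__ == "__main__":
    for name, model in (("Scenario 1", scenario1()), ("Scenario 2", scenario2())):
        for user in sorted(set(model.user_roles) | set(model.user_direct)):
            print(f"{name}: {user} -> {sorted(model.resources_of(user))}")
        print(f"{name}: direct grants outside roles -> {model.audit_direct_grants()}")
```

Running the script shows the trade-off from the post in data rather than prose: Scenario 1 resolves every user through roles and the audit returns nothing, while Scenario 2 reaches the same entitlements for the team member but the RES1-only user shows up in the audit as a grant with no role behind it. In practice the audit function is the check worth keeping regardless of which model is chosen, since it turns the "users must be assigned via roles" rule into something a reviewer can run.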


Re: rbac best practices

acany,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.netiq.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.netiq.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.netiq.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your NetIQ Forums Team
http://forums.netiq.com

