title: 1.5 - How to implement ANSI RBAC navPrev: 1.4-why-rbac-is-important.html navPrevText: 1.4 - Why is ANSI RBAC Important? navUp: 1-intro-rbac.html navUpText: 1 - An Introduction to Role-Based Access Control ANSI INCITS 359-2004 navNext: 1.6-go-for-more.html navNextText: 1.6 - Where to go for more info

1.5 - How to implement ANSI RBAC

  • Learn using the SPEC

  • Pick a technology stack you are comfortable with based on current knowledge, SLAs, data storage, and support requirements.

  • Design a very simple RBAC data model. Eight objects are all that is needed.

    • User, Role, Permission, Object, Operation, User-Role, Session, Constraints

  • Design a simple RBAC software model.

    • Top layer called a Manager and contains a stable public API that external apps may call.
      • Three managers, System, Admin, Review are all that is needed.
      • The implementation the manager interface contains must be able to be be swapped out for another complete RBAC system without impacting dependent apps.
      • External applications use RBAC Manager API to map to internal entitlement systems.
    • Middle layer for RBAC system is optional and may be used for processing fine-grained data validations rules
    • Bottom layer for accessing the actual data.
      • Implementation may be swapped for other back ends without impacting Manager.
      • LDAP, JDBC, Hibernate, JAX-WS, JAX-RS other technologies may be used here to manage the data

  • Don't ignore the Audit

    • View before and after images of the data

  • Code first as a POC. Start with the core - RBAC0. Get it right first.

  • Test driven development and automation key contributors to successful outcome.

    • Engage IT teams.
      • Analyze existing IT entitlements.
      • Use established role mining techniques.

  • Map existing IT entitlements to RBAC system using established role engineering techniques

  • Use parent roles as Business Roles and child roles as IT Roles.

  • Deploy RBAC system into application environment using established standards. Use declarative policy enforcement points like JEE security for coarse-grained, Spring for fine-grained.

  • Application teams own mapping between Business and IT roles.

  • Model administrative controls on ARBAC. More on ARBAC coming soon...

  • Roll-out (Slow and steady starting out)