role-based access control

Role-based access control is a system that secures a network by limiting each person’s access according to their responsibilities or position in the business. The owner or administrator is normally granted full access to all hardware, software, and files, along with the ability to grant or revoke different levels of access for other employees. A business will often either have an internal IT person responsible for granting access to new employees or work with an outside firm.

For instance, the human resources department would have access to personnel files, salary information, payroll information and records of conduct. Access to these files would likely be limited to HR and a few key management employees. Password protecting the folders that hold these files on the company server keeps them from being opened by unauthorized personnel.

Defining Roles

When an IT tech sets up role-based access, he begins by naming the roles and then assigning each role access to different information. Full access is the administrative role; every other role descends from it with fewer features it can access.

Roles can be assigned to give access to a website, servers, files, equipment, security software and more and are usually limited according to the person’s job duties at the company.

Administrative access: full control over all features, including the ability to create roles and add or remove users. Depending on the type of software involved, this person may need some degree of training to ensure no data is accidentally deleted. Large businesses often have staff IT technicians who handle these issues for other employees.

When access is simply a matter of which passwords unlock sensitive files, HR or another management team may oversee delegating access to other employees.

Other roles, in descending order, may be manager, editor, content creator, or user. When assigning roles, there will be a list of features to access, and the business decision maker will determine who should have access to which information. If information is sensitive, fewer people should have access to it. If there is a chance data could be corrupted or deleted by someone not trained to use it, access should be limited to prevent data loss, for instance by allowing only viewing, not editing, of a file.

Setting Role Access

Viewing, editing, saving, and sharing files involve varying degrees of access. If, for instance, a business wanted to share a file with an individual outside the business, it might simply share a link to view the file. If instead that person were collaborating with a colleague, he or she could be given the ability to edit the document. If someone in your organization gets a promotion that entitles them to more access, that person’s role can easily be updated to grant access to the features and/or files associated with the new position.

In cases where a business works with a third party to do work, access can be limited to certain shared folders, safeguarding any sensitive business information that should not be accessed by an outside company.

Role-based actions can also include:

• Areas the individual can control
• Adding or removing new members
• Tasks performed by role
• Object access

A user may hold more than one role. Once assigned to a role, he or she has access to all the features and objects that role is granted. Roles can be defined to cover billing, technical tasks, or administrative tasks.
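The two sections above describe the whole model: a descending chain of roles (administrator, manager, editor, content creator, user), degrees of access on a file (view, edit, share), users who hold more than one role, an outside contractor limited to one shared folder, and a promotion that changes a user's role. The following is an added example written for this page, not code from the original article or from any particular product; the role names, file paths, and user names in build_demo() are constructed for illustration, and the choice to have each role in the chain inherit the grants of the role below it is an assumption about how "descending" access is modelled.

```python
"""Minimal role-based access control model (added example, not from the page)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Degrees of access on a file or object, as the article lists them.
VIEW, EDIT, SHARE, ADMIN = "view", "edit", "share", "admin"
ANY_OBJECT = "*"  # wildcard object, used only by the administrative role

Grant = Tuple[str, str]  # (object, permission)


@dataclass(frozen=True)
class Role:
    name: str
    grants: FrozenSet[Grant]
    inherits: Tuple[str, ...] = ()  # roles whose grants this role also receives


class RBAC:
    """Roles carry permissions; users carry roles; a check walks user -> roles -> grants."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, name: str, grants: Iterable[Grant], inherits: Iterable[str] = ()) -> None:
        parents = tuple(inherits)
        missing = [r for r in parents if r not in self.roles]
        if missing:  # a role may only inherit roles that already exist (also rules out cycles)
            raise KeyError(f"role {name!r} inherits undefined role(s): {missing}")
        self.roles[name] = Role(name, frozenset(grants), parents)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"undefined role: {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def effective_grants(self, role: str) -> Set[Grant]:
        """Grants of a role plus everything it inherits, walked without revisiting a role."""
        result: Set[Grant] = set()
        seen: Set[str] = set()
        stack = [role]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            r = self.roles[name]
            result |= r.grants
            stack.extend(r.inherits)
        return result

    def permissions(self, user: str, obj: str) -> Set[str]:
        """Union of permissions on obj across every role the user holds."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, ()):
            for granted_obj, perm in self.effective_grants(role):
                if granted_obj == obj or granted_obj == ANY_OBJECT:
                    perms.add(perm)
        return perms

    def can(self, user: str, perm: str, obj: str) -> bool:
        return perm in self.permissions(user, obj)

    def who_can(self, perm: str, obj: str) -> Set[str]:
        """Access-review helper: every user able to perform perm on obj."""
        return {u for u in self.user_roles if self.can(u, perm, obj)}


def build_demo() -> RBAC:
    """Constructed sample roles and users; all names are illustrative only."""
    rbac = RBAC()
    brochure, personnel, vendor_dir = "marketing/brochure.docx", "hr/personnel_files", "shared/vendor_folder"
    # Descending chain from the article: admin > manager > editor > content creator > user.
    # Assumption: each role inherits the grants of the role beneath it.
    rbac.define_role("user", [(brochure, VIEW)])
    rbac.define_role("content_creator", [(brochure, EDIT)], inherits=["user"])
    rbac.define_role("editor", [(brochure, SHARE)], inherits=["content_creator"])
    rbac.define_role("manager", [(personnel, VIEW)], inherits=["editor"])
    rbac.define_role("admin", [(ANY_OBJECT, p) for p in (VIEW, EDIT, SHARE, ADMIN)], inherits=["manager"])
    # Separate roles for HR staff and for an outside contractor confined to one shared folder.
    rbac.define_role("hr", [(personnel, VIEW), (personnel, EDIT)])
    rbac.define_role("contractor", [(vendor_dir, VIEW), (vendor_dir, EDIT)])
    rbac.assign("alice", "hr")
    rbac.assign("bob", "content_creator")
    rbac.assign("carol", "admin")
    rbac.assign("acme_contractor", "contractor")
    return rbac


def promote(rbac: RBAC, user: str, old_role: str, new_role: str) -> Set[str]:
    """Swap a user's role after a promotion and return the roles they now hold."""
    rbac.revoke(user, old_role)
    rbac.assign(user, new_role)
    return set(rbac.user_roles[user])


if __name__ == "__main__":
    r = build_demo()
    print(sorted(r.permissions("bob", "marketing/brochure.docx")))  # ['edit', 'view']
    promote(r, "bob", "content_creator", "manager")
    print(sorted(r.who_can(VIEW, "hr/personnel_files")))  # ['alice', 'bob', 'carol']
```

The who_can() report is the piece a reviewer actually wants when checking that sensitive folders are "limited to HR and a few key management employees": it lists every user whose combined roles reach a file, which is how a promotion or a second role silently widening access gets noticed.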

Role-based access control also helps provide a means to meet compliance regulations regarding the privacy of personal information. By securing data and preventing unauthorized access, the business has a simple and efficient way to ensure it is following state and federal laws.