Elements of RBAC

RBAC allows the creation of roles for system administration and the delegation of administrative tasks across a set of trusted system users. In AIX®, RBAC provides a mechanism through which the administrative functions typically reserved for the root user can be assigned to regular system users.

RBAC accomplishes this by defining job functions (roles) within an organization and assigning those roles to specific users. RBAC is essentially a framework that allows for system administration through the use of roles. Roles are typically defined with the scope of managing one or more administrative aspects of the environment. Assigning a role to a user effectively confers on that user a set of permissions, privileges, and powers. For example, one management role might be to manage the file systems, while another role might be to enable the creation of user accounts.

RBAC administration has the following advantages compared with traditional UNIX administration:
  • System administration can be performed by multiple users without sharing account access.
  • Security isolation through granular administration, since each administrator need not be granted more power than the task requires.
  • Allows for enforcing a least-privilege security model. Users and applications are only granted necessary privileges when required, thereby reducing the impact a system attacker can have.
  • Allows for implementing and enforcing company-wide security policies consistently in regard to system management and access control.
  • A role definition can be created once and then assigned to users or removed as needed when users change job functions.

The RBAC framework is centered on the following three core concepts:
  • Authorizations
  • Roles
  • Privileges

Together, these concepts allow an RBAC system to enforce the least-privilege principle.
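The relationships described above (a role bundles authorizations, a user is assigned roles, and an administrative operation is permitted only when an active role carries a matching authorization) can be made concrete with a small model. The following Python is an added illustration written for this page; it is not AIX code and does not reproduce the AIX implementation. The dotted authorization names and the two roles (FSAdmin, AccountAdmin) are constructed for the example in the style of AIX naming; the hierarchical rule that a parent authorization implies its children, and the explicit activation step standing in for switching to a role, are modelling assumptions chosen to show the "file systems" versus "user accounts" separation and the least-privilege point from the text.

```python
"""Toy RBAC model: users -> roles -> authorizations.

Added example for this page; not AIX code. Authorization names and role
names below are constructed, modelled on AIX's dotted naming style.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class AuthorizationError(PermissionError):
    """Raised when a user attempts an operation no active role authorizes."""


@dataclass(frozen=True)
class Role:
    name: str
    authorizations: frozenset[str]


@dataclass
class User:
    name: str
    roles: dict[str, Role] = field(default_factory=dict)   # assigned
    active: set[str] = field(default_factory=set)          # activated

    def activate(self, role_name: str) -> None:
        """Activate an assigned role (assumption: mirrors switching into a
        role so its powers apply only while needed)."""
        if role_name not in self.roles:
            raise AuthorizationError(f"{self.name} is not assigned {role_name}")
        self.active.add(role_name)

    def deactivate(self, role_name: str) -> None:
        self.active.discard(role_name)


# Constructed role catalogue: one role per administrative aspect.
ROLES: dict[str, Role] = {
    "FSAdmin": Role("FSAdmin", frozenset({"aix.fs.manage"})),
    "AccountAdmin": Role(
        "AccountAdmin",
        frozenset({"aix.security.user.create", "aix.security.user.remove"}),
    ),
}


def covers(granted: str, required: str) -> bool:
    """Hierarchical match (assumption): holding 'aix.fs.manage' implies
    every authorization under it, such as 'aix.fs.manage.mount'."""
    return required == granted or required.startswith(granted + ".")


def assign(user: User, role_name: str) -> None:
    """Assign a catalogue role to a user (defined once, reused per user)."""
    user.roles[role_name] = ROLES[role_name]


def revoke(user: User, role_name: str) -> None:
    """Remove a role when the user's job function changes."""
    user.roles.pop(role_name, None)
    user.active.discard(role_name)


def is_authorized(user: User, required: str) -> bool:
    """True only if some *active* role carries a covering authorization."""
    return any(
        covers(auth, required)
        for role_name in user.active
        for auth in user.roles[role_name].authorizations
    )


def require(user: User, required: str) -> None:
    """Guard for a privileged operation; raises instead of silently failing."""
    if not is_authorized(user, required):
        raise AuthorizationError(f"{user.name} lacks {required}")


def demo() -> dict[str, bool]:
    """Two administrators, two roles, no shared root account."""
    alice, bob = User("alice"), User("bob")
    assign(alice, "FSAdmin")
    assign(bob, "AccountAdmin")

    # A role that is assigned but not yet activated grants nothing.
    assigned_only = is_authorized(alice, "aix.fs.manage.mount")

    alice.activate("FSAdmin")
    bob.activate("AccountAdmin")
    results = {
        "alice_assigned_only": assigned_only,                          # False
        "alice_mount": is_authorized(alice, "aix.fs.manage.mount"),    # True via hierarchy
        "alice_useradd": is_authorized(alice, "aix.security.user.create"),  # False
        "bob_useradd": is_authorized(bob, "aix.security.user.create"),      # True
        "bob_mount": is_authorized(bob, "aix.fs.manage.mount"),             # False
    }

    # Job change: bob moves off account administration.
    revoke(bob, "AccountAdmin")
    results["bob_after_revoke"] = is_authorized(bob, "aix.security.user.create")  # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design choices worth noting are that `is_authorized` consults only active roles, so assignment alone confers nothing until the role is activated, and that `require` raises rather than returning a flag, so a privileged code path cannot proceed on a forgotten check.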