cro's place

Achieving Single Sign-On as a by-product of RBAC implementation

Posted in Identity Management, Roles Based Access Control, Digital Identity by cro. Tuesday June 21, 2005.

Identity Management and Roles Based Access Control

I am currently working on the design of a tightly integrated, highly consolidated strategic Identity Management project. One of the key parts of this project is the concept of Roles Based Access Control and consolidated Access Management.

By removing hierarchy and inheritance from the equation, I am making use of the concept of a ‘meta-identity’: an over-arching view of a single person’s identity within the scope of the Identity Management system as a whole. This identity is made up of information gathered from a number of other systems (human resources systems, application systems) together with the settings and roles recorded in the central Access Management system.

Whilst the project is presented as Identity Management, the Access Management systems are its true heart. These systems are responsible for ensuring that Roles Based Access Controls are enforced: they examine the set of individual roles that have been assigned to an existing, live identity, and provision the relevant access rights to each system within scope.

These rights are defined as a series of discrete Roles, with each Role defining access to a single system or resource. These low-level Roles are then grouped into logical constructs, which are applied to each user account individually.

As an example, if we define a Role Group such as this:

Role                                   Role Type
General Access to Car parks            Grouping
  » Open Barrier on Car park 1         Access Right
    » Between Monday and Friday        Constraint
    » Between 8am and 5pm              Constraint
    » Once per hour                    Constraint
  » Open Barrier on Car park 2         Access Right
    » Between Monday and Friday        Constraint
    » Between 8am and 5pm              Constraint
    » Once per hour                    Constraint

then when we apply this Role Group to an individual account, we are actually applying each of the ‘Access Right’ settings to the user account, rather than the higher-level Grouping.

This allows us to apply general access Roles and then remove the specific Roles we no longer want at a later date. It also means that if we change a Grouping, we have to re-apply all groups to all accounts; however, the primary aim of this system is to limit the number of Groups created, and to focus instead on properly defining, managing and creating the base resource access Roles.

What these base Roles allow us to do, in association with our Provisioning Server, is to convert a basic Role into a set of system-specific access rights, which are then set on that target system. Because each target system then has an appropriate set of user access rights pre-set from that user’s Roles, the Access Management system, acting as an authorisation proxy, can automatically grant the user access to the target system.
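A constructed Python model of the flattening just described (added here as an illustration, not code from the original post): applying a Grouping copies each Access Right, with its day, time-window and once-per-hour Constraints, onto the account individually, so a single right can later be revoked without touching the rest. The class and method names (AccessRight, RoleGroup, Account.authorise) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessRight:
    """One low-level Role: access to a single resource plus its Constraints."""
    resource: str                                  # e.g. "Car park 1 barrier"
    days: range = range(0, 5)                      # Monday..Friday (weekday() 0-4)
    hours: range = range(8, 17)                    # 8am up to (not including) 5pm
    min_interval: timedelta = timedelta(hours=1)   # "Once per hour"


@dataclass
class RoleGroup:
    """A Grouping is only a container; it is never applied as a unit."""
    name: str
    rights: list


@dataclass
class Account:
    user: str
    rights: dict = field(default_factory=dict)     # resource -> AccessRight
    last_use: dict = field(default_factory=dict)   # resource -> last granted time

    def apply_group(self, group):
        # Flatten: each Access Right lands on the account separately.
        for right in group.rights:
            self.rights[right.resource] = right

    def revoke(self, resource):
        # Possible only because rights were applied individually, not as a group.
        self.rights.pop(resource, None)

    def authorise(self, resource, when):
        """Evaluate a request against the right's Constraints; True if granted."""
        right = self.rights.get(resource)
        if right is None:
            return False
        if when.weekday() not in right.days or when.hour not in right.hours:
            return False
        last = self.last_use.get(resource)
        if last is not None and when - last < right.min_interval:
            return False                           # rate limit: once per hour
        self.last_use[resource] = when
        return True


# Constructed Role Group matching the table in the post (assumed resource names).
CAR_PARKS = RoleGroup("General Access to Car parks",
                      [AccessRight("Car park 1 barrier"), AccessRight("Car park 2 barrier")])
```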

When a user attempts to access a web-enabled service, the first thing that happens is that the Access Management service checks whether they have already authenticated with the base Identity Management system; if they have, the Access Manager simply passes control directly to the target system.

And the major side effect of implementing this type of Identity Management system is that we also implement an effective Single Sign-On system as well.


LDAP as IdM Core

Posted in Digital Identity by cro. Thursday June 9, 2005.

I came across an interesting article at Security Park about implementing LDAP directories at the heart of an organisation.

Single sign-on (SSO) has long been a holy grail for security teams in large complex organisations. But the obstacles in the way of its universal deployment have so far proved to be too great - in particular the challenge of interfacing and synchronising data held in the various directories that larger companies typically deploy.

You can read the full article here.


Copyright 1998-2005 Tom Gordon