Presently, role-based access control (RBAC) is an approach to securing a system and restricting access to valid or authorized users in an organization. A role is created and defined for each individual/user working in the organization with respect to his or her functional role. The permission for a specific user to perform certain operations or access resources is based on that user's roles; users are not assigned permissions directly, but only acquire them through their roles.
One prevalent RBAC approach utilizes a central role server or a directory structure such as the Lightweight Directory Access Protocol (LDAP) for managing and retrieving the entitlements associated with users and applications. This approach suffers from an operational disadvantage, namely governing the entitlements across multiple business domains in large enterprises with complex operation patterns.
A system and method for automatic generation of a role based access control (RBAC) model for an organizational environment with a role based access control system, such as a hierarchical RBAC (HRBAC), is known within the art. The system teaches a method that includes accessing the existing permissions granted to the users in the organizational environment and analyzing the permissions to create permission characteristics. The method further includes performing analysis on the permission characteristics to determine role perspective relationships between individual users of the organizational environment. An RBAC model is generated based on the role perspective relationships determined between individual users of the organizational environment. Further, the method includes generating a cladogram based on the determined role perspective relationships. However, since the focus of the system is on automated role modeling and it depends on existing permissions, the applicability of the system is limited; further, in the case of a new implementation, such permissions may not exist or may not be available. Another drawback of the system is its reliance on classification techniques, which are not intuitive, and achieving accuracy with such methods is a specialized task.
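As an added illustration of the principle stated above, that users acquire permissions only through roles, and of a hierarchical RBAC in which a senior role inherits the permissions of its junior roles, the following small model is example code written for this page, not code from this document or from any system it references; the role, user and permission names are hypothetical.

```python
class HierarchicalRBAC:
    def __init__(self):
        self.role_perms = {}   # role -> permissions granted to that role
        self.juniors = {}      # senior role -> junior roles it inherits from
        self.user_roles = {}   # user -> roles assigned to the user

    def grant(self, role, permission):
        self.role_perms.setdefault(role, set()).add(permission)

    def inherit(self, senior, junior):
        # Reject an edge that would make the hierarchy cyclic (HRBAC failure mode).
        if senior == junior or senior in self.effective_roles(junior):
            raise ValueError(f"cycle: {senior} -> {junior}")
        self.juniors.setdefault(senior, set()).add(junior)

    def assign(self, user, role):
        # The only way a user obtains permissions: membership in a defined role.
        if role not in self.role_perms and role not in self.juniors:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, role):
        # Transitive closure of the inheritance relation, starting at role.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def permissions(self, user):
        # Union of the permissions of every role the user's roles inherit from.
        return {p for role in self.user_roles.get(user, ())
                for r in self.effective_roles(role)
                for p in self.role_perms.get(r, ())}


def build_demo_model():
    # Constructed sample hierarchy: bi_admin > analyst > employee (hypothetical names).
    m = HierarchicalRBAC()
    m.grant("employee", "read:intranet")
    m.grant("analyst", "read:bi_reports")
    m.grant("bi_admin", "manage:bi_reports")
    m.inherit("analyst", "employee")
    m.inherit("bi_admin", "analyst")
    m.assign("alice", "analyst")
    m.assign("bob", "bi_admin")
    return m
```

A user with no role (or a role that was never defined) ends up with an empty permission set, which is the property that makes role governance, rather than per-user entitlement review, the unit of access control.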
Many RBAC models for resource authorization are driven by resource consumption groups: members of a group are granted rights for resource consumption. RBAC models based on resource consumption groups are not intuitive when the number of groups grows beyond a certain size, and are therefore not suitable for authorization and access to business intelligence and data stored in multiple application contexts. Further, they fail to address the enterprise organizational and operational perspective, in which IT resource consumption is a means to achieve the organizational goals.
Presently, some systems for role management emphasize the distinction between business roles and technical roles. They define the authorization rights globally in a central server, which could lead to an explosion of role types for a complex computational landscape and for a larger organization. Having global authorization definitions is not applicable in situations where the authorization definitions for particular applications require significant domain expertise and are used in specific segments of the organization. Further, a role viewed as a mere collection of entitlement rights is considered insufficient for supporting a large enterprise structure.
In a role based access control system in which user entitlements are managed by a subscription based application manager, the subscriptions are manifested as accounts in the central identity management system. The drawback of such a system is that the enterprise structure is not fully realized.
Therefore, there is a need in the art to preserve the enterprise perspective by preserving the organizational experience, and to support operation beyond an individual information system in role based access control. Further, there is a need to reduce the complexity and improve the efficiency of governance of access entitlements across the multiple business domains of an organization and within the application/computational scope where the access is realized.