A user's access to the resources of a computer system needs to be controlled to meet the security needs of an organization. This access control is performed using access rights, which define whether and how a user may access the resources. A security system, integrated into or added to the operating system of the computer system, performs this access control.
In traditional security systems, a system administrator (hereinafter referred to interchangeably as the ‘root user’ or ‘super user’) explicitly grants or revokes access rights for individual users or groups of users on the respective resources. However, as the number of users increases, and as their access rights are updated from time to time, the access rights in such security systems become increasingly inconvenient to manage. Further, due to the varied and evolving nature of the work done by various users on the computer system, it is often difficult to confine ‘super user’ rights to a small, restricted set of users. On the other hand, widespread allocation of ‘super user’ rights may compromise the security of the computer system. Additionally, in many organizations the data stored on the computer system and its resources may be confidential, and access to such data should desirably be granted on a need-only basis. However, system administrators with ‘super user’ rights have access to such data and resources irrespective of whether they really need that access for their work. This may compromise the confidentiality of the organization's data and resources.
In order to achieve a higher grade of data security and integrity in a computer system, a Role-Based Access Control (RBAC) approach has been developed. The RBAC approach has three main elements: authorizations, roles, and privileges. An authorization is analogous to an access right; it provides a mechanism to grant the right to perform certain actions on the computer system and thereby provides different levels of functionality to different classes of users. A role is a set of management functions unique to a particular class of users of the computer system; multiple authorizations may be assigned to a role in order to allow users under that role to perform the requisite management functions. Privileges are the part of the RBAC infrastructure that provides fine-grained control of system functions. A user usually acquires privileges based on the authorizations granted to their role. In other words, regular users are allowed access to various system functions when they hold the relevant privileges. Privileges are typically mapped to bit masks and are used in kernel space so that function-specific security controls can be enforced efficiently. In practice, a role acts as the definition of a job at the lowest level of granularity used in the enterprise or organization. Roles are similar to regular user identities, except that roles are authorized to perform some privileged tasks. Regular users who are assigned a role can perform super user functions by switching into that role and using the privileges granted to it. For example, one role might be to manage file systems, while another role might be to enable the creation of user accounts. In the RBAC system, the system administrator only has to grant or revoke authorizations for a role and group the different users of the computer system under each role based on need. The users under a role automatically receive the authorizations granted to that role. A super user has more authorizations and privileges than a user.
The super user rights are thus divided into granular tasks and assigned to various users based on the authorizations they need for their job or role. For example, a user with the role to manage the file systems will not have authorization to create user accounts, and vice versa, but a super user may have access to both. In this manner, RBAC enables separation of duties among users who have fewer authorizations and privileges than the traditional super user. The RBAC approach follows the principle of “least privilege access”, wherein a user has only the minimum authorizations required to perform his/her role. The RBAC approach has many advantages over traditional security systems, such as ease of management and ease of assigning roles to users (as per their functions in the organization).
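The model described in the two paragraphs above, as an added illustration that is not part of this document: authorizations map to privilege bits, a role is a set of authorizations, and a user obtains a role's privilege mask only by switching into a role the administrator assigned to them. The privilege names, authorization names and sample users are constructed for the example.

```python
from enum import IntFlag

# Constructed privilege bit mask standing in for the kernel-space masks the text
# describes; names and values are illustrative, not from any real system.
class Priv(IntFlag):
    NONE = 0
    FS_MOUNT = 1 << 0
    FS_CONFIG = 1 << 1
    ACCT_CREATE = 1 << 2
    ACCT_REMOVE = 1 << 3

# Authorization -> privilege bits it confers (constructed authorization names).
AUTH_PRIVS = {
    "fs.mount": Priv.FS_MOUNT,
    "fs.config": Priv.FS_CONFIG,
    "user.create": Priv.ACCT_CREATE,
    "user.remove": Priv.ACCT_REMOVE,
}

# Role -> authorizations; the narrow roles follow the text's file-system and
# user-account example, while SuperUser holds every authorization.
ROLES = {
    "FSAdmin": {"fs.mount", "fs.config"},
    "UserAdmin": {"user.create", "user.remove"},
    "SuperUser": set(AUTH_PRIVS),
}

# User -> roles granted by the administrator (constructed sample users).
USER_ROLES = {
    "alice": {"FSAdmin"},
    "bob": {"UserAdmin"},
    "carol": {"SuperUser"},
}

def role_privs(role: str) -> Priv:
    """Union of the privilege bits conferred by every authorization of a role."""
    mask = Priv.NONE
    for auth in ROLES[role]:
        mask |= AUTH_PRIVS[auth]
    return mask

def switch_role(user: str, role: str) -> Priv:
    """Effective privilege mask once a user switches into a role."""
    # Deny by default: a role the administrator never assigned confers nothing.
    if role not in USER_ROLES.get(user, set()):
        return Priv.NONE
    return role_privs(role)

def check(mask: Priv, needed: Priv) -> bool:
    """Kernel-style check: every required privilege bit must be set in the mask."""
    return (mask & needed) == needed
```

With these tables, alice can mount file systems after switching into FSAdmin but cannot create accounts, and a user who switches into a role they were never assigned receives an empty mask, so every check fails.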
However, in many cases there are situations in which the user to whom a role was assigned is not available, and that role needs to be assigned to a backup user with some modifications to the authorizations of the existing role. The existing technique is to create a new role containing all of the authorizations required by the backup user. Managing roles in this manner, particularly on systems that have a large number of users with dynamic role definitions, is a cumbersome process.
In accordance with the foregoing, there is a need in the art for a process, an apparatus, and a program product that provide improved management of roles in an RBAC system.