Role-based access control products have proved challenging to implement in reality and will, for most companies, need to be combined with rule-based and other more time-tested access control methods to achieve the most practical value. This was the thrust of a recent presentation by Gerry Gebel, analyst with the Burton Group, at a company conference.

User administration and access management products have evolved for 30 years in a proprietary fashion. Role-based access control products are relatively immature and have proven to be difficult to implement. Businesses need to comply with privacy and other regulatory mandates, improve enforcement of security policies while lowering overall risk, while at the same time lowering administrative costs.

Meanwhile, Web-based and other types of new applications are proliferating, and the Web services application model promises to add to the complexity by weaving separate components together over the Internet to deliver application services. Moreover, access control products built on accessing a file or a server, may be incompatible with business processes that require users to focus on practical matters such as opening accounts and paying bills.


Role-based access control products, promoted by the National Institute of Standards and Technology, are a viable alternative today. Roles are collections of permissions to use resources appropriate to a person's job function. This assumes that all permissions needed to perform a job function can be neatly encapsulated. In fact, role engineering has turned out to be a difficult task, Gebel says.

Another alternative is rule-based access control, in which access decisions are made in real time by scripted policy rules. These can either replace or complement roles. Some provisioning products, for example, have rule-based policy engines, and certain Web access management products support dynamic policies. Another alternative is to combine rule-based and role-based approaches, or go with a vendor-specific approach such as Sun's Identity Server.

The challenges of role-based access control will continue to be the contention between strong security and easier administration. For stronger security, it is better for each role to be more granular, thus to have multiple roles per user. For easier administration, it is better to have fewer roles to manage.

The creation of rules and security policies is also a complex process, so each company will need to strike the appropriate balance, Gebel says.