In this exercise, you will develop a role-based access control (RBAC) matrix for user access control. RBAC matrices, as a security architecture concept, are a way of representing access control strategies visually. They help the practitioner ensure that the access control strategy aligns with the specific access control objectives. Matrices also help show when access controls may conflict with job roles and responsibilities. When you are completing this type of task, there are a few questions you should always be thinking about:
Who gets to log into the system?
Who gets to view what?
What kind of data are you dealing with (basic data vs. information subject to privacy controls)?
Who gets to add or delete? Who is view-only?
Who should not have permission?
An example of an RBAC matrix can be found in Chapter 6 of your course textbook.
Scenario
You are a security analyst for a healthcare firm assigned to create an RBAC matrix for a new software-as-a-service (SaaS) application for managing patient medical files. There are six individuals who have roles within the system and need varying levels of access to the medical patient software. Your objectives are to set up the RBAC matrix to:
Ensure individuals have access to necessary information for their job role
Maintain patient privacy by adhering to the Fundamental Security Design Principle of least privilege (i.e., business need-to-know)
The following SaaS application parameters need to be determined:
Access to patient information
Access to employee information
Access to the SaaS
Access to backup logs
See the User Job Roles and Characteristics table below for information on the users, their roles in the organization, and their job descriptions.
Users Job Roles Job Characteristics
Norman Remote call-center employee
Has the ability to log into the medical SaaS as an employee, and has remote access to employee machines for purpose of fixing or diagnosing computer issues
Has the ability to create user accounts and assign passwords
Has no right to view patient information
Has the ability to view the backup logs for important system information
Ryhead Sales representative for the healthcare firm
Has access to the software but only for showing potential new customers
Has the ability to create dummy user accounts for demo purposes
Has no ability to modify any patient information, and can only show screens for demo purposes
Has no access to the backup logs
Simone HR representative for the healthcare firm
Has the ability to log into the system
Has no abilities with user accounts
Has access to the software and employee records but should have no access to patient information
Has no access to the backup logs
Janet Application administrator for the SaaS application
Has full access to software, has the ability to change or modify settings in the system as needed, and has the ability to provide an override code
Has the ability to view, create, modify, and delete user accounts
Has no rights to change patient information
Has the ability to view, modify, and delete backup logs for the SaaS
Dale Nurse
Has access to the system for patient information.
Has no abilities with user accounts.
Has the ability to view, create, and modify patient information, but does not have the right to delete patient information without an override code
Has no access to backup logs
Ethan Auditor
Has the ability to log into the system but can only view information
Has no abilities with user accounts
Has no ability to create, modify, or delete patient information
Has the ability to view backup logs
Prompt
Specifically, you must address the critical elements listed below:
RBAC Matrix: Populate the RBAC matrix in the Module Four Activity Template using one or more of the necessary actions (view, create, modify, delete, none).
Essential Questions: Answer the following short response questions based on your populated table in the template:
What changes could be made to user roles through implementation of least privilege to better support that security design principle? (Hint: Refer to the characteristics in the scenario table above, and consider the characteristics that may be contradictory.)
What is the importance of this tool to you as a security analyst in managing and protecting the environment? Provide an example.
Last Completed Projects
| topic title | academic level | Writer | delivered |
|---|