Ever wonder why someone was somewhere they weren’t supposed to be? Access control is how organizations can govern access over their IT resources, such as parts of your CI/CD pipeline, including related environments, stages, and workflows. This blog post will discuss how to implement and use role-based access control, a popular governance capability for better software delivery.
What Is Role-Based Access Control?
Role-based access control is control over user groups and access to resources based on a defined role.
According to the National Institute of Standards and Technology (NIST), “rudimentary forms of role-based access control were implemented in a variety of ad hoc forms on many systems beginning in the 1970s.” However, a formal model wasn’t proposed until 1992, when Ferraiolo and Kuhn published a paper that proposed an alternative to the traditional models of Mandatory Access Control (MAC) and Discretionary Access Control (DAC). RBAC defined three basic requirements for access control:
- Role Assignment: subjects are assigned roles and only allowed transactions if allowed by the defined user-role.
- Role Authorization: subjects only use roles for which they are authorized.
- Transaction Authorization: subjects only execute transactions authorized by that subject’s role memberships.
As the three rules above show, the central concept of RBAC is the role: a named collection of permissions. Granting access through roles rather than to individuals lets organizations give employees or guests the appropriate permissions and keep privileges consistent with a role hierarchy.
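The three NIST rules above (role assignment, role authorization, transaction authorization) together with a role hierarchy, as an added Python example that is not part of the original post. The role names, permissions and users are constructed for illustration; sessions are used to model which of a user's authorized roles are active for a given transaction.

```python
"""Added example (not from the original post): the three NIST RBAC rules
in a small, self-contained Python model with a role hierarchy."""

# Constructed role definitions, assumed for illustration only.
PERMISSIONS = {
    "viewer": {"pipeline:view"},
    "developer": {"pipeline:edit", "pipeline:execute:dev"},
    "release-manager": {"pipeline:execute:prod"},
}
# Seniority: a role inherits the permissions of the roles listed here.
INHERITS = {
    "developer": {"viewer"},
    "release-manager": {"developer"},
}


def junior_roles(role):
    """All roles at or below `role` in the hierarchy, including itself."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(INHERITS.get(r, ()))
    return seen


def effective_permissions(role):
    """Own permissions plus everything inherited from junior roles."""
    perms = set()
    for r in junior_roles(role):
        perms |= PERMISSIONS.get(r, set())
    return perms


class RBAC:
    def __init__(self):
        self.user_roles = {}  # user -> set of directly assigned roles
        self.sessions = {}    # session id -> (user, active roles)

    # Rule 1, role assignment: a subject acts only through roles assigned to it.
    def assign(self, user, role):
        if role not in PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def authorized_roles(self, user):
        """Assigned roles plus every junior role reachable through the hierarchy."""
        roles = set()
        for r in self.user_roles.get(user, ()):
            roles |= junior_roles(r)
        return roles

    # Rule 2, role authorization: a session may activate only authorized roles.
    def open_session(self, user, roles):
        unauthorized = set(roles) - self.authorized_roles(user)
        if unauthorized:
            raise PermissionError(f"{user} is not authorized for {sorted(unauthorized)}")
        session_id = f"{user}#{len(self.sessions)}"
        self.sessions[session_id] = (user, set(roles))
        return session_id

    # Rule 3, transaction authorization: the permission must come from an active role.
    def authorize(self, session_id, permission):
        _user, active = self.sessions[session_id]
        return any(permission in effective_permissions(r) for r in active)


def demo():
    """Walk through the three rules; returns a dict of outcomes."""
    rbac = RBAC()
    rbac.assign("alice", "developer")
    rbac.assign("bob", "release-manager")

    alice = rbac.open_session("alice", {"developer"})
    # Bob holds the senior role but activates only the junior one for a
    # read-only session (least privilege), and the senior one for a release.
    bob_readonly = rbac.open_session("bob", {"viewer"})
    bob_release = rbac.open_session("bob", {"release-manager"})

    try:  # Alice was never assigned release-manager, so activation must fail.
        rbac.open_session("alice", {"release-manager"})
        alice_escalated = True
    except PermissionError:
        alice_escalated = False

    return {
        "alice_can_view": rbac.authorize(alice, "pipeline:view"),  # inherited from viewer
        "alice_can_deploy_prod": rbac.authorize(alice, "pipeline:execute:prod"),
        "bob_readonly_can_deploy_prod": rbac.authorize(bob_readonly, "pipeline:execute:prod"),
        "bob_release_can_deploy_prod": rbac.authorize(bob_release, "pipeline:execute:prod"),
        "alice_escalated": alice_escalated,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The session step is what makes rule 2 observable: a user who holds a senior role can still choose to operate with only a junior role active, and a request for a role the user was never assigned is rejected before any transaction is attempted.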
RBAC differs from access control lists (ACL) in that it provides security at an organization or enterprise level, whereas an ACL is better suited to securing individual users' access to low-level data. RBAC also differs from attribute-based access control (ABAC), which decides access from attributes rather than from assigned roles.
Why Should DevOps Teams Care About RBAC?
As mentioned, with RBAC systems businesses can protect their data and key business processes through company-set rules and roles. Additionally, RBAC gives administrators increased visibility across various cloud tooling and IT systems. For DevOps teams in particular this is important, as many teams exist and require varying amounts of control over specific workloads or groups of resources.
Benefits of RBAC
Here are some benefits to RBAC:
- Security: RBAC improves overall security as it relates to compliance, confidentiality, privacy, and access management to resources and other sensitive data and systems.
- Selective access: RBAC systems can support users having multiple roles at the same time, with specific permissions for each role.
- Security as a function of organizational structure: allows organizations to impose hierarchies for assigning permissions based on the seniority or topology of organizations.
- Separation of duties (SoD): the principle that no one person has sole control over a task. SoD benefits organizations because the compromise of a single account cannot by itself cause significant harm to systems.
- Flexibility: IT organizations can review and adjust permissions associated with each role periodically.
Role-Based Access Control Best Practices
Here are some RBAC tips and practices:
- Understand your organization and business needs: Before implementing RBAC, complete an analysis of the different job functions, business processes, and technologies that would benefit from access control. In addition, assess the current security posture of the organization.
- Define the roles: Once you’ve analyzed and understood how individuals across the organization perform their tasks, assign the appropriate access rights and permissions as part of the role design process. Also, consider defining default roles of individual users coming into the organization and consider the principle of least privilege when assigning roles and granting user permissions.
- Iterative adjustments and regular review: Prioritize a core group of users when implementing RBAC to avoid business process disruptions. This also allows security teams to change roles previously defined. Collecting feedback and monitoring your implementation is also a great way to ensure proper governance across an organization.
Use Cases for RBAC
How is RBAC used in practice in different situations? Let’s take a look at modern software businesses using CI/CD and DevOps.
RBAC in Continuous Integration and Continuous Delivery
RBAC, as it pertains to CI/CD pipeline definitions, development, and other resources, is all about defining the roles and the actions they may take on these resources. RBAC can be helpful in ensuring a separation of duties. Not everyone needs access to the CI/CD pipelines that deploy into a live production environment, and often developers aren’t granted access beyond development or non-production environments.
RBAC in DevOps
As it pertains to DevOps, it’s important to consider how RBAC and governance can encourage developers to focus on their core responsibilities. Delivering better software faster is about focusing on outcomes rather than outputs and having teams work together to make decisions and take ownership of their processes.
How Harness Uses RBAC in Practice
With the Harness platform, it’s fairly simple to get started with implementing RBAC on your defined CI/CD resources. Every user is authenticated via their User Group and Role Assignment. Define User Groups at an Account, Org, or Project scope to assign different role assignments which can provide permissions for various actions including:
- Create, Edit, Execute, View pipelines
- Create, Edit, Delete, Access secrets
- View, Access environments
- And much more as shown in the diagram above.
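Scoped role assignments for CI/CD resources, as an added Python example; this is not Harness code and the role names, scopes, groups and the separation-of-duties policy are constructed assumptions. It shows the pattern the list above describes: user groups receive role assignments at an account, org or project scope, a role at a wider scope applies to every resource beneath it, and a static separation-of-duties rule (here: the group that authors pipelines may not also deploy them to production) is enforced when roles are assigned, which also illustrates the SoD point made in the CI/CD section.

```python
"""Added example (not Harness code): scoped role assignments for CI/CD
resources with a static separation-of-duties constraint."""

from dataclasses import dataclass
from typing import Optional

# Constructed roles: resource type -> allowed actions. Names are assumptions.
ROLES = {
    "pipeline-viewer": {"pipeline": {"view"}, "environment": {"view"}},
    "pipeline-author": {"pipeline": {"view", "create", "edit", "execute"}, "secret": {"access"}},
    "prod-deployer": {"pipeline": {"view", "execute"}, "environment": {"view", "access"}},
    "secrets-admin": {"secret": {"create", "edit", "delete", "access"}},
}

# Constructed SoD policy: a group may not hold both roles of a pair at overlapping scopes.
MUTUALLY_EXCLUSIVE = {frozenset({"pipeline-author", "prod-deployer"})}


@dataclass(frozen=True)
class Scope:
    """Account > Org > Project. A None field means 'everything beneath'."""
    account: str
    org: Optional[str] = None
    project: Optional[str] = None

    def contains(self, other):
        """True if a role granted at this scope applies to resources in `other`."""
        if self.account != other.account:
            return False
        if self.org is not None and self.org != other.org:
            return False
        if self.project is not None and self.project != other.project:
            return False
        return True


class Platform:
    def __init__(self):
        self.groups = {}       # group name -> set of users
        self.assignments = []  # (group, role, scope)

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def assign(self, group, role, scope):
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        # Static SoD check: reject a conflicting role where the scopes overlap.
        for g, r, s in self.assignments:
            conflicting = frozenset({r, role}) in MUTUALLY_EXCLUSIVE
            if g == group and conflicting and (s.contains(scope) or scope.contains(s)):
                raise ValueError(f"SoD violation: {group} cannot hold both {r} and {role}")
        self.assignments.append((group, role, scope))

    def can(self, user, action, resource_type, resource_scope):
        """Allowed if any group the user belongs to holds a role granting the
        action at a scope that contains the resource."""
        for group, role, scope in self.assignments:
            if user not in self.groups.get(group, ()):
                continue
            if scope.contains(resource_scope) and action in ROLES[role].get(resource_type, ()):
                return True
        return False


def demo():
    """Constructed tenant 'acme' with two projects under the 'platform' org."""
    acct = Scope("acme")
    platform_org = Scope("acme", "platform")
    shop = Scope("acme", "platform", "shop")
    billing = Scope("acme", "platform", "billing")

    p = Platform()
    for user in ("alice", "bob"):
        p.add_member("all-engineers", user)
    p.add_member("shop-devs", "alice")
    p.add_member("release-team", "bob")

    p.assign("all-engineers", "pipeline-viewer", acct)   # read-only everywhere
    p.assign("shop-devs", "pipeline-author", shop)       # only in the shop project
    p.assign("release-team", "prod-deployer", platform_org)  # every project in the org

    try:  # the authoring group may not also become a prod deployer over the same scope
        p.assign("shop-devs", "prod-deployer", platform_org)
        sod_blocked = False
    except ValueError:
        sod_blocked = True

    return {
        "alice_view_billing": p.can("alice", "view", "pipeline", billing),      # account-wide viewer
        "alice_execute_shop": p.can("alice", "execute", "pipeline", shop),      # author in shop
        "alice_execute_billing": p.can("alice", "execute", "pipeline", billing),
        "alice_access_env_shop": p.can("alice", "access", "environment", shop),
        "bob_execute_billing": p.can("bob", "execute", "pipeline", billing),    # org-scoped deployer
        "bob_edit_shop": p.can("bob", "edit", "pipeline", shop),
        "sod_blocked": sod_blocked,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design points carry over to any platform: scope containment is checked on the assignment's scope, not the user's, so a single org-level assignment covers new projects automatically; and the SoD rule is enforced at assignment time, which is cheaper and more auditable than trying to catch a conflicting pair during a permission check.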
Take the Next Step in Security & Governance
IT organizations can benefit from governance to avoid hacks, mistakes, and even accidents. This blog post shares the role of RBAC in governance – and its complexities – and how you can use it to improve your software delivery practices. If you’d like to learn more about applying governance to CI/CD, I recommend downloading and reading this eBook.
Harness provides RBAC along with various other enterprise-ready governance features. You can try these governance features for free at harness.io.