+254 704 052992

Role-Based Access Control (RBAC) Matrix

Overview

In this exercise, you will develop a role-based access control (RBAC) matrix for user access control. RBAC matrices, as a security architecture concept, are a way of representing access control strategies visually. They help the practitioner ensure that the access control strategy aligns with the specific access control objectives. Matrices also help show when access controls may conflict with job roles and responsibilities. When you are completing this type of task, there are a few questions you should always be thinking about:

  • Who gets to log into the system?
  • Who gets to view what?
  • What kind of data are you dealing with (basic data vs. information subject to privacy controls)?
  • Who gets to add or delete? Who is view-only?
  • Who should not have permission?

An example of an RBAC matrix can be found in Chapter 6 of your course textbook.

Scenario

You are a security analyst for a healthcare firm assigned to create an RBAC matrix for a new software-as-a-service (SaaS) application for managing patient medical files. There are six individuals who have roles within the system and need varying levels of access to the medical patient software. Your objectives are to set up the RBAC matrix to:

  • Ensure individuals have access to necessary information for their job role
  • Maintain patient privacy by adhering to the Fundamental Security Design Principle of least privilege (i.e., business need-to-know)

The following SaaS application parameters need to be determined:

  1. Access to patient information
  2. Access to employee information
  3. Access to the SaaS
  4. Access to backup logs

See the User Job Roles and Characteristics table below for information on the users, their roles in the organization, and their job descriptions.

Users Job Roles Job Characteristics
Norman Remote call-center employee
  • Has the ability to log into the medical SaaS as an employee, and has remote access to employee machines for purpose of fixing or diagnosing computer issues
  • Has the ability to create user accounts and assign passwords
  • Has no right to view patient information
  • Has the ability to view the backup logs for important system information
Ryhead Sales representative for the healthcare firm
  • Has access to the software but only for showing potential new customers
  • Has the ability to create dummy user accounts for demo purposes
  • Has no ability to modify any patient information, and can only show screens for demo purposes
  • Has no access to the backup logs
Simone HR representative for the healthcare firm
  • Has the ability to log into the system
  • Has no abilities with user accounts
  • Has access to the software and employee records but should have no access to patient information
  • Has no access to the backup logs
Janet Application administrator for the SaaS application
  • Has full access to software, has the ability to change or modify settings in the system as needed, and has the ability to provide an override code
  • Has the ability to view, create, modify, and delete user accounts
  • Has no rights to change patient information
  • Has the ability to view, modify, and delete backup logs for the SaaS
Dale Nurse
  • Has access to the system for patient information.
  • Has no abilities with user accounts.
  • Has the ability to view, create, and modify patient information, but does not have the right to delete patient information without an override code
  • Has no access to backup logs
Ethan Auditor
  • Has the ability to log into the system but can only view information
  • Has no abilities with user accounts
  • Has no ability to create, modify, or delete patient information
  • Has the ability to view backup logs

Prompt

Specifically, you must address the critical elements listed below:

  1. RBAC Matrix: Populate the RBAC matrix in the Module Four Activity Template using one or more of the necessary actions (view, create, modify, delete, none).
  2. Essential Questions: Answer the following short response questions based on your populated table in the template:
    1. What changes could be made to user roles through implementation of least privilege to better support that security design principle? (Hint: Refer to the characteristics in the scenario table above, and consider the characteristics that may be contradictory.)
    2. What is the importance of this tool to you as a security analyst in managing and protecting the environment? Provide an example.

What to Submit

Submit the completed RBAC matrix and short response questions in the Module Four Activity Template. You may also submit this activity in your own Microsoft Word document, but your submission must contain the same elements as the template. Your submission should be 12 pages in length (plus a cover page and references, if used) and written in APA format. Use double spacing, 12-point Times New Roman font, and one-inch margins. The file name should include the course code, assignment number, and your namefor example, CYB_200_Module_Four_Activity_Neo_Anderson.docx.

Module Four Activity Rubric

Criteria Proficient (100%) Needs Improvement (65%) Not Evident (0%) Value
RBAC Matrix Completes 21 or more cells of the RBAC matrix accurately Completes fewer than 21 cells of the RBAC matrix accurately Does not complete any of the RBAC matrix cells accurately 65
Least Privilege Describes changes that can be made to the user roles through implementation of least privilege that would better support the security design principle Addresses Proficient criteria, but there are gaps in clarity, logic, or detail Does not address critical element, or response is irrelevant 15
Importance of Tool Explains the importance of the tool to a security analyst in managing and protecting the environment, and provides an example Addresses Proficient criteria, but there are gaps in clarity, logic, or detail Does not address critical element, or response is irrelevant 15
Articulation of Response Submission has no major errors related to citations, grammar, spelling, or organization Submission has some errors related to citations, grammar, spelling, or organization that negatively impact readability and articulation of main ideas Submission has critical errors related to citations, grammar, spelling, or organization that prevent understanding of ideas 5
admin