AIMultiple Research

6 Real-life RBAC Examples in 2024 

Written by Cem Dilmegani

Cem is the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per Similarweb) including 60% of Fortune 500 every month.

Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE, NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and media that referenced AIMultiple.

Drafted by Mert Palazoğlu
Mert Palazoglu is an industry analyst at AIMultiple focused on customer service and network security with a few years of experience. He holds a bachelor's degree in management.

Network security statistics show that in almost 2/3 of companies, each employee can access 1,000+ high-value files. Companies need to administer access controls to reduce the risk of a breach; however, managing hundreds of thousands of users and high-value files by hand is difficult.

Role-based access control (RBAC) systems, open-source RBAC tools and microsegmentation tools help organizations grant access to employees based on their roles or responsibilities, so that permissions are issued only to the appropriate users.

This article compiles 6 real-life examples of RBAC in business processes, for organizations designing RBAC use cases in their own environment.

6 Real-life RBAC Examples

1. Dresdner Bank

Dresdner Bank is a major European bank with 368 different job functions and 1,300 roles sourced from its human resources database.

Challenge of maintaining manual employee access privileges: The bank previously did not use a role-based access control (RBAC) system; user privileges were determined by a local access control system, and each employee’s access privileges were handled manually at the application level. The growing use of internal applications led to significant administrative overhead. Maintaining several application-level privilege files for each user was inefficient and did not align with the overall security policy structure.

Solutions and outcome: The bank changed its security system’s structure, administration, and control concepts by implementing an RBAC system in its environment. The bank achieved the following outcomes:

  • Specific employee and role grouping: Before implementing RBAC, employees could only be classified by role, hierarchy, and organizational unit. With RBAC, employees can be assigned group-specific access permissions based on additional factors (e.g. demographics, department).
  • Inheritance structure: The bank previously had no role inheritance structure, so the finance manager job title did not inherit the permissions of closely related job titles such as accounting specialist or bookkeeping assistant manager.

RBAC enabled the bank to inherit access rights through a role hierarchy, allowing fine-grained access control. For example, before the RBAC implementation the finance manager had to ask the accounting specialist whenever he needed to edit the monthly accounting notes; now the finance manager can access the monthly accounting notes directly, because his job title inherits the accounting specialist role.1
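The role hierarchy described above can be resolved mechanically: a user's effective permissions are the union of the permissions of every role they hold plus every role those roles inherit. The following Python is an added illustration written for this article, not code from Dresdner Bank or from the cited source; the role names, the (action, resource) permissions and the user names are constructed assumptions modelled on the finance manager / accounting specialist example.

```python
from collections import deque

# Constructed sample data (assumptions, not the bank's real role model).
# Each role lists the junior roles whose permissions it inherits.
ROLE_INHERITS = {
    "finance_manager": ["accounting_specialist"],
    "accounting_specialist": ["bookkeeping_assistant_manager"],
    "bookkeeping_assistant_manager": [],
}

# Permissions granted directly to each role, as (action, resource) pairs.
DIRECT_PERMISSIONS = {
    "finance_manager": {("approve", "quarterly_budget")},
    "accounting_specialist": {("read", "monthly_accounting_notes"),
                              ("edit", "monthly_accounting_notes")},
    "bookkeeping_assistant_manager": {("read", "ledger")},
}

# Role assignments as they would come from the HR database.
USER_ROLES = {
    "finance_manager_user": {"finance_manager"},
    "accountant_user": {"accounting_specialist"},
    "bookkeeper_user": {"bookkeeping_assistant_manager"},
}


def effective_roles(role):
    """Return `role` plus every role reachable through the inheritance graph.

    Breadth-first walk with a visited set, so a mis-configured cyclic
    hierarchy cannot make the check loop forever.
    """
    seen = set()
    queue = deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(ROLE_INHERITS.get(current, []))
    return seen


def effective_permissions(user):
    """Union of the direct permissions of every role the user holds or inherits."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        for inherited in effective_roles(role):
            perms |= DIRECT_PERMISSIONS.get(inherited, set())
    return perms


def is_allowed(user, action, resource):
    """Deny by default: only an explicit (action, resource) grant permits the request."""
    return (action, resource) in effective_permissions(user)


if __name__ == "__main__":
    for user, action, resource in [
        ("finance_manager_user", "edit", "monthly_accounting_notes"),
        ("bookkeeper_user", "edit", "monthly_accounting_notes"),
        ("accountant_user", "approve", "quarterly_budget"),
    ]:
        verdict = "ALLOW" if is_allowed(user, action, resource) else "DENY"
        print(f"{verdict}: {user} {action} {resource}")
```

The finance manager is granted the edit on the monthly accounting notes without that permission ever being attached to the finance manager role directly; the bookkeeper, whose role sits below the accounting specialist, is denied. Because the decision is computed from the hierarchy rather than from per-application privilege files, a change to one role's permissions propagates to every senior role automatically.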

Read more: Network security policy management.

2. Interfaith Medical Center

A U.S.-based multi-site community educational healthcare organization with 50,659 employees and 1,459 branches worldwide. 

Challenge — maintaining HIPAA compliance: Under the Health Insurance Portability and Accountability Act (HIPAA*), Interfaith Medical Center had to set role-based internal controls for employees to protect electronic patient health data against inappropriate use and disclosure. For example, Interfaith Medical Center administrators had to configure the database so that only authorized employees (such as medical coders or healthcare managers) have access to patient data.

However, with an ever-increasing employment base, Interfaith Medical Center was challenged with generating new user accounts in Active Directory. Because the original Active Directory did not provide bulk creation and administration functions, administrators had to manually create, remove, and edit user accounts one by one, which was time-consuming.

Solutions and outcome: IT administrators at Interfaith Medical Center used bulk management capabilities to create, remove, and edit numerous Active Directory accounts to set specific user permissions in a single operation. 

  • Centralized access management: Administrators ensured that all network access is through a login that is unique to the employee and not shared.
  • Automated RBAC management: The company claimed that after the bulk role-based access control implementation it can confidently manage 1,000+ user objects, 750+ mailboxes, and 850+ workstations with two DBAs and five help desk specialists.2

*A federal statute that mandated the development of national standards to protect private patient health data. Unless otherwise permitted by law, patient health information may not be used or shared without consent.

3. Western Union

The Western Union Company is an American international financial services firm with 5,000+ employees headquartered in Denver, Colorado.

Challenges operating a centralized identity warehouse: The company’s systems at the time did not allow it to glean source data from numerous apps into an identity warehouse, resulting in an unclear picture of user access controls. For example, when managers requested access remediation they had to go through a ticketing system, but the system did not reliably update the user profile.

Time-consuming administration of access controls: Administering access controls and reacting to regulatory changes took a long time. Each new hire required access to 7-10 applications and their related permissions. The access was supplied manually, and it took ~20 minutes per person to submit the access request and receive first-level approval.

The company wanted to see who has access to which programs, services, and files, and to be able to assess whether that access complies with its security policy.

Solutions and outcome: Western Union transitioned from the previous program to an identity and access management (IAM) platform with RBAC capabilities for ~750 applications.

  • Enhanced network visibility with an identity warehouse: Western Union started collecting all of the necessary role-based identity data from their HR systems as a single identity warehouse, enabling them to get full insight into users’ access privileges across a centralized environment with 600+ applications.
  • Robust user database management: The company claims that the role-based identity management solution streamlined its provisioning procedure for departments that routinely hire new employees.  Hence, their provisioning of 50 users now takes 2.5 minutes, down from 14 minutes.3

4. A large bank

A large bank with a centralized site reliability engineering (SRE) team that oversees network security operations for all resources inside the firm.

Challenges — maintaining manual access controls across Kubernetes and cloud deployments: The SRE team needed role-based administrative access to view the resources of all teams in each account inside the bank. Manually maintaining this access configuration across a growing number of accounts was error-prone and did not satisfy certain network audit controls, since sub-account administrators could change the granted access.

Solutions and outcome: The bank used templates to define role-based access controls (RBAC) for its SRE team and assigned them to the organization’s accounts.

  • Enhanced control with access policy templates: The bank created access policy templates for managing cloud Kubernetes clusters and cloud service clusters for MongoDB instances in the sub-accounts. Next, it assigned the profile template to the user accounts and provided the SRE team with policy templates carrying the needed permissions. Finally, with the role-based profile templates, SRE access was rolled out to the user accounts and the sub-account administrators lost their ability to change access controls.4

5. VLI

VLI provides rail-based logistics solutions in Brazil. It manages a railroad system, 100 locomotives, and over 6,000 train vehicles, with 8,000 employees and 1,000 contractors.

Challenge — complex supply chain access controls: The company declared that they have difficulties assigning access to records of goods movement and transactions.

VLI’s CISO states that they have ~9,000 employees who need to use various systems to move the trains, and that they need a governed system for better timing, since employees cannot wait for access to unload a truck.

For example, truck drivers and train operators had to continually sign on to systems to obtain information and transactions as part of the cargo routine, which slowed the process and reduced productivity. Despite the company’s vast IT and development teams, there was no mechanism to detect or track privileged individuals who accessed VLI servers. 

Solutions and outcome: VLI migrated to a centralized user access control platform.

  • Fast user access management: VLI gained the ability to give the right users access to the relevant resources at the right time. VLI reduced user access request response times from 5 days to seconds.
  • Secured servers: VLI secured its servers by removing the need for shared privileged login credentials.
  • Reduced the risk of malware and ransomware attacks: VLI limited the number of non-administrator users with administrative access on endpoints and set up lists of trusted and untrusted applications and commands, thus minimizing the risk of cyber attacks.5

Read more: Cybersecurity risk management, most common cyber attack vectors.

6. Nine Entertainment

Nine Entertainment is Australia’s largest domestically owned media company.

Challenge: In December 2018, Nine Entertainment merged with Fairfax Media. After the transaction, Fairfax faced issues providing secure application access.

For example, the merger required new multi-factor authentication (MFA) enrollment for users; however, maintaining these custom-built solutions became a heavy load on the technical staff, who struggled to manage thousands of access control permissions. Furthermore, as Fairfax introduced more SaaS services, Nine Entertainment’s IT team had to connect each app to Active Directory (AD) manually. As a result, app deployment was laborious and time-consuming, frequently leaving business users waiting for access.

Solutions and outcome: Nine Entertainment created a unified directory with real-time AD sync and MFA to build standardized RBAC procedures.

  • Unified access management: The company effectively uses 200+ connections to provide access to 50+ applications and multiple WordPress sites based on custom-built permissions.
  • Improved authentication controls: With the software implementation, Nine Entertainment users are no longer prompted for MFA; authentication occurs seamlessly. For example, with identity management and RBAC features, Nine Entertainment can detect users logging in from any location, such as a home office. And if a user needs to enroll in identity-based authentication, they are guided through a self-service, wizard-based enrollment procedure.6

What is RBAC?

Role-based access control (RBAC) is a security model that controls user access in order to protect resources such as information, applications, and systems against unauthorized access, manipulation, or removal. RBAC grants access according to the needs and position of the user, using criteria such as:

  • Access permissions (e.g. which resources users can view).
  • The scope of permitted actions (e.g. to what extent users can view, create, or change resources).
  • Access session duration (e.g. how long a user can access the resources).

Figure 1: Role assignments of role-based access control

Organizations without RBAC may struggle with the following tasks:

  • Applying the “least privilege” principle can be difficult for administrators because they cannot clearly see user roles and permissions. For example, administrators might not be able to identify the lowest degree of access an employee needs to accomplish his or her tasks.
  • Onboarding requests (e.g. permissions for new hires) may require additional time and effort because access requests are submitted case by case using specific forms.
  • Controlling the access of people who switch jobs may require complex adjustment requests on an individual basis.
  • Risk of unauthorized access, including misuse through mirrored access, where one user’s permissions are simply copied from another’s (so that Bert’s access ends up looking like Eva’s).

Read more: Mandatory access control (MAC).

5 Benefits of RBAC

1. Limited excessive access

With the transition to cloud infrastructure, SaaS apps, and the simplicity of single sign-on (SSO), individuals and groups frequently inherit roles with excessive access. RBAC helps reduce this risk by designing groups and subgroups so that users only have access to what they need.

Example: Assume users are submitting their images to a competition for the best travel photos, and we expect only the competition judges to see those photos. The policy outlined below allows any user in the “travel_photo_judges” group to view the photo “travel_photo1997.jpg”.

This is accomplished by RBAC evaluation: the group information is passed to the evaluation engine, which determines whether the user identified in the permission request is a member of the group.
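The following Python is an added example of that evaluation, written for this article rather than taken from the page or from any particular policy engine. The group membership table, the policy statements and the user names are constructed assumptions. It goes slightly beyond the text's single rule: policies are data, a "*" resource matches everything, the default decision is deny, and an explicit deny takes precedence over any allow (so a user who is both a judge and a contestant is still denied the view).

```python
# Constructed example: a small policy engine that decides a request from
# group membership. Groups, policies and user names are assumptions.

# Group membership is the "group information" handed to the engine with the request.
GROUP_MEMBERS = {
    "travel_photo_judges": {"judge_alice", "judge_bob"},
    "contestants": {"carol", "dave", "judge_bob"},
}

# Policy statements: a group, the actions it may take and the resources they cover.
# A "*" resource matches every resource; an explicit deny always wins over an allow.
POLICIES = [
    {"effect": "allow", "group": "travel_photo_judges",
     "actions": {"view"}, "resources": {"travel_photo1997.jpg"}},
    {"effect": "allow", "group": "contestants",
     "actions": {"upload"}, "resources": {"*"}},
    {"effect": "deny", "group": "contestants",
     "actions": {"view"}, "resources": {"travel_photo1997.jpg"}},
]


def groups_of(user):
    """Every group the user belongs to; an unknown user belongs to none."""
    return {group for group, members in GROUP_MEMBERS.items() if user in members}


def _matches(policy, groups, action, resource):
    """A statement applies when the caller is in its group and action/resource fit."""
    return (policy["group"] in groups
            and action in policy["actions"]
            and ("*" in policy["resources"] or resource in policy["resources"]))


def evaluate(request):
    """Return (decision, reason) for a {"user", "action", "resource"} request.

    Default deny: with no applicable allow the answer is "deny", and any
    applicable deny statement overrides every allow.
    """
    groups = groups_of(request["user"])
    allowed_by = None
    for policy in POLICIES:
        if not _matches(policy, groups, request["action"], request["resource"]):
            continue
        if policy["effect"] == "deny":
            return ("deny", f"explicit deny for group {policy['group']}")
        allowed_by = policy["group"]
    if allowed_by is not None:
        return ("allow", f"allowed via membership of {allowed_by}")
    return ("deny", "no matching allow statement (default deny)")


if __name__ == "__main__":
    for user in ("judge_alice", "carol", "judge_bob", "nobody"):
        request = {"user": user, "action": "view", "resource": "travel_photo1997.jpg"}
        print(user, "->", evaluate(request))
```

Returning the reason alongside the decision is what makes the check auditable: a denied request in the logs states which statement fired or that nothing matched, which is the information an administrator needs to review excessive or missing grants.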

2. Unique access control policies

RBAC systems can provide unique access control policies based on companies’ needs compared to mainframe access control systems (e.g. resource access control facility or RACF). With mainframe systems, an operator job can access all resources but not modify permissions, whereas a security officer can change permissions but not access resources.7

Example: RBAC system administrators can also use roles for administrative purposes, restricting network access based on an individual’s role, such as a “guest user with limited permissions” role.

3. Application level support

RBAC helps companies take a granular approach to access by supporting permissions at the application level.

Example: RBAC can assign a set of permissions in a writing program that allows users to read, edit, and delete content. Consider “user A”, who can read content in the writing application but cannot edit or delete it. When user A tries to edit content, the application does not perform the request: a requested action is executed on an item stored in the application database only if the corresponding data access check evaluates to TRUE.

4. Flexible role allocation

RBAC models can build relationships between roles, permissions, and users. Two roles can be declared mutually exclusive, so that no single user may hold both. Roles can inherit permissions granted to other roles.

Example: When a permission is defined, it can be allocated to numerous roles. For example, Matt may hold both the administrator and financial specialist roles, while Eva may only have the financial specialist role.
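The application-level check in benefit 3 and the multi-role and mutually exclusive role relationships in benefit 4 can be shown together. The Python below is an added example written for this article, not code from any product or source the page cites. The role names, the permission names, the writing application and the separation-of-duties pair (financial specialist versus invoice approver) are constructed assumptions; Matt, Eva and user A follow the text's examples. The application refuses an operation and leaves its data untouched whenever the permission check is false, and the role store refuses to assign a role that conflicts with one the user already holds.

```python
# Constructed example: application-level permission checks, users holding more
# than one role, and a pair of mutually exclusive roles. All names are assumptions.

ROLE_PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "edit"},
    "admin": {"read", "edit", "delete"},
    "financial_specialist": {"read", "submit_invoice"},
    "invoice_approver": {"read", "approve_invoice"},
}

# Static separation of duties: no single user may hold both roles of a pair.
MUTUALLY_EXCLUSIVE = [frozenset({"financial_specialist", "invoice_approver"})]


class RoleStore:
    """Maps users to the set of roles they hold and enforces the exclusivity rule."""

    def __init__(self):
        self._roles = {}

    def roles(self, user):
        return set(self._roles.get(user, set()))

    def can_assign(self, user, role):
        """False for an unknown role or one that conflicts with a role already held."""
        if role not in ROLE_PERMISSIONS:
            return False
        held = self.roles(user)
        return not any(role in pair and held & (pair - {role})
                       for pair in MUTUALLY_EXCLUSIVE)

    def assign(self, user, role):
        if not self.can_assign(user, role):
            raise ValueError(f"cannot assign role {role!r} to {user!r}")
        self._roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.roles(user):
            perms |= ROLE_PERMISSIONS[role]
        return perms


class WritingApp:
    """Checks the permission before every operation; a denied request changes nothing."""

    def __init__(self, store):
        self.store = store
        self.docs = {"doc1": "first draft"}  # constructed sample content

    def _allowed(self, user, action):
        return action in self.store.permissions(user)

    def read(self, user, doc_id):
        return self.docs.get(doc_id) if self._allowed(user, "read") else None

    def edit(self, user, doc_id, body):
        if not self._allowed(user, "edit") or doc_id not in self.docs:
            return False
        self.docs[doc_id] = body
        return True

    def delete(self, user, doc_id):
        if not self._allowed(user, "delete") or doc_id not in self.docs:
            return False
        del self.docs[doc_id]
        return True


def build_demo():
    """Matt: admin + financial specialist; Eva: financial specialist only; user A: reader only."""
    store = RoleStore()
    store.assign("matt", "admin")
    store.assign("matt", "financial_specialist")
    store.assign("eva", "financial_specialist")
    store.assign("user_a", "reader")
    return store, WritingApp(store)


if __name__ == "__main__":
    store, app = build_demo()
    print("user_a reads:", app.read("user_a", "doc1"))
    print("user_a edits:", app.edit("user_a", "doc1", "tampered"))
    print("matt deletes:", app.delete("matt", "doc1"))
    print("eva may become invoice approver:", store.can_assign("eva", "invoice_approver"))
```

Keeping the check inside the application (`_allowed`) rather than in the caller means every entry point is covered by the same rule, and returning a plain refusal instead of partially applying the change is what the text's "only if TRUE" condition amounts to in practice.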

5. Demonstrating compliance

Implementing RBAC helps financial institutions and healthcare providers demonstrate compliance with technical and operational requirements such as HIPAA, PCI, and PHI.

For guidance on choosing the right tool or service, check out our data-driven sources: network security policy management (NSPM) tools and incident response tools.
