Role Based Access

On reading the white paper “Beyond Roles: A Practical Approach to Enterprise User Provisioning”, I was interested to read about the potential problems and overhead of Role Based Access (RBA) in certain systems. RBA works well in single systems where the number of roles is manageable and the number of combinations of user rights tends to be small. It also works well in systems where a large number of users have exactly the same privilege requirements, e.g. bank tellers, flight attendants etc.

Request-Based User Administration strategy

Scalability of roles and privileges becomes very tedious, time consuming and expensive for larger companies when using RBA. This is because of the large number of role definitions required: slight variances between users' needs lead to multiple role definitions with only minor differences between them. The maintenance of these roles also requires a lot of time and effort on a continuous basis.

A possible solution is to empower managers to grant permissions to the people working for them, and users to request the permissions they need from their managers. This solution is scalable but has some problems, namely users accumulating privileges, slow approval of requests and unreliable access termination. To address the accumulation and termination problems, managers would need to carry out regular audits of the access held by their staff members.
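As an added illustration, not taken from the white paper or this post, here is a small Python model of the manager audit described above. It assumes a flat list of approved grants plus a reporting line, and flags the failure modes named in the text: access surviving termination, grants never re-certified, grants approved by someone other than the current manager, and users who have accumulated more privileges than a chosen limit. All names, dates and thresholds are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Grant:
    user: str
    privilege: str
    approver: str        # manager who approved the original request
    approved_on: date
    last_reviewed: date  # last time a manager re-certified this grant

# Constructed sample data (hypothetical): reporting line and current staff.
MANAGER_OF = {"alice": "bob", "carol": "bob", "dave": "erin"}
ACTIVE_USERS = {"alice", "carol"}  # dave has left, but a grant lingers
TODAY = date(2011, 4, 13)

GRANTS = [
    Grant("alice", "ledger:read", "bob", date(2010, 1, 5), date(2010, 1, 5)),
    Grant("alice", "ledger:write", "bob", date(2010, 6, 1), date(2011, 1, 10)),
    Grant("alice", "payroll:read", "erin", date(2009, 3, 2), date(2009, 3, 2)),
    Grant("carol", "ledger:read", "bob", date(2011, 2, 1), date(2011, 2, 1)),
    Grant("dave", "hr:write", "erin", date(2010, 9, 9), date(2010, 9, 9)),
]

def audit(grants, today, max_age_days=180, max_privileges=2):
    """Return one finding per grant a manager must act on, with reasons."""
    stale_before = today - timedelta(days=max_age_days)
    held = Counter(g.user for g in grants)  # privilege count per user
    findings = []
    for g in grants:
        manager = MANAGER_OF.get(g.user)
        reasons = []
        if g.user not in ACTIVE_USERS:
            reasons.append("user terminated, access not revoked")
        if g.last_reviewed < stale_before:
            reasons.append("not re-certified within %d days" % max_age_days)
        if g.approver != manager:
            reasons.append("approved by %s, not current manager %s" % (g.approver, manager))
        if held[g.user] > max_privileges:
            reasons.append("holds %d privileges (limit %d)" % (held[g.user], max_privileges))
        if reasons:
            findings.append({"manager": manager, "user": g.user,
                             "privilege": g.privilege, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(GRANTS, TODAY):
        print("%s -> %s/%s: %s" % (f["manager"], f["user"], f["privilege"], "; ".join(f["reasons"])))
```

Each finding is addressed to the manager who must decide whether to revoke or re-certify, which is the audit step the post proposes for the accumulation and termination problems.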


Reference: http://www.idsynch.com/docs/beyond-roles.html

Posted Wednesday, April 13th, 2011 under System Design.
