CYB 200 SNHU Computer Science Role Based Access Control Matrix Paper

Overview

In this exercise, you will develop a role-based access control (RBAC) matrix for user access control. RBAC matrices, as a security architecture concept, are a way of representing access control strategies visually. They help the practitioner ensure that the access control strategy aligns with the specific access control objectives. Matrices also help show when access controls may conflict with job roles and responsibilities. When you are completing this type of task, there are a few questions you should always be thinking about:

  • Who gets to log into the system?
  • Who gets to view what?
  • What kind of data are you dealing with (basic data vs. information subject to privacy controls)?
  • Who gets to add or delete? Who is view-only?
  • Who should not have permission?

Scenario

You are a security analyst for a healthcare firm assigned to create an RBAC matrix for a new software-as-a-service (SaaS) application for managing patient medical files. There are six individuals who have roles within the system and need varying levels of access to the medical patient software. Your objectives are to set up the RBAC matrix to:

  • Ensure individuals have access to necessary information for their job role
  • Maintain patient privacy by adhering to the Fundamental Security Design Principle of least privilege (i.e., business need-to-know)

The following SaaS application parameters need to be determined:

  • Access to patient information
  • Access to employee information
  • Access to the SaaS
  • Access to backup logs

See the User Job Roles and Characteristics table below for information on the users, their roles in the organization, and their job descriptions.

User Job Roles and Characteristics

User: Norman
Job Role: Remote call-center employee
Job Characteristics:
  • Has the ability to log into the medical SaaS as an employee, and has remote access to employee machines for purpose of fixing or diagnosing computer issues
  • Has the ability to create user accounts and assign passwords
  • Has no right to view patient information
  • Has the ability to view the backup logs for important system information

User: Ryhead
Job Role: Sales representative for the healthcare firm
Job Characteristics:
  • Has access to the software but only for showing potential new customers
  • Has the ability to create dummy user accounts for demo purposes
  • Has no ability to modify any patient information, and can only show screens for demo purposes
  • Has no access to the backup logs

User: Simone
Job Role: HR representative for the healthcare firm
Job Characteristics:
  • Has the ability to log into the system
  • Has no abilities with user accounts
  • Has access to the software and employee records but should have no access to patient information
  • Has no access to the backup logs

User: Janet
Job Role: Application administrator for the SaaS application
Job Characteristics:
  • Has full access to software, has the ability to change or modify settings in the system as needed, and has the ability to provide an override code
  • Has the ability to view, create, modify, and delete user accounts
  • Has no rights to change patient information
  • Has the ability to view, modify, and delete backup logs for the SaaS

User: Dale
Job Role: Nurse
Job Characteristics:
  • Has access to the system for patient information
  • Has no abilities with user accounts
  • Has the ability to view, create, and modify patient information, but does not have the right to delete patient information without an override code
  • Has no access to backup logs

User: Ethan
Job Role: Auditor
Job Characteristics:
  • Has the ability to log into the system but can only view information
  • Has no abilities with user accounts
  • Has no ability to create, modify, or delete patient information
  • Has the ability to view backup logs
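
As an added illustration (not part of the assignment or its template), the sketch below shows how an RBAC matrix can be held as data, checked deny-by-default, and used to flag grants that exceed a role's need-to-know. It transcribes the stated characteristics of three of the six users only; the resource keys, the boolean override flag, and the `PROPOSED` misconfiguration are assumptions constructed for the example.

```python
# Need-to-know baseline transcribed from the scenario for three of the six
# users. Resource keys and the override mechanism are assumptions of this sketch.
BASELINE = {
    "Norman": {"patient_info": set(), "user_accounts": {"create"},
               "backup_logs": {"view"}},
    "Dale": {"patient_info": {"view", "create", "modify"},
             "user_accounts": set(), "backup_logs": set()},
    "Ethan": {"patient_info": {"view"}, "user_accounts": set(),
              "backup_logs": {"view"}},
}
# Actions permitted only when an override code accompanies the request.
OVERRIDE_ONLY = {("Dale", "patient_info", "delete")}


def is_allowed(user, resource, action, override=False, matrix=BASELINE):
    """Deny by default: unknown users, resources and actions get no access."""
    if action in matrix.get(user, {}).get(resource, set()):
        return True
    return override and (user, resource, action) in OVERRIDE_ONLY


def excess_grants(proposed, baseline=BASELINE):
    """Return (user, resource, action) grants in `proposed` beyond the baseline."""
    findings = []
    for user, resources in proposed.items():
        for resource, actions in resources.items():
            allowed = baseline.get(user, {}).get(resource, set())
            for action in sorted(actions - allowed):
                findings.append((user, resource, action))
    return findings


# Constructed misconfiguration: two grants that exceed the scenario's roles.
PROPOSED = {
    "Norman": {"patient_info": {"view"}, "user_accounts": {"create"},
               "backup_logs": {"view"}},
    "Dale": {"patient_info": {"view", "create", "modify", "delete"}},
}

if __name__ == "__main__":
    print(is_allowed("Dale", "patient_info", "delete"))
    print(is_allowed("Dale", "patient_info", "delete", override=True))
    for finding in excess_grants(PROPOSED):
        print("exceeds least privilege:", finding)
```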

Prompt

  • RBAC Matrix: Populate the RBAC matrix in the Module Four Activity Template using one or more of the necessary actions (view, create, modify, delete, none).
  • Essential Questions: Answer the following short response questions based on your populated table in the template:
      • What changes could be made to user roles through implementation of least privilege to better support that security design principle? (Hint: Refer to the characteristics in the scenario table above, and consider the characteristics that may be contradictory.)
      • What is the importance of this tool to you as a security analyst in managing and protecting the environment? Provide an example.
