Need to Know: Implementing Role-Based Access Controls

Posted by Tim Pritchett on 12/9/2019

Managing an ever-increasing volume of data in any organization can be challenging. Navigating privacy laws like FERPA, HIPAA, and COPPA while delivering the necessary services for students is a full-time undertaking. As organizations have grown and their databases and scope of data has grown, managing access to that data is a critical task. In large school corporations organizations must establish policies or practices for determining the depth and length of data access.

A Role-Based Access Control (RBAC) model is a tested solution to the issues presented with data access management. At a minimum, RBAC provides an architecture for a “need to know” data management policy. Additionally, this model provides a school corporation a justification for why people have access to the data they use at work and a defense if access is denied. The model involves thoughtful decisions about Users or User Groups, their Role, and the Rights to Assets that those users or groups need to effectively do their jobs.

Users and User Groups

In an organization of 2,000 employees or even 200, making individual decisions for every user for every piece of data or job function is far from a sustainable practice. Identifying organizational units, typically buildings or departments, is the first step to segregating your data and ultimately separating data access. Those organizational units within Microsoft Active Directory or Google Admin Console, for example, allow you to crosswalk those data lines to any other system like your SIS.

Roles

Image Source: https://www.dnsstuff.com/rbac-vs-abac-access-control  Once your users are grouped into a manageable number of organizational units, you can begin defining roles that span those units. Administrator, Teacher, Support Staff, Administrative Assistant, etc. are common roles in school corporation. An individual user based on their employee type is assigned a role and one or more organizational units upon account creation or position change. You may find roles that span all entities in your school system for some users or roles that are confined to a single building.

Rights and Assets

Now that you have answered the “Who?” you can move on to the “What?” Whether it is access to shared files in a Team Drive or Sharepoint site, the ability to modify a master schedule in the SIS, or membership in an email distribution list, your RBAC model defines what rights and what assets a user can access. As you modify and edit the rights for a role, keep in mind that you will no longer give individual employees access to specific information or assets, but make decisions based on the job function of that role. Changes impact all members of that role.

Getting Started

  • Identify or review the number and scope of your user groups
  • Assemble a team of key stakeholders including individuals outside of your technology department to review job functions and necessary access levels
  • Schedule phased implementation

 

Related Links:

National Institute of Standards and Technology - Implementing Role-Based Access Control

Establishing role-based access control in the workplace, CIO Weekly, 1.24.18


Tim Pritchett is the Director of Technology at Monroe County Community School Corporation in Bloomington, Indiana. Tim holds a technical degree in Cybersecurity and Information Assurance in addition to CompTIA Security+ certification.