The organisation I work for (I work in risk not IT) is moving to a role based access control model for assigning permissions to users on our numerous file servers.
At present file server access is locked down via groups, i.e.:
\\fileserver\department\teamXYZ - would only be accessible via a domain group called “teamXYZ” (and IT support groups)
I must confess I don’t really see what is wrong with this approach? Or how it is bad practice? (feel free to explain - I am not a fan of changing something that isnt broke and works well).
But apparently we are going down the RBAC model, I wasn’t sure if AD actually has “roles”, I can see users and groups in ADUC, but can’t say I have ever seen a “role” object in AD?
But that aside, how is RBAC more secure than group based permissions, and from a risk perspective, are there any specific risks associated with RBAC, and compensating controls/best practices to mitigate the new risks associated with using RBAC models.