Pau Lo
asked on
role based access in AD
The organisation I work for (I work in risk not IT) is moving to a role based access control model for assigning permissions to users on our numerous file servers.
At present file server access is locked down via groups, i.e.:
\\fileserver\department\teamXYZ - would only be accessible via a domain group called "teamXYZ" (and IT support groups)
I must confess I don't really see what is wrong with this approach? Or how it is bad practice? (feel free to explain - I am not a fan of changing something that isn't broke and works well).
But apparently we are going down the RBAC model, I wasn’t sure if AD actually has “roles”, I can see users and groups in ADUC, but can’t say I have ever seen a “role” object in AD?
But that aside, how is RBAC more secure than group based permissions, and from a risk perspective, are there any specific risks associated with RBAC, and compensating controls/best practices to mitigate the new risks associated with using RBAC models.
Completely agree with John, it can be a fantastic thing if done correctly!
ASKER
Thank you.
So there is no such object as a role in AD, its essentially a group? I wasnt sure if there was an actual AD object called a role?
No, there is no actual object that is a role - you just use a group and call it a role.
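As an added illustration of "a group you call a role" (this is example code written for this page, not something posted in the thread or a product's own script): the usual way to do this in AD is the AGDLP pattern. Accounts go into a Global group that represents the job function (the "role"); the role group is nested into a Domain Local group that represents one resource at one access level; and only the resource group appears on the folder's ACL. The domain (corp.local), the OU paths, the group names and the access levels below are assumptions chosen for the example; the share path comes from the question. The final two functions are the compensating controls a risk owner would want: one lists who can actually reach a folder through the nesting, the other flags ACEs that bypass the model (a user or an unrelated group added straight onto the folder).

```powershell
# Added example for this page (not from the original thread): "roles" in AD
# modelled as groups with the AGDLP pattern, plus two review checks.
# ASSUMPTIONS: domain corp.local / NetBIOS CORP, the OU paths, and all group
# names below are made up for illustration.
Import-Module ActiveDirectory

$RoleOU     = 'OU=Roles,OU=Groups,DC=corp,DC=local'       # assumed OU for role groups
$ResourceOU = 'OU=Resources,OU=Groups,DC=corp,DC=local'   # assumed OU for resource groups
$FolderPath = '\\fileserver\department\teamXYZ'             # share path from the question

# 1. Role group (Global scope). Membership answers "who holds this job function?"
New-ADGroup -Name 'Role-TeamXYZ-Analyst' -GroupScope Global -GroupCategory Security -Path $RoleOU

# 2. Resource groups (Domain Local scope). One per folder per access level.
foreach ($level in 'RO', 'RW') {
    New-ADGroup -Name "Res-FS-Dept-TeamXYZ-$level" -GroupScope DomainLocal `
        -GroupCategory Security -Path $ResourceOU
}

# 3. Role -> resource nesting. Granting a role access to a folder is a group
#    membership change, never an ACL change.
Add-ADGroupMember -Identity 'Res-FS-Dept-TeamXYZ-RW' -Members 'Role-TeamXYZ-Analyst'

# 4. Folder ACL: only resource groups are ever placed on the ACL.
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\Res-FS-Dept-TeamXYZ-RW',   # assumed NetBIOS domain name
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 5a. Review control: who effectively has access to a folder, and through which
#     role? Walks each resource group on the ACL down to the user accounts.
function Get-FolderEffectiveAccess {
    param([Parameter(Mandatory)][string]$Path, [string]$ResourcePrefix = 'Res-')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $group = $ace.IdentityReference.Value.Split('\')[-1]
        if ($group -notlike "$ResourcePrefix*") { continue }
        foreach ($role in Get-ADGroupMember -Identity $group) {
            foreach ($user in Get-ADGroupMember -Identity $role -Recursive |
                     Where-Object objectClass -eq 'user') {
                [pscustomobject]@{
                    Path = $Path; ResourceGroup = $group; Role = $role.Name
                    User = $user.SamAccountName; Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# 5b. Drift control: explicit ACEs that are not a resource group bypass the
#     model (someone added a user or a team group directly to the folder).
function Test-RbacDrift {
    param([Parameter(Mandatory)][string]$Path, [string]$ResourcePrefix = 'Res-')
    $allowed = @('SYSTEM', 'Administrators')   # assumed baseline ACEs to ignore
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($name -notlike "$ResourcePrefix*" -and $name -notin $allowed) {
            [pscustomobject]@{
                Path = $Path; Principal = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Finding = 'ACE outside RBAC model'
            }
        }
    }
}

Get-FolderEffectiveAccess -Path $FolderPath | Format-Table
Test-RbacDrift -Path $FolderPath | Format-Table
```

Run the two review functions on a schedule across your shares and feed the output to the role owners for attestation; an empty result from Test-RbacDrift is the evidence that access is still only being granted through roles.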