Pau Lo asked on

role based access in AD

The organisation I work for (I work in risk not IT) is moving to a role based access control model for assigning permissions to users on our numerous file servers.

At present file server access is locked down via groups, i.e.:

\\fileserver\department\teamXYZ - would only be accessible via a domain group called “teamXYZ” (and IT support groups)

I must confess I don't really see what is wrong with this approach, or how it is bad practice (feel free to explain; I am not a fan of changing something that isn't broken and works well).

But apparently we are going down the RBAC route. I wasn't sure if AD actually has "roles": I can see users and groups in ADUC, but can't say I have ever seen a "role" object in AD.
But that aside, how is RBAC more secure than group-based permissions? And from a risk perspective, are there any specific risks associated with RBAC, and what compensating controls/best practices mitigate the new risks associated with using RBAC models?
Tags: Security, OS Security, Active Directory

Last comment: Rich Rumble, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Marcus Capps

SOLUTION
JohnKillilea

Marcus Capps

Completely agree with John, it can be a fantastic thing if done correctly!
ASKER
Pau Lo

Thank you.

So there is no such object as a role in AD; it's essentially a group? I wasn't sure if there was an actual AD object called a role.
JohnKillilea

No, there is no actual object that is a role. You just use a group and call it a role.
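The following is an added example and is not part of the thread or any poster's own code. It shows, in PowerShell with the ActiveDirectory module, what "use a group and call it a role" looks like in practice using the AGDLP layering Microsoft has long recommended (accounts in Global "role" groups, role groups nested in Domain Local "resource" groups, resource groups alone on the NTFS ACL), plus an audit function for the risk the asker raises: access that quietly bypasses the role layer. Every name in it is an assumption: the domain contoso.local, the OUs under OU=Groups, the file server FS1 and its \\FS1\Finance\Reports share, the Role-* and ACL-* naming convention, and the user jdoe. Running it requires RSAT and rights to create groups and modify the folder ACL.

```powershell
# Added example (not from the original thread). Models RBAC on plain AD groups:
#   user accounts -> Global "Role-*" groups -> Domain Local "ACL-*" groups -> NTFS ACE
# Assumed/hypothetical names: domain contoso.local, OUs under OU=Groups,
# file server FS1, folder \\FS1\Finance\Reports, user jdoe.
Import-Module ActiveDirectory

$RoleOU     = 'OU=Roles,OU=Groups,DC=contoso,DC=local'
$ResourceOU = 'OU=ResourceGroups,OU=Groups,DC=contoso,DC=local'

function New-RoleGroup {
    param([Parameter(Mandatory)][string]$Role)
    # One Global security group per job function. People are added ONLY here.
    $name = "Role-$Role"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $RoleOU `
            -Description "Role group: members perform the '$Role' function"
    }
    return $name
}

function New-ResourceGroup {
    param(
        [Parameter(Mandatory)][string]$Path,                                   # UNC folder
        [Parameter(Mandatory)][ValidateSet('Modify','ReadAndExecute')][string]$Right
    )
    # One Domain Local group per (folder, permission level). It is the only
    # non-built-in principal that should ever appear in the folder's ACL.
    $tag  = ($Path -replace '^\\\\','' -replace '[\\\s]','-')   # \\FS1\Finance\Reports -> FS1-Finance-Reports
    $name = "ACL-$tag-" + $(if ($Right -eq 'Modify') { 'RW' } else { 'RO' })
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $ResourceOU `
            -Description "Grants $Right on $Path"
        # Put the resource group on the NTFS ACL once; nothing else is ever added to the ACL.
        $acl  = Get-Acl -Path $Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CONTOSO\$name", $Right, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
    return $name
}

function Grant-RoleAccess {
    param([string]$Role, [string]$Path, [string]$Right)
    # Nest the role into the resource group. Changing what a role may reach means
    # editing this nesting, never touching individual users or the ACL itself.
    $resource = New-ResourceGroup -Path $Path -Right $Right
    $roleGrp  = New-RoleGroup -Role $Role
    Add-ADGroupMember -Identity $resource -Members $roleGrp
}

function Test-RbacHygiene {
    param([string]$Path)
    # Compensating control for the "bypass the role layer" risk: report access that
    # was granted outside the role -> resource -> ACL chain.
    $findings = @()
    # 1. Explicit ACEs on the folder for anything other than ACL-* groups / built-ins.
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $id = $_.IdentityReference.Value
        if ($id -notmatch '\\ACL-' -and $id -notmatch '^(BUILTIN|NT AUTHORITY)\\') {
            $findings += "Direct ACE on $Path for $id ($($_.FileSystemRights))"
        }
    }
    # 2. Users dropped straight into a resource group instead of a role group.
    Get-ADGroup -Filter "Name -like 'ACL-*'" -SearchBase $ResourceOU | ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
            $findings += "User $($_.SamAccountName) is a direct member of resource group $($group.Name)"
        }
    }
    return $findings
}

# Usage: Finance Analysts get read/write on the reports folder, Finance Auditors
# read-only; a person is onboarded by joining a role; then the folder is audited.
Grant-RoleAccess -Role 'Finance-Analyst' -Path '\\FS1\Finance\Reports' -Right 'Modify'
Grant-RoleAccess -Role 'Finance-Auditor' -Path '\\FS1\Finance\Reports' -Right 'ReadAndExecute'
Add-ADGroupMember -Identity 'Role-Finance-Analyst' -Members 'jdoe'
Test-RbacHygiene -Path '\\FS1\Finance\Reports'
```

The point of the two layers is that a role is reviewed by asking "who holds Role-Finance-Analyst" and "what can Role-Finance-Analyst reach", both answerable from group membership alone, without crawling ACLs on every server. The audit function is what turns that design into an enforceable control: run it on a schedule and treat any finding as a policy violation, since a single direct ACE or a user placed straight into an ACL-* group silently reintroduces the per-user sprawl the model was meant to remove.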