Physical access privilege assignments are generally simpler than IT permissions. For example, where an accounts payable department may have many different sets of information access requirements, most of its personnel share the same physical access requirements. The roles themselves stay the same. Establishing RBAC for physical security is therefore simpler than for IT security: it typically uses a subset of the roles that IT security uses, and each role carries far fewer distinct privileges.
Here are three ways to implement RBAC for Physical Access:
Procedural – the use of documented manual procedures to establish RBAC, as depicted in Figure 4.
Directory-driven – the same as the Procedural approach, except that the physical access control system (PACS) obtains roles directly from the Role Catalog through an LDAP or other directory interface.
System-based – the physical access control system enforces RBAC, with or without a directory interface, as described in the section that follows.
According to security practitioners who have implemented RBAC, about 75 to 80 percent of access requirements are covered by role-based privilege assignment; the remainder is covered by individual privilege assignments. A physical security example of an individual privilege assignment is the card or electronic key for a manager’s own office door. Only the manager has access to that door, except perhaps for emergency and cleaning access privileges. So while the majority of personnel have cubicles or desks in common areas, office door access may be an individual privilege assignment per cardholder for a subset of personnel. This in no way lessens the simplification RBAC brings to access management: the “one-off” and “individual assignment” cases are reduced by up to 80 percent, the confusion factor is practically eliminated, and audit reviews are definitely streamlined.
System-Based RBAC for Physical Access
RedCloud Security’s Express and Enterprise appliances (www.RedCloudSecurity.com), demonstrated at ISC West, provide RBAC management in conformance with relevant portions of the ANSI/INCITS 359 RBAC standard.
Figure 5 shows the creation of the Physician role, which inherits the access privileges of the Resident role. Creation can be automatic, by import from the corporate directory’s Role Catalog, or manual if the system is a standalone (non-integrated) system.
Audit-Proof Physical Access
“Audit-proof physical access” requires a physical access control management process that is clearly defined and easily managed, and under which access privileges are assigned and updated in a timely manner according to job positions, responsibilities and duties. If you don’t have that now, consider using RBAC to help you create that state for physical access management.
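To make the three ideas above concrete (a role such as Physician inheriting from Resident, the manager’s office door as an individual assignment rather than a role, and an audit review that separates the two), here is a small Python model of the privilege resolution a PACS performs. It is an added example, not code from this column, from RedCloud Security or from any other vendor. The role catalog, door names and badge IDs are constructed for a hypothetical hospital site; in a directory-driven deployment the ROLE_CATALOG dictionary would be populated from the corporate directory’s Role Catalog over LDAP rather than hard-coded.

```python
"""RBAC for physical access: role hierarchy, individual exceptions, audit check.

Added example, not code from the column or any PACS vendor. The role catalog,
doors and badge IDs are constructed for a hypothetical hospital site.
"""

# Role catalog (constructed): the roles a role inherits from, plus the doors it
# grants directly. Inherited doors are resolved by expand_roles().
ROLE_CATALOG = {
    "Employee":        {"inherits": [],           "doors": {"Main Entrance", "Cafeteria"}},
    "Resident":        {"inherits": ["Employee"], "doors": {"Ward A", "Ward B"}},
    "Physician":       {"inherits": ["Resident"], "doors": {"Surgery Suite"}},
    "Cleaner":         {"inherits": ["Employee"], "doors": {"Ward A", "Ward B", "Office 301"}},
    "AccountsPayable": {"inherits": ["Employee"], "doors": {"Finance Suite"}},
}

# Cardholders (constructed): badge ID -> roles held, plus per-person door grants.
CARDHOLDERS = {
    "C1001": {"roles": ["Physician"],       "individual": set()},
    "C1002": {"roles": ["Resident"],        "individual": set()},
    "C2001": {"roles": ["AccountsPayable"], "individual": {"Office 301"}},  # AP manager's own office
    "C2002": {"roles": ["AccountsPayable"], "individual": set()},
    "C3001": {"roles": ["Cleaner"],         "individual": {"Cafeteria"}},   # already granted via Employee
}


def expand_roles(role, catalog=ROLE_CATALOG):
    """Return the role plus every role it inherits from, transitively.

    Raises ValueError on an unknown role or an inheritance cycle, so a bad
    catalog import fails loudly instead of silently granting the wrong doors.
    """
    result = set()

    def visit(r, path):
        if r in path:
            raise ValueError("inheritance cycle: " + " -> ".join(path + [r]))
        if r not in catalog:
            raise ValueError(f"unknown role {r!r}")
        if r in result:  # diamond inheritance: already resolved via another path
            return
        result.add(r)
        for parent in catalog[r]["inherits"]:
            visit(parent, path + [r])

    visit(role, [])
    return result


def catalog_is_valid(catalog=ROLE_CATALOG):
    """True when every role resolves without unknown parents or cycles."""
    try:
        for role in catalog:
            expand_roles(role, catalog)
    except ValueError:
        return False
    return True


def role_doors(roles, catalog=ROLE_CATALOG):
    """Doors granted by a list of roles, including everything they inherit."""
    doors = set()
    for role in roles:
        for r in expand_roles(role, catalog):
            doors |= catalog[r]["doors"]
    return doors


def effective_doors(badge, cardholders=CARDHOLDERS, catalog=ROLE_CATALOG):
    """Role-derived doors plus the cardholder's individual assignments."""
    rec = cardholders[badge]
    return role_doors(rec["roles"], catalog) | rec["individual"]


def is_authorized(badge, door, cardholders=CARDHOLDERS, catalog=ROLE_CATALOG):
    """The PACS decision when a card is presented at a reader; unknown badges are denied."""
    return badge in cardholders and door in effective_doors(badge, cardholders, catalog)


def audit_report(cardholders=CARDHOLDERS, catalog=ROLE_CATALOG):
    """Share of all grants that are role-based, plus the per-person exceptions.

    'individual' lists doors only an individual assignment grants; 'redundant'
    lists individual grants a role already covers (clutter an auditor removes).
    """
    role_grants = indiv_grants = 0
    individual, redundant = {}, {}
    for badge, rec in cardholders.items():
        by_role = role_doors(rec["roles"], catalog)
        extra, dup = rec["individual"] - by_role, rec["individual"] & by_role
        role_grants += len(by_role)
        indiv_grants += len(extra)
        if extra:
            individual[badge] = extra
        if dup:
            redundant[badge] = dup
    total = role_grants + indiv_grants
    return {"role_based_share": role_grants / total if total else 1.0,
            "individual": individual, "redundant": redundant}
```

Running `audit_report()` on the constructed data reports that the only genuine individual assignment is badge C2001’s office door, that C3001’s individual Cafeteria grant is redundant because the Employee role already covers it, and that all but one of the grants on the site come from roles. The cycle check in `expand_roles` matters in the directory-driven case: a Role Catalog imported over LDAP can contain inheritance loops or references to roles that no longer exist, and the PACS should refuse such a catalog rather than resolve it to an empty or partial door set.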
Write to Ray about this column at ConvergenceQA@go-rbcs.com. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788. Mr. Bernard is also a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).