RBAC For More

Organizations that face significant regulatory scrutiny — or have large numbers of disparate systems containing highly sensitive data — are the most likely to have, or at least to need, Role-Based Access Control (RBAC). Such organizations are usually pursuing two ends: visibility into each user's access profile, and limits on what that profile allows.

The first is separation of duties, ensuring that critical processes (often those affecting financial statements) are not subject to fraud. For example, an accounts manager who can modify a customer's account information and also approve and release refund payments can direct those payments to their own account. The refund process needs to be broken down into discrete steps for which distinct employees are responsible. Those controls are much more easily enforced when each staff member is assigned a role granting privileges to only the limited steps for which they are responsible. Since many organizations do an abysmal job with ongoing access reviews, individual entitlements for staff in sensitive departments are a certain prescription for audit findings or regulatory breakdowns.
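The refund process above, as an added example that is not from the original post: a toy RBAC engine with the three refund steps as separate roles, a static separation-of-duties list that keeps account editing apart from money movement, and a dynamic check that no single person performs two steps of the same refund. Role names, users and step names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Role -> permissions; each permission is one discrete step of the refund process.
# All role and permission names are constructed for this example.
ROLES = {
    "account_admin":   {"account:modify"},
    "refund_approver": {"refund:approve"},
    "payment_release": {"refund:release"},
}

# Static separation of duties: whoever can edit a customer's payee details
# must never also hold a role that approves or releases money.
EXCLUSIVE_ROLE_PAIRS = {
    frozenset({"account_admin", "refund_approver"}),
    frozenset({"account_admin", "payment_release"}),
}

STEP_ORDER = ["approve", "release"]  # release is only valid after approve

@dataclass
class Refund:
    refund_id: str
    steps_done: dict = field(default_factory=dict)  # step -> user who did it

def role_conflicts(user_roles: dict, user: str, role: str) -> bool:
    """True if granting `role` to `user` would violate the static SoD list."""
    return any(frozenset({held, role}) in EXCLUSIVE_ROLE_PAIRS
               for held in user_roles.get(user, set()))

def grant_role(user_roles: dict, user: str, role: str) -> None:
    """Grant a role, refusing any combination on the static SoD list."""
    if role_conflicts(user_roles, user, role):
        raise PermissionError(f"{user}: {role} conflicts with an existing role")
    user_roles.setdefault(user, set()).add(role)

def has_permission(user_roles: dict, user: str, perm: str) -> bool:
    return any(perm in ROLES[r] for r in user_roles.get(user, ()))

def perform_step(user_roles: dict, refund: Refund, user: str, step: str) -> bool:
    """Run one refund step. Enforces the role check, step ordering and
    dynamic SoD: no single user may perform two steps of the same refund."""
    if not has_permission(user_roles, user, f"refund:{step}"):
        return False
    idx = STEP_ORDER.index(step)
    if any(prev not in refund.steps_done for prev in STEP_ORDER[:idx]):
        return False  # an earlier step has not been completed
    if step in refund.steps_done or user in refund.steps_done.values():
        return False  # step already done, or this person already touched the refund
    refund.steps_done[step] = user
    return True
```

Granting a user both refund roles is allowed here; the dynamic check still stops that user from both approving and releasing the same refund.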

The other control RBAC provides is restricting what data each associate can access. For example, the various investment teams at a financial services firm where I formerly worked jealously guarded their respective research, investment decisions, portfolio weightings and trading activities. The segregation was further compounded by strong demarcation between the equity, fixed income, high income and institutional groups. So roles were a business enabler that allowed these groups to compete
