Access Entitlement: A Graph Based RBAC Implementation
Updated: Apr 21, 2020
Contributors: Seyed Hossein Ahmadinejad, Hadi Ahmadi, Derek Small
Granting or denying access to protected resources and assets is of increasing concern for organizations. The implementation of business continuance plans as a result of shelter in place or work from home pandemic orders is elevating the importance of access management systems. Controlling who has access to protected resources can be achieved by defining fine-grained entitlements for each protected resource and then granting those entitlements to the people, processes or things that need access to it.
Building and maintaining an access entitlement system is significantly onerous in large organizations with many protected resources and many users requesting access to them. Role Based Access Control (RBAC) has been proposed to address the challenge of aggregating fine-grained entitlements into coarse-grained roles using graph algorithms.
Grouping or aggregating entitlements to define roles has remained an open problem. Nulli recently delivered a solution that harnessed the power of the Neo4j™ graph database to facilitate the use of RBAC. Role engineering using a graph database, like Neo4j, provided Nulli with a successful outcome to the challenge of efficiently aggregating entitlements into roles. The Nulli team approached the problem from a perspective that focused on the relationships between users, protected resources, and entitlements. Relationships are critical to the successful definition of aggregated roles, and graph databases excel at surfacing and mapping relationships.
Recent advances in graph storage solutions, and in particular Neo4j, have allowed us to propose the idea of designing and implementing role engineering methods against RBAC states modelled in a graph. The white paper attached to this post provides a succinct explanation of the implemented approach.
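As an added illustration of role engineering over a graph-modelled RBAC state (this is not Nulli's method or code from the white paper), the plain-Python sketch below models the state as user -> entitlement -> resource relationships, mines candidate roles as entitlement sets held in common by several users, and greedily selects the roles that explain the most assignments. The sample assignments are constructed, and the pairwise-intersection plus greedy-cover heuristic is an assumption chosen for brevity.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample RBAC state: one tuple per user -> entitlement -> resource path.
ASSIGNMENTS = [
    ("alice", "read", "payroll-db"), ("alice", "write", "payroll-db"),
    ("bob", "read", "payroll-db"), ("bob", "write", "payroll-db"),
    ("carol", "read", "payroll-db"), ("carol", "write", "payroll-db"),
    ("carol", "deploy", "ci-server"),
    ("dave", "deploy", "ci-server"), ("dave", "read", "ci-server"),
    ("erin", "deploy", "ci-server"), ("erin", "read", "ci-server"),
]

def build_graph(assignments):
    """Map each user to its set of fine-grained entitlements ('action@resource')."""
    graph = defaultdict(set)
    for user, action, resource in assignments:
        graph[user].add(f"{action}@{resource}")
    return dict(graph)

def candidate_roles(graph, min_users=2):
    """Entitlement sets shared by >= min_users users (found as pairwise intersections),
    returned as {frozenset(entitlements): set(users holding all of them)}."""
    roles = {}
    for a, b in combinations(graph, 2):
        shared = frozenset(graph[a] & graph[b])
        if shared and shared not in roles:
            members = {u for u, ents in graph.items() if shared <= ents}
            if len(members) >= min_users:
                roles[shared] = members
    return roles

def engineer_roles(graph, min_users=2):
    """Greedy set cover: repeatedly choose the candidate role that explains the most
    still-unexplained user->entitlement edges. Returns (list of (entitlements, users
    assigned that role), entitlements that no shared role covers)."""
    uncovered = {u: set(ents) for u, ents in graph.items()}
    candidates = candidate_roles(graph, min_users)
    chosen = []
    while True:
        best, gain = None, 0
        for role, members in candidates.items():
            g = sum(len(role & uncovered[u]) for u in members)
            if g > gain:
                best, gain = role, g
        if best is None:
            break
        assigned = {u for u in candidates[best] if best & uncovered[u]}
        for u in assigned:
            uncovered[u] -= best
        chosen.append((set(best), assigned))
    return chosen, {u: e for u, e in uncovered.items() if e}
```

On the constructed data this yields three roles (payroll read/write, CI deploy+read, and a single-entitlement CI deploy role for the one user who needs it alone) with no entitlement left for a direct grant; entitlements that do survive in the leftover map are the ones worth reviewing as exceptions.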
Give our paper a read and let us know if we can provide you with more information on how to utilize the power of graphs in a well-structured RBAC system for secure access management.