The second speaker during keynotes at the Gartner IAM conference was Bruce Schneier who is chief security technology office for BT. The title of his talk was The Intersection of Identity, Privacy and Securityand it was fascinating. One comment that really struck home was about how organizations struggle with trying to implement RBAC at an enterprise scale. His point was that most businesses were so dynamic that the roles were constantly changing and would become un-managable very quickly. I call this “role proliferation” and it is pretty common to see scalability limits reached quickly in organizations using RBAC.
Bob, what do you think is the solution giving the requirement of using RBAC?
There are several new technologies that are being used around validated attribute and policy that reduce or eliminate the need for RBAC. There are even on-going projects using these new Attribute Based Access Control systems to solve the scalability problems found in traditional the RBAC approach.