Author Name: Aayush Khandelwal

Often, when SaaS companies launch, every user has access to every feature. However, many enterprise customers require that users have access only to the features they need to do their job. This is the principle of least privilege: an important design concept that improves the protection of data and the stability and security of the system. By granting users just enough permissions to perform the tasks their job requires, an organization reduces its overall exposure to attack and limits the damage a single compromised account can do. Hence, SaaS applications need to offer Role-Based Access Control (RBAC) to be enterprise-ready.

What is RBAC?

RBAC is a mechanism that restricts system access based on a person's role within the organization. Two types of authorization work together to control what a user can do:

  • Data authorization: Restricts the data on which a user can perform an operation. This restriction can be applied at various levels: team, country, third-party vendor. For example, a user may have access to every feature on the dashboard but only for data belonging to a particular team.
  • Feature authorization: Defines the features on the dashboard that a user has access to. A unique set of permissions constitutes a role. For example, a user may be able to view records but not create new ones or update existing ones.

Permissions should be classified into the following categories:

  • Read: Access to view the dashboard. Restricting sensitive fields and specific parts of the dashboard can be tricky, and a view leaves no trace of its own, so the product needs to be built so that it can identify and log what each user viewed.
  • Create: An action that creates a new record in the system.
  • Update: To edit existing records on the dashboard.
  • Delete: To delete or disable existing records.
  • Export: To export data from the dashboard to a local system or personal drive. Export deserves its own permission because it moves data outside the application's controls, where the other restrictions no longer apply.
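To make the two kinds of authorization concrete, here is an added Python example (not code from the original article or from any particular SaaS product) that combines a role-to-permission table for feature authorization with a team-based data scope, denies by default, and logs every decision including reads. The role names, features, teams and users are assumptions modelled on the last-mile delivery example later in this article.

```python
"""Feature authorization plus data authorization in one deny-by-default check.

Added example; the roles, features, teams and users are assumptions for
illustration, not the API of any particular SaaS product.
"""
import logging
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional, Set

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("rbac")


class Permission(str, Enum):
    READ = "read"
    CREATE = "create"
    UPDATE = "update"
    DELETE = "delete"
    EXPORT = "export"


# Feature authorization: a role is a named set of permissions per feature.
# Hypothetical roles modelled on the last-mile delivery example.
ROLES: Dict[str, Dict[str, Set[Permission]]] = {
    "dispatch_planner": {
        "orders": {Permission.READ, Permission.CREATE, Permission.UPDATE},
        "reports": {Permission.READ},
    },
    "ops_manager": {
        "orders": {Permission.READ},
        "reports": {Permission.READ, Permission.EXPORT},
    },
    "admin": {
        "users": {Permission.READ, Permission.CREATE,
                  Permission.UPDATE, Permission.DELETE},
    },
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    teams: FrozenSet[str]   # data scope: teams whose records this user may touch


@dataclass(frozen=True)
class Record:
    feature: str
    team: Optional[str] = None  # None: not team-scoped (e.g. a global report)


def has_feature_permission(user: User, feature: str, perm: Permission) -> bool:
    """Feature authorization: union of the permissions of all the user's roles.
    Unknown roles or features contribute nothing, so a typo cannot grant access."""
    return any(perm in ROLES.get(role, {}).get(feature, set()) for role in user.roles)


def in_data_scope(user: User, record: Record) -> bool:
    """Data authorization: a team-scoped record requires membership in that team."""
    return record.team is None or record.team in user.teams


def authorize(user: User, perm: Permission, record: Record) -> bool:
    """Both checks must pass. Every decision, reads included, is logged so an
    audit can later answer "who viewed what" and "which grants are never used"."""
    allowed = has_feature_permission(user, record.feature, perm) and in_data_scope(user, record)
    log.info("%s user=%s roles=%s perm=%s feature=%s team=%s",
             "ALLOW" if allowed else "DENY", user.name, ",".join(sorted(user.roles)),
             perm.value, record.feature, record.team)
    return allowed


if __name__ == "__main__":
    # Constructed users: a planner scoped to one team, a manager scoped to two.
    planner = User("asha", frozenset({"dispatch_planner"}), frozenset({"mumbai"}))
    manager = User("ravi", frozenset({"ops_manager"}), frozenset({"mumbai", "delhi"}))
    print(authorize(planner, Permission.UPDATE, Record("orders", team="mumbai")))  # True
    print(authorize(planner, Permission.UPDATE, Record("orders", team="delhi")))   # False: wrong team
    print(authorize(planner, Permission.EXPORT, Record("reports")))                # False: no permission
    print(authorize(manager, Permission.EXPORT, Record("reports")))                # True
    print(authorize(manager, Permission.UPDATE, Record("orders", team="delhi")))   # False: read-only role
```

The two checks are deliberately separate functions: a feature permission says what a role may do, a data scope says where, and a request must satisfy both. Keeping the decision log structured (user, roles, permission, feature, scope) is what later makes the "regular audit" practice possible.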

Why is RBAC needed?

An enterprise has many users of a SaaS application, and they should not all have the same level of access. Take the example of a last-mile delivery use case:

  • Enterprise personnel: There are multiple roles within the enterprise:
    1. Dispatch planner: This is usually a warehouse manager.
    2. Customer support: The team to resolve customer queries with respect to cancellations, returns, rescheduling and refunds.
    3. Admin: Someone who manages the creation of new personnel and assigns them appropriate access.
    4. Operations manager: Someone who is not involved hands-on in planning but needs to track and review the delivery performance regularly.
    5. Super user: A select few users who need complete access to the dashboard.
  • Vendors of the enterprise: Multiple transporters are involved in the fulfillment process who may need access to the SaaS application to coordinate and carry out the operations efficiently.
  • Account managers, solutions engineers, and the product team of the SaaS provider: They are involved in setting up the account, configuring settings for the use case, training, and assisting enterprise personnel with execution where required. Their access is a role like any other and should be visible to, and revocable by, the enterprise.

RBAC makes it possible to systematically implement and manage a least-privilege policy across a large, globally distributed organization, and it is typically a hard requirement for any company with more than about 500 employees. The benefits of RBAC are listed below:

  • Save IT administrative time: RBAC simplifies tasks like onboarding, off-boarding users and moving people between departments.
  • Manage permissions in bulk via roles: With RBAC, you can grant or revoke access in bulk. This helps when moving users across departments, and it matters in the event of a breach, when access for a compromised role or set of accounts has to be revoked quickly.
  • Faster audit reporting: With a unified, logically implemented system, administrators have greater visibility to look for anomalies, ensure adherence to existing policies and report deviations.
  • Improved compliance: Regulations impose stringent requirements on data privacy and confidentiality, and their severity varies across industries. With RBAC, it becomes easier to enforce those requirements and to demonstrate that they are enforced.

Challenges and implementation best practices

There are certain things to keep in mind while implementing RBAC. Setting the right base lets RBAC be adopted easily by users and extended to support new use cases:

  • Avoid over-proliferation: Carry out a needs analysis to determine the segments of users. It is easy to get carried away and end up creating too many roles, which increases the maintenance overhead and introduces unnecessary complexity.
  • User experience: Communicate the restricted functionality clearly to users. If a user does not have access to perform an operation, there should be clear signifiers to highlight it and feedback on why it is disabled.
  • Flexibility and control: Business needs may call for custom roles. Users should be able to define custom roles, but under strong oversight to avoid over-proliferation.
  • Regular audit: Track the usage of features by various users against the role assigned to them, and track the requests coming in for additional access. Permissions that a role holds but never exercises are candidates for removal; repeated requests for the same access are the signal to adjust a role. This helps you refine the existing roles and align them better with business objectives.
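As an added example (not the article's own code), the following Python audit reads a constructed decision log, compares the permissions each role holds against those its members actually exercised, and counts repeated denials, which are the access requests the text refers to. The log format, the role table and the sample lines are assumptions.

```python
"""Role-usage audit: compare permissions granted to each role against those
actually exercised in the decision log, and surface repeated denials.

Added example, not the original article's code. The log format, the role
table and the sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Hypothetical role table: role -> {(feature, permission), ...}
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "dispatch_planner": {("orders", "read"), ("orders", "create"),
                         ("orders", "update"), ("orders", "delete")},
    "ops_manager": {("orders", "read"), ("reports", "read"), ("reports", "export")},
}

# Constructed decision log, one line per authorization decision.
SAMPLE_LOG = """\
ALLOW user=asha role=dispatch_planner perm=read feature=orders
ALLOW user=asha role=dispatch_planner perm=create feature=orders
ALLOW user=asha role=dispatch_planner perm=update feature=orders
ALLOW user=bhavna role=dispatch_planner perm=read feature=orders
DENY user=bhavna role=dispatch_planner perm=export feature=orders
DENY user=bhavna role=dispatch_planner perm=export feature=orders
ALLOW user=ravi role=ops_manager perm=read feature=reports
ALLOW user=ravi role=ops_manager perm=export feature=reports
DENY user=ravi role=ops_manager perm=update feature=orders
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<decision>ALLOW|DENY) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"perm=(?P<perm>\S+) feature=(?P<feature>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse decision lines; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unused_grants(events: List[Dict[str, str]],
                  grants: Dict[str, Set[Tuple[str, str]]] = ROLE_GRANTS
                  ) -> Dict[str, Set[Tuple[str, str]]]:
    """Permissions a role holds that no member of the role exercised in the
    window: candidates for removal from the role."""
    used = defaultdict(set)
    for e in events:
        if e["decision"] == "ALLOW":
            used[e["role"]].add((e["feature"], e["perm"]))
    return {role: granted - used[role] for role, granted in grants.items()}


def denied_requests(events: List[Dict[str, str]]) -> Counter:
    """Denials per (role, feature, permission): the demand signal for a role change."""
    return Counter((e["role"], e["feature"], e["perm"])
                   for e in events if e["decision"] == "DENY")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for role, perms in unused_grants(evs).items():
        print(role, "granted but unused:", sorted(perms))
    for key, n in denied_requests(evs).most_common():
        print("denied", n, "times:", key)
```

Run over a real review window, a grant that no member of a role exercised is a candidate to drop from the role, and a (role, feature, permission) that is denied repeatedly is the cue to adjust the role or create a narrower one rather than hand out the super user role as a shortcut. Both outputs come from the same decision log that the authorization check writes, which is why logging allowed reads as well as denials matters.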

In conclusion, RBAC is a critical functionality for enterprises that adopt cloud applications. It is a powerful boost to the security of any enterprise and improves the privacy and security posture of SaaS deployments, especially for enterprises that have many employees and work with third parties.