Only the administrator should have complete access to the network devices; other employees, such as a junior network engineer, do not need full access. A junior-level engineer generally only needs to cross-check the configuration of a device, not to add or delete configuration, so why give that employee full access? For such scenarios, the administrator defines access to the devices according to the roles of the users.
Role-based Access Control – The concept of Role-based Access Control (RBAC) is to create a set of permissions and assign them to a user or group. With these permissions, users can be given only the limited access they need, which increases the level of security. There are different ways to perform RBAC, such as creating custom privilege levels or creating views.
Custom privilege levels – When we take a console of the router, we enter user EXEC mode, which has privilege level 1. By typing enable, we enter privileged EXEC mode, where the privilege level is 15. A user with privilege level 15 can access all the commands that are at level 15 or below. By creating a custom privilege level (between 2 and 14) and assigning commands to it, the administrator can provide a subset of commands to the user.
Configuration – First we add a command to our privilege level, say 8, and assign a password to it.
R1(config)#privilege exec level 8 configure terminal
R1(config)#enable secret level 8 0 saurabh
Here we have assigned the password saurabh. Note that the 0 means the password that follows is typed in clear text rather than as an already-hashed value. Now we create a local user named saurabh and associate this user with the configured level. Then we enable the AAA model and apply the default authentication list to the vty lines.
R1(config)#username saurabh privilege 8 secret cisco123
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#line vty 0 4
R1(config-line)#login authentication default
Now, whenever user saurabh takes remote access through the vty lines, he is assigned privilege level 8.
Creating views – Role-Based CLI Access enables the administrator to create different views of the device for different users. Each view defines the commands that a user can access. It is similar to privilege levels. Role-based CLI provides 2 types of views:
- Root view – The root view has the same access privileges as a user at level 15. The administrator must be in the root view, because views can only be added, edited or deleted from the root view.
Configuration – To enter the root view, we first have to enable AAA on the device and then set an enable password or enable secret, which is asked for whenever a user enters the root view.
To enable AAA on the device and set the secret password, the commands are:
R1(config)#aaa new-model
R1(config)#enable secret geeksforgeeks
- Now we enter the root view from privileged EXEC mode with the command:
R1#enable view
- After typing this and supplying the enable secret, we are in the root view, where we can add, delete or edit views.
- Super view – A superview consists of 2 or more CLI views. A network administrator can assign a user or group of users a superview, which consists of multiple views. Because a superview consists of more than one view, it has access to all the commands provided in those views.
Configuration – Since the superview consists of more than one view, we first create 2 views named cisco and ibm. In view cisco, we allow all show commands in EXEC mode and the int e0/0 command in global configuration mode. Each view is given a secret first (the values used here are illustrative), because IOS does not allow commands to be added to a view that has no secret.
R1(config)#parser view cisco
R1(config-view)#secret cisco
R1(config-view)#commands exec include all show
R1(config-view)#commands configure include int e0/0
- Now we create the ibm view, in which we allow ping and config terminal in EXEC mode and ip address in configuration mode. Again the view gets a secret (illustrative value) before any commands are added to it.
R1(config)#parser view ibm
R1(config-view)#secret ibm
R1(config-view)#commands exec include ping
R1(config-view)#commands exec include config terminal
R1(config-view)#commands configure include ip address
- Now we create a superview named sup_user. We set the secret superuser on the superview sup_user and add the views cisco and ibm to it, so it has the privilege to execute only the commands included in views cisco and ibm.
R1(config)#parser view sup_user superview
R1(config-view)#secret superuser
R1(config-view)#view cisco
R1(config-view)#view ibm
Note – It is necessary to apply a secret to a view before configuring commands in it. Also, an enable password can be used here instead of an enable secret, but it is less secure because it is not stored as a one-way hash. We can check the view configuration from the root view with:
R1#show parser view all
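As an added example (not part of the original article and not a Cisco tool), a small Python audit that reads a constructed IOS running-config excerpt and checks the points made above: every parser view carries a secret, no enable password is used where an enable secret belongs, which users hold privilege 15, and which users have a reversible password string instead of a hashed secret. The config text and the hash strings in it are constructed placeholders.

```python
import re
# Constructed IOS running-config excerpt (not captured from a real device); it
# mirrors the privilege-level and view configuration above. Hashes are placeholders.
SAMPLE_CONFIG = """\
enable secret level 8 5 $1$PLACEHOLDER$hash
enable password geeksforgeeks
username saurabh privilege 8 secret 5 $1$PLACEHOLDER$hash
username admin privilege 15 secret 5 $1$PLACEHOLDER$hash
username guest password 0 guest123
parser view cisco
 secret 5 $1$PLACEHOLDER$hash
 commands exec include all show
parser view ibm
 commands exec include ping
parser view sup_user superview
 secret 5 $1$PLACEHOLDER$hash
 view cisco
"""


def audit_rbac_config(config: str) -> dict:
    """Flag RBAC weaknesses: views without a secret, level-15 users, users with a
    reversible 'password' instead of a hashed 'secret', and 'enable password' use."""
    report = {"views_without_secret": [], "level15_users": [],
              "reversible_password_users": [], "enable_password_used": False}
    view_secret = {}      # view name -> True once a 'secret' line is seen
    current_view = None
    for line in config.splitlines():
        if line.startswith(" "):                      # inside a sub-mode
            if current_view and line.strip().startswith("secret "):
                view_secret[current_view] = True
            continue
        current_view = None                           # back at global level
        m = re.match(r"parser view (\S+)", line)
        if m:
            current_view = m.group(1)
            view_secret.setdefault(current_view, False)
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))? (secret|password) \d+ ", line)
        if m:
            name, level, kind = m.groups()
            if level == "15":                         # full access, worth reviewing
                report["level15_users"].append(name)
            if kind == "password":                    # type 0/7, stored reversibly
                report["reversible_password_users"].append(name)
        elif line.startswith("enable password "):
            report["enable_password_used"] = True
    report["views_without_secret"] = [v for v, ok in view_secret.items() if not ok]
    return report
```

For a real device, pass the text of show running-config to audit_rbac_config in place of the constructed sample.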
Advantages of Role-based Access Control
There are several advantages to using RBAC, including:
1. Improving operational efficiency:- With RBAC, companies can reduce the need for paperwork and password changes when they hire new employees or change the roles of existing employees. RBAC lets organizations quickly add and change roles, as well as implement them across platforms, operating systems (OSes) and applications. It also reduces the potential for error when assigning user permissions. Additionally, with RBAC, companies can more easily integrate third-party users into their networks by giving them predefined roles.
2. Enhancing compliance:- Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy, because executives and IT departments can more effectively manage how data is accessed and used. This is particularly significant for financial institutions and healthcare organizations that manage sensitive data.
3. Giving administrators increased visibility:- RBAC gives network administrators and managers more visibility and oversight into the business, while also ensuring that authorized users and guests on the system are given access only to what they need to do their jobs.
4. Reducing costs:- By not allowing user access to certain processes and applications, companies may conserve or more cost-effectively use resources such as network bandwidth, memory and storage.
5. Decreasing the risk of breaches and data leakage:- Implementing RBAC means restricting access to sensitive information, thereby reducing the potential for data breaches or data leakage.
Disadvantages of Role-based Access Control
- Lack of Flexibility: RBAC can be inflexible, as roles and permissions are typically assigned based on a predetermined set of rules. This can make it difficult to accommodate exceptions or unique situations where an individual needs access to resources that are outside of their assigned role.
- Complexity: Implementing RBAC can be complex, requiring significant planning and resources. Setting up roles and permissions for each user can be time-consuming and may require ongoing maintenance to ensure that access levels remain appropriate.
- Lack of Granularity: RBAC can lack granularity in terms of the level of access granted to users. This can result in situations where users have access to more resources than they need to perform their job, which can increase the risk of data breaches and other security incidents.
- Overreliance on Roles: RBAC can result in overreliance on roles, which can limit the ability to make granular access decisions based on specific user attributes, such as their level of trust or the sensitivity of the data they are accessing.
- Difficulty in Delegation: Delegating roles and permissions can be difficult, particularly in larger organizations where there are many different roles and levels of access. This can result in delays in granting access to resources, which can impact productivity and business operations.