Modern Role-Based Access: A Hybrid Approach to Solving Common Challenges of Scale and Complexity


Posted on by Aadithya Francis

Role-Based Access Control (RBAC) has long been a cornerstone of Identity and Access Management (IAM) strategies. In its simplest form, RBAC is built on the concept that roles are containers of access - sets of entitlements or permissions that are bundled and granted to users based on job functions. Roles simplify access reviews, streamline provisioning, and help ensure compliance. However, as organizations scale and technology environments become more dynamic, traditional RBAC implementations face growing limitations. A hybrid approach to role-based access is the need of the hour - one that addresses the challenges of scale, policy enforcement, and role maintenance while maintaining the foundational benefits of RBAC. 

The Foundation of Role-Based Access in a Typical RBAC Model

Roles act as containers of access, grouping entitlements that represent specific job responsibilities or functions. Access is reviewed and approved at the role level, enabling bulk approval processes that reduce complexity. Role maintenance can be manual (through direct entitlement additions) or semi-automated (e.g., through access mining, where users are prompted with access options based on usage patterns or peer analysis). Memberships in roles are reviewed and approved, ensuring only authorized users receive the associated access. While this model works well in theory, practical implementation often exposes gaps that can lead to inefficiencies, security risks, or non-compliance. 

Common Challenges in Traditional RBAC Models

Organizations leveraging RBAC at scale frequently encounter the following issues: 

  • Over-entitlement of users: To simplify provisioning, roles are often over-populated with access, leading to broader permissions than necessary.
  • Over-restriction: Conversely, some roles are defined too narrowly, causing role explosion and forcing users to request multiple supplemental entitlements, which creates friction and increases the workload for approvers and reviewers.
  • Static and outdated roles: Roles often fail to keep up with changes in business processes, applications, or organizational structures, resulting in misalignment with actual needs.
  • Segregation of Duties (SoD) conflicts: Combining multiple entitlements into roles can inadvertently create SoD conflicts, especially when roles are not regularly reviewed.
  • Dormancy and policy enforcement issues: Without dynamic controls, dormant accounts or unused access can persist, introducing risk. 

These limitations call for a more adaptive approach: one that retains the efficiency of RBAC but introduces flexibility and control aligned to modern business and security needs.

Modernizing Role-Based Access Control – challenging the norms

A core assumption in traditional RBAC is that every member of a role should receive all the access defined in that role and should retain all the access until no longer a member of the role. This assumption, while convenient and widely adopted, is increasingly problematic in dynamic environments. A modern hybrid approach challenges this assumption by decoupling role membership from automatic access provisioning and introducing a layered, policy-aware mechanism for access assignment: 

  • Role-based approval, not provisioning: Being a member of a role no longer means automatic entitlement. Instead, access requests raised by a member can be auto-approved if the access is pre-approved within the user’s roles. 
  • Access requests become controlled events: Even if a user is in a role, they must request access. This allows for Segregation of Duties (SoD) policies to be evaluated at request time and granularly, preventing violations before they occur. 
  • Day 0/1 access is still achievable: Pre-approved access can be provisioned automatically for new hires based on role-driven policies in compliance with SoD policies, ensuring productivity without unnecessary risk. 
  • Attribute-based mining: Roles can be created and assigned based on user attributes (e.g., department, location, function), reducing manual effort and increasing consistency. 
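The four bullets above describe one mechanism: role membership grants a pre-approval, a request is evaluated against SoD policy at request time, a small day-0 subset is provisioned automatically, and role assignment can be derived from user attributes. The following Python sketch, added here as an illustration and not code from the original post or from any product, puts those rules into a single policy engine. The role names, entitlement strings, the `department` attribute, the SoD pair and the user are all constructed for the example; a real IGA platform would persist the audit trail and route `MANUAL_REVIEW` outcomes to an approver workflow.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    AUTO_APPROVED = "auto-approved"   # pre-approved by a role and no SoD conflict
    MANUAL_REVIEW = "manual-review"   # not covered by any role: route to an approver
    DENIED_SOD = "denied-sod"         # would conflict with access the user already holds


@dataclass(frozen=True)
class Role:
    name: str
    pre_approved: frozenset   # entitlements a member may request with auto-approval
    day0: frozenset           # subset provisioned automatically when the role is assigned
    match: tuple = ()         # (attribute, value) pairs that qualify a user for the role


@dataclass
class User:
    uid: str
    attributes: dict
    roles: set = field(default_factory=set)
    granted: set = field(default_factory=set)   # per-user grants, independent of roles


class AccessEngine:
    def __init__(self, roles, sod_pairs):
        self.roles = {r.name: r for r in roles}
        self.sod = {frozenset(p) for p in sod_pairs}
        self.audit = []   # (uid, action, entitlement, outcome): review and detection feed

    def assign_roles(self, user):
        """Attribute-based assignment: every role whose match pairs all hold for the user."""
        user.roles = {r.name for r in self.roles.values()
                      if all(user.attributes.get(k) == v for k, v in r.match)}
        return user.roles

    def _sod_conflict(self, held, requested):
        return any(frozenset((h, requested)) in self.sod for h in held)

    def pre_approved_for(self, user):
        return set().union(*(self.roles[r].pre_approved for r in user.roles))

    def request(self, user, entitlement):
        """Request-time evaluation: membership approves, it does not provision."""
        if self._sod_conflict(user.granted, entitlement):
            outcome = Decision.DENIED_SOD
        elif entitlement in self.pre_approved_for(user):
            user.granted.add(entitlement)
            outcome = Decision.AUTO_APPROVED
        else:
            outcome = Decision.MANUAL_REVIEW
        self.audit.append((user.uid, "request", entitlement, outcome.value))
        return outcome

    def onboard(self, user):
        """Day 0/1: provision only each role's day-0 subset, still subject to SoD."""
        provisioned = []
        for name in sorted(user.roles):
            for ent in sorted(self.roles[name].day0):
                if ent not in user.granted and not self._sod_conflict(user.granted, ent):
                    user.granted.add(ent)
                    provisioned.append(ent)
                    self.audit.append((user.uid, "day0", ent, "provisioned"))
        return provisioned

    def revoke(self, user, entitlement):
        """Per-user revocation: touches neither the role nor the user's membership."""
        user.granted.discard(entitlement)
        self.audit.append((user.uid, "revoke", entitlement, "revoked"))


def demo():
    """Constructed scenario: an AP clerk role that bundles an SoD-conflicting pair."""
    roles = [
        Role("ap-clerk",
             frozenset({"erp.invoice.create", "erp.payment.release", "erp.vendor.view"}),
             frozenset({"erp.vendor.view"}),
             match=(("department", "accounts-payable"),)),
        Role("bi-analyst", frozenset({"bi.reports.read"}), frozenset({"bi.reports.read"}),
             match=(("department", "finance-analytics"),)),
    ]
    engine = AccessEngine(roles, sod_pairs=[("erp.invoice.create", "erp.payment.release")])
    alice = User("alice", {"department": "accounts-payable", "location": "SG"})

    result = {"roles": engine.assign_roles(alice)}                       # {'ap-clerk'}
    result["day0"] = engine.onboard(alice)                               # ['erp.vendor.view']
    result["invoice"] = engine.request(alice, "erp.invoice.create")      # AUTO_APPROVED
    result["release"] = engine.request(alice, "erp.payment.release")     # DENIED_SOD
    result["reports"] = engine.request(alice, "bi.reports.read")         # MANUAL_REVIEW
    engine.revoke(alice, "erp.invoice.create")                           # membership unchanged
    result["release_after_revoke"] = engine.request(alice, "erp.payment.release")  # AUTO_APPROVED
    result["final_granted"] = set(alice.granted)
    result["still_member"] = "ap-clerk" in alice.roles
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the scenario makes is that the role deliberately bundles `erp.invoice.create` and `erp.payment.release`, the kind of SoD conflict that creeps into roles over time. Under classic RBAC, joining the role would provision both. Here the second request is denied at request time against what the user already holds, and after an individual revocation the user can obtain the other entitlement without anyone editing the role or the membership.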

Advantages of the Hybrid Role-Based Model

This modernized approach provides several key benefits: 

  • Minimized over-provisioning: Access is granted only when needed, in compliance with SoD policies, and only if approved, reducing the risk of privilege creep. 
  • Improved policy enforcement: SoD, dormancy, and other access policies are enforced at the point of request, not at the point of provisioning. 
  • Dynamic controls: Access is no longer tightly bound to static roles. This allows for more responsive updates as business needs evolve. 
  • Operational flexibility: Organizations can implement both auto-provisioned and request-based access flows depending on the sensitivity and criticality of the entitlements. 
  • Independent access revocations: Unnecessary access, or access that violates new policies, can be revoked for individual users without modifying roles or role memberships.

Tradeoffs and Considerations 

While the proposed hybrid model introduces many advantages, it also requires careful consideration. First, without fully automated role fulfillment, users will need to request and obtain specific entitlements rather than simply joining a role. This can be mitigated through user-friendly request interfaces or recommendation engines potentially leveraging generative AI. Secondly, the proper management of roles remains essential, even when role grants are decoupled from provisioning. Roles must still be well-designed, regularly reviewed, and maintained, so they accurately reflect business functions and access needs. Finally, automation and integration are critical, as the model’s success depends on IAM systems that can evaluate policies in real time and support automated approvals.

RBAC remains a powerful tool in identity governance, but the current interpretation is no longer sufficient on its own to address the complexity of modern enterprises. A hybrid, policy-aware approach enables organizations to achieve the right balance between control, flexibility, and user productivity. By rethinking how access is granted and leveraging modern identity data and policy engines, large, diverse organizations can make role-based access scalable, secure, and easier to adopt and operate.

Contributors
Aadithya Francis

Senior Director, Cybersecurity IAM, Visa Inc.

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
