I am currently planning an RBAC implementation and in particular want to start designing my approach to engage with the business to gather requirements. I was planning on using SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov) but would be interested in any community views on driving strong engagement from the business, promoting understanding and ownership, and what templates or best practices might be available to capture the data. Questions that occur:
1. I can imagine that the natural tendency would be to align roles to the current organisation and people: HR Manager/HR User etc. However, I wonder if there can be any more innovative approaches using a core: Standard User + Standard Manager + HR Overlay type approaches.
2. Has anyone any experience with setting up central Active Directory groups representing roles and using that to inherit access to multiple applications? So HR Manager gets you HR privs in Dynamics, Power BI etc.
Can anyone point me at any alternative perspectives or taxonomies that could help us explore other options? All observations welcome! Thanks!
Gerald
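As an added illustration of the "core + overlay" role model and the one-AD-group-per-role idea raised in the post (example code, not the poster's own and not from any real directory), the toy below composes a base role with overlays, resolves the per-application entitlements each role would grant, records which role granted each privilege (useful for access reviews and business ownership), and refuses combinations that break a separation-of-duties rule. The role names, applications, privileges and the ROLE-* group naming convention are all constructed assumptions.

```python
"""Toy 'core + overlay' RBAC model (constructed example, not real AD data)."""

# Constructed entitlement catalogue: role -> {application: set(privileges)}.
# Each role is assumed to be represented by one central AD group; applications
# read group membership and grant the listed privileges.
ROLE_ENTITLEMENTS = {
    "Standard User":    {"Dynamics": {"read"},    "PowerBI": {"view"}},
    "Standard Manager": {"Dynamics": {"approve"}, "PowerBI": {"view", "share"}},
    "HR Overlay":       {"Dynamics": {"hr_read", "hr_write"}, "PowerBI": {"hr_workspace"}},
    "Finance Overlay":  {"Dynamics": {"fin_read", "fin_post"}},
}

# Constructed separation-of-duties rule: these overlays must never be held together.
SOD_CONFLICTS = {frozenset({"HR Overlay", "Finance Overlay"})}


def ad_group_name(role: str) -> str:
    """Assumed naming convention for the AD group that represents a role."""
    return "ROLE-" + role.upper().replace(" ", "-")


def ad_groups(base: str, *overlays: str) -> list[str]:
    """AD groups a user needs to hold the given base role plus overlays."""
    return [ad_group_name(r) for r in (base, *overlays)]


def effective_access(base: str, *overlays: str) -> dict[str, dict[str, str]]:
    """Return {application: {privilege: granting_role}} for base + overlays.

    Raises ValueError if the combination violates a separation-of-duties rule,
    so a conflicting role bundle is rejected before any group membership is granted.
    """
    roles = [base, *overlays]
    for pair in SOD_CONFLICTS:
        if pair <= set(roles):
            raise ValueError(f"separation-of-duties conflict: {sorted(pair)}")
    access: dict[str, dict[str, str]] = {}
    for role in roles:
        for app, privs in ROLE_ENTITLEMENTS[role].items():
            for priv in sorted(privs):
                # Keep the first role that grants a privilege, so reviewers can
                # see which role (and therefore which business owner) is responsible.
                access.setdefault(app, {}).setdefault(priv, role)
    return access


def is_permitted(base: str, *overlays: str) -> bool:
    """True if the role combination passes the separation-of-duties check."""
    try:
        effective_access(base, *overlays)
        return True
    except ValueError:
        return False
```

Running `effective_access("Standard Manager", "HR Overlay")` shows the "HR Manager" of the post expressed as two groups rather than one bespoke role, and the granting-role annotation is what an access-review report would show the business owner.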