One of the more exciting aspects of authenticated networks is that once you do it, role-based access control becomes possible. Today–as I’ve said before–authentication for wireless, VPN, and dial-up connections has the principal goal of proving that you should be treated as if you were in the building. Wired access typically has no authentication. However, if you authenticate your wired access as well, every access method is authenticated and the game changes. With the user’s identity validated at every point of access, we can now ask what the user should be allowed to do.
At this point vendors and customers can get overly excited and start talking about dozens of roles based on the different areas of the organization. The problem is that many larger organizations have no idea what specific authorizations each role needs. Instead of jumping to the end game, organizations should look to a smaller number of roles. A good place to start is simply to differentiate between a guest, a contractor, and a permanent user. Guests typically need access only to the Internet. Contractors’ needs vary widely, but they generally need access to a subset of internal resources. Locking down contractors will still require some homework for the network IT staff, but it is a far more tractable problem than figuring out all employee entitlements. Lastly, the permanent user role gets access to everything, as normal.
From these meager beginnings, you can begin to extend your role-based access control. The next logical step for many organizations is a “privileged” role, granted to finance, HR, and executive staff, which allows access to the servers that house very sensitive data. It is important to remember that even with just three roles, you have significantly extended the functionality the network provides over what it did before authenticated networks.
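As an added illustration of the role model described above (not code from the original post), here is a small default-deny policy evaluator that maps an authenticated session to one of the guest, contractor, permanent, or privileged roles and decides whether a destination address is reachable. The address plan (a 10.0.0.0/8 internal range, a contractor segment, and a sensitive-server subnet) and the `Session` record are constructed assumptions for the example; the point it makes is that once every access method authenticates, the access method itself stops mattering and only the verified identity and its role drive the decision.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for this example (an assumption, not from the post).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
CONTRACTOR_SUBSET = [ipaddress.ip_network("10.20.0.0/16")]  # project segment contractors work in
SENSITIVE = [ipaddress.ip_network("10.99.0.0/24")]          # finance / HR / executive servers


@dataclass
class Session:
    user: str
    role: str            # assigned from the authenticated identity, e.g. a directory group
    method: str          # "wired", "wireless", "vpn" or "dialup"
    authenticated: bool  # did this access method actually verify the user?


def in_any(addr, nets):
    return any(addr in net for net in nets)


def internet(addr):
    # Anything globally routable counts as "the Internet".
    return addr.is_global


def contractor_resources(addr):
    # The agreed subset of internal resources a contractor may reach.
    return in_any(addr, CONTRACTOR_SUBSET)


def ordinary_internal(addr):
    # Everything internal except the sensitive servers.
    return in_any(addr, INTERNAL) and not in_any(addr, SENSITIVE)


def all_internal(addr):
    return in_any(addr, INTERNAL)


# Each role is a list of allow predicates; the first match allows, otherwise deny.
ROLES = {
    "guest":      [internet],
    "contractor": [internet, contractor_resources],
    "permanent":  [internet, ordinary_internal],
    "privileged": [internet, all_internal],
}


def authorize(session, dst):
    """Return (allowed, reason). Default deny: unauthenticated sessions and unknown roles fail."""
    if not session.authenticated:
        return False, "unauthenticated session"
    rules = ROLES.get(session.role)
    if rules is None:
        return False, f"unknown role {session.role!r}"
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule(addr):
            return True, f"{session.role} allowed by {rule.__name__}"
    return False, f"{session.role} has no rule for {dst}"


def evaluate(requests):
    """Evaluate a batch of (session, destination) pairs and return the decisions."""
    return [authorize(session, dst) for session, dst in requests]


if __name__ == "__main__":
    # Constructed sample sessions: the method varies, the decision depends only on
    # whether the session is authenticated and which role the identity carries.
    samples = [
        (Session("visitor", "guest", "wireless", True), "93.184.216.34"),
        (Session("visitor", "guest", "wireless", True), "10.20.1.5"),
        (Session("vendor", "contractor", "vpn", True), "10.20.1.5"),
        (Session("vendor", "contractor", "vpn", True), "10.30.1.5"),
        (Session("alice", "permanent", "wired", True), "10.99.0.10"),
        (Session("cfo", "privileged", "dialup", True), "10.99.0.10"),
        (Session("unknown", "permanent", "wired", False), "10.30.1.5"),
    ]
    for (session, dst), (allowed, reason) in zip(samples, evaluate(samples)):
        print(f"{session.user:8} {session.method:8} -> {dst:15} {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The wired session that arrives unauthenticated is denied outright rather than being treated as "in the building", which is exactly the change the post describes: authenticating wired access is what makes the role decision meaningful across all four access methods.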