Role-Based Access Control

Role-Based Access Control allows Osano administrators to restrict application access based on a person's role within the organization. 

It's essential to keep your systems tight. Deciding what happens with a user's data is an important decision that should be based on training on laws and regulations, as well as the promises a company has made to customers within the privacy policy. Role-Based Access Control (RBAC) allows Osano administrators to decide who has access to which data within an organization. User access takes into consideration a multitude of factors, including authority, responsibility and job function. You can also limit access to specific product features and control the user's ability to view, create or modify those features. The aim is to keep data secure and allow users to focus on relevant tasks while restricting access to functions outside their access level.

An example might be: A company has many people all in charge of specific features within it. There's a customer support team that deals specifically with data subject access requests. But you don't want that group to have access to changing aspects of your website's consent manager, vendor litigation or product analysis. Role-Based Access Control allows you to assign roles to individual users that limit that access.

Why does this matter?

Role-based access control gives customers the ability to manage which areas of a particular system their users can access at a granular level to maintain compliance with various security standards. The solution is in line with the security principle "Give the fewest amount of people the least amount of access possible to do their jobs." 

The National Institute for Standards and Technology proposed RBAC in 1992. Since then, it's become the standard for many large organizations, as well as government organizations. While the EU General Data Protection Regulation doesn't specifically mandate RBAC, it does call for organizations to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

Implementing RBAC should include a data inventory, defining roles (who should have access to what), an information-campaign for employees on the policy and regular audits to ensure it's working.