Identity types

Role

A role defines a set of permissions and access rights granted to users, groups, or service principals within a system or environment. Roles help enforce security policies and control access to resources based on predefined permissions, ensuring that users have the appropriate level of access to perform their tasks.

For example, in an enterprise IT environment, roles may include "Administrator," "Power User," "Developer," or "Auditor," each with different sets of permissions and privileges. Administrators assign users or groups to these roles based on their job function, responsibilities, or organizational hierarchy.

Roles typically consist of a collection of permissions or access controls that define what actions users can perform on specific resources. These permissions may include read, write, delete, execute, or manage operations, depending on the requirements of the role.

Role-based access control (RBAC) is a common approach to access management that leverages roles to control access to resources. However, in cloud environments like AWS, roles serve a slightly different purpose. AWS roles are identities meant to allow other identities to "assume" them for a limited duration using temporary credentials.

For example, in AWS, a user or machine authenticated by a certain identity provider (IdP) can obtain temporary credentials to assume a role, if authorized to do so. While using those temporary credentials, the caller's access is limited to the permissions defined by that role; any other permissions the caller holds are relinquished for the duration of the session.

Example scenario:

Role 1 can access Secret A.

Role 2 can decrypt Secret A.

In classic RBAC:

A user assigned both roles who calls GetSecret receives the decrypted secret, because the permissions of all assigned roles combine.

In AWS:

A user assigned both roles can assume Role 1 to call GetSecret, but the attempt to decrypt the secret will fail, because only Role 1's permissions apply while that role is assumed.

If they assume Role 2 instead, they lack permission to access the secret in the first place. Either way, the user cannot obtain the decrypted value of the secret.
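The scenario above, worked through as a small model of both authorization styles. This is an added example, not Oasis Security's code or the AWS evaluation engine: the role names, the "service:Action" permission strings and the session expiry are constructed assumptions that mirror the two roles in the scenario.

```python
from dataclasses import dataclass
import time

# Constructed model (not AWS's real policy evaluator): permissions are
# "service:Action" strings, roles are immutable sets of them.

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset

@dataclass
class AssumedRoleSession:
    """AWS-style temporary credentials scoped to exactly one role."""
    role: Role
    expires_at: float

    def is_valid(self, now=None):
        return (time.time() if now is None else now) < self.expires_at

# Hypothetical roles matching the page's scenario.
ROLE_1 = Role("Role1", frozenset({"secretsmanager:GetSecretValue"}))  # can access Secret A
ROLE_2 = Role("Role2", frozenset({"kms:Decrypt"}))                    # can decrypt Secret A

# Reading the decrypted value needs both actions to be permitted at once.
REQUIRED_FOR_DECRYPTED_SECRET = frozenset({"secretsmanager:GetSecretValue", "kms:Decrypt"})

def classic_rbac_permissions(assigned_roles):
    """Classic RBAC: effective permissions are the union of every assigned role."""
    return frozenset().union(*(r.permissions for r in assigned_roles))

def assume_role(role, duration_seconds=3600, now=None):
    """AWS-style: the caller drops all other permissions and acts only as this role."""
    start = time.time() if now is None else now
    return AssumedRoleSession(role, start + duration_seconds)

def can_read_decrypted_secret(permissions):
    return REQUIRED_FOR_DECRYPTED_SECRET <= frozenset(permissions)

def assumed_role_can_read_decrypted_secret(session, now=None):
    if not session.is_valid(now):
        return False  # expired temporary credentials grant nothing
    return can_read_decrypted_secret(session.role.permissions)

if __name__ == "__main__":
    print(can_read_decrypted_secret(classic_rbac_permissions([ROLE_1, ROLE_2])))  # True
    print(assumed_role_can_read_decrypted_secret(assume_role(ROLE_1)))            # False
    print(assumed_role_can_read_decrypted_secret(assume_role(ROLE_2)))            # False
```

The last two calls show why the AWS model yields no decrypted value: each session carries only one role's permissions, so neither role alone satisfies both required actions.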

Roles are often managed centrally within an identity and access management (IAM) system, allowing administrators to create, modify, or delete roles as needed. Best practices for role management include regular review and validation of role assignments, auditing access rights, and enforcing the principle of least privilege.