Which RBAC Approach Is Better: Top-Down or Bottom-Up?

January 9, 2019
RBAC Approach

rbac approach

Role Based Access Control (RBAC) projects are generally organized in one of two RBAC approaches: top-down (start with the business roles) or bottom-up (start with the user data and technical roles) and use that information to work up to insights. But is there a “right way”? Is one approach better or more effective than the other? 

"The goal is to turn data into information, and information into insight."  ―Carly Fiorina, Former CEO of HP

Let's take a look at the top-down and bottom-up approaches to RBAC projects one at a time.

Top-Down RBAC Approach

In the top-down RBAC approach, we might start with an initial belief that a percentage of users have too much access for their role. This represents a security problem for your company. To evaluate what access users actually have, we will need some data. It’s best to start with a few representative positions and carefully follow their transactions to understand which applications are commonly used and which are not.

Key Activities:

  • DILO Study with the worker (“Day in the Life Of” the worker – watch the person work for 4 to 8 hours and log what applications they use throughout the day) to document current access levels
  • Interview managers to determine what applications are needed for that job position and identify any “extra access” that should be removed
  • Interview system owners to determine if there are any job positions that should never use a particular application
  • Identify inconsistencies/inappropriate access
  • Clean up user access so that all users in a particular job have the same access

After collecting sufficient transactional data and enriching it with data from the managers and system owners (such as information about what applications are used by location, usage policies, how exceptions are handled and so on), we can:

  1. Clean up the user access at the application level so that everyone in the same role has the same access
  2. Build a set of roles for job functions and deploy them to improve access management, enforce separation of duties and a least privileges model

Bottom-Up RBAC Approach

In this approach, you start with all of your user access data and wonder if there are any interesting relationships in it. Using a Role Mining tool to sift through various groupings, permission sets, and summary statistics, we may hit upon a compelling set of technical roles that map to business roles (i.e. job positions). It is this information that is valuable for defining technical roles and modern role mining tools are pretty good at analyzing the data and finding access patterns. The challenge is that if there is too much noise in the user access data (e.g. too many users have access that they should not have), the results of role mining may fall short of expectations.

“...If you think your data is clean, you haven’t looked at it hard enough.”  ― Eben Hewitt

How The Two RBAC Approaches Are Different, Yet Complementary

The bottom-up RBAC approach tends to be semi-automated and exploratory. It lets the data lead to a result, while the top-down method defines the business case for access and constructs business roles to manage access for each job position.

In this sense, the top-down approach is better aligned with the business; however, it can also be relatively costly to design and carry out a proper assessment. Moreover, you need to have enough information at the start of the top-down method to set up the data collection so that you don't miss any important information. On the other hand, while the bottom-up approach makes good use of the available data, it can also take you on the proverbial wild goose chase and you need to take care that you don't chase spurious results.

Ultimately, neither approach is always best. They are often complementary, with one approach leading to the other in a cyclical fashion. For example:

  • Top-down to bottom-up. After identifying the business roles and cleaning up user access by job function, we can then run the data mining tool to analyze the user permission sets to match the technical roles with the business roles.
  • Bottom-up to top-down. After the role mining tool analyzes permissions and suggests which technical roles to build, we can confirm the findings with a rigorous top-down analysis by validating with the users and business owners.

What’s the right RBAC approach for your business?

Top-down and bottom-up techniques each have their own pros and cons. Determining the best model will ultimately depend on the nature of the specific business and available resources. To make the best use of both approaches, it would be ideal to use both analytic processes in combination with one another to suit specific needs. Both the top-down and bottom-up approaches are even more effective when used together. As a business owner, you must decide how much control you want to have over the implementation of strategies to meet your most important goals.

For more information on how to develop roles, review these 3 articles:

  1. How to Successfully Introduce Role Based Access Control into a Group Environment
  2. How to Successfully Introduce Role Based Access Control into a Group Environment, Part 2
  3. How to Successfully Introduce Role Based Access Control into a Group Environment, Part 3

Follow @Idenhaus on Twitter and subscribe to our biweekly newsletter.


An IAM Assessment is a quick, expert evaluation of your environment that identifies and addresses the most common issues organizations face when implementing a solution.

This is ideal for organizations that:

  • Are struggling to get their IAM solutions deployed
  • Have a misalignment between their processes and technology
  • Have an immature IAM solution with too many workarounds
  • Companies that want to accelerate their IAM programs

Click here to learn more about the IAM Assessment.


By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us

More News