Role-based access control (RBAC) adds a layer of organizational protection against both errors and fraud. To be effective it must be planned carefully and applied sensibly. A properly designed RBAC model can reduce, and in some cases eliminate, the risk of a variety of problems (Ferraiolo, Chandramouli, Ahn, & Gavrila, 2003).
The RBAC model establishes relationships between the elements of a business process (Olzak, 2011). A role is a clearly defined position with assigned responsibilities; holding the role allows a user to perform a specific set of operations within the system, and only the operations pertinent to the role are permitted.
The human resource information system at Riordan Manufacturing keeps track of employee information, including personal information, rate of pay, tax exemptions, hire and seniority dates, organizational information, and vacation hours. Although changes to this information are submitted by an employee's manager, they can only be entered into the system by a payroll clerk. Training and development records are kept by the Training and Development Specialist, while the Compensation Manager tracks the results of job analyses and compensation decisions. Worker's compensation is handled by a third-party vendor.
| Role | Alter employee information | Track training and development records | Track applicant information | Manage worker compensation claims | Keep individual employee records | Track complaints | Handle individual compensation decisions |
|---|---|---|---|---|---|---|---|
| Training and Development Specialist | | X | | | | | |
| Worker's Compensation Provider | | | | X | | | |
| Employee Relation Specialist | | | | | | X | |
Separating roles prevents both errors and deliberate misuse, including fraud, from taking hold. Certain tasks, such as altering an employee's rate of pay, are split into three separate activities: the Compensation Manager determines the rate, the Employee Manager submits it, and the Payroll Clerk enters it into the system. The roles are mutually exclusive, which both deters fraud and leaves an audit trail for errors. For instance, if an employee receives a low paycheck after a raise, the approved rate can be traced back to the Compensation Manager's decision and the Employee Manager's form, showing that the Payroll Clerk accidentally entered $40 an hour as $4 an hour. The split also prevents favoritism, where an Employee Manager might give a pet employee a significant and undeserved raise over a better-qualified one. Because neither the Compensation Manager nor the Employee Manager can modify an employee's record, they cannot add fictitious training or fabricate complaints to artificially justify a change in an employee's status or rate of pay.
When pay information is being determined, the Recruiter, Employee Relation Specialist, and Training and Development Specialist provide pertinent information to the Compensation Manager on request; the Compensation Manager then instructs the Employee Manager, who submits the change to the Payroll Clerk in writing. Worker's compensation information, such as a change in an employee's availability for work, can be noted in the same way.
Each role has access only to the operations needed to perform its job function. A recruiter needs to track information on applicants, but it is the Compensation Manager who approves the rate of pay, which prevents a recruiter from promising an inappropriate rate to a candidate. A Compensation Manager does not get access to an employee's worker's compensation claims, so that information cannot bias compensation decisions. By making the tracking of employee complaints and of worker's compensation claims separate roles, a need-to-know policy is enforced that helps prevent discrimination and retaliation, and decisions are made more objectively, on applicable criteria only (O'Brien & Marakas, 2009).
In a role hierarchy, a supervisor inherits the permissions of his or her subordinates. A payroll clerk can enter changes into the system; the payroll supervisor can both enter changes and approve a run of payroll checks. To keep a proper separation of duties, only the employee manager or operations supervisor should have permission to print and hand out checks. Inheritance must not be allowed to collapse that separation: a supervisor who enters a change using the inherited clerk permission should not also be the one who approves the run containing it. With these rules there are three opportunities to correct an error and no opportunity to commit fraud deliberately without multiple employees colluding.
By applying the principles of need to know and least privilege when defining roles, the organization removes most opportunities for discrimination, retaliation, and payroll error. This substantially reduces the risk of lawsuits and fraud and improves the organization's ability to do business safely.
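The three-way split of a pay change described earlier and the supervisor hierarchy in the paragraph above can be expressed as an RBAC policy with separation-of-duties checks. The following is an added example written for this page, not code from the original essay or from Riordan Manufacturing; the role and operation names follow the text, while the user names, the inheritance and exclusion tables, and all function names are assumptions made for illustration.

```python
"""RBAC with a role hierarchy and separation-of-duties checks (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Least privilege: each role carries only the operations its job needs.
# Role and operation names follow the text; the table itself is an assumption.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payroll_clerk": {"enter_pay_change"},
    "payroll_supervisor": {"approve_payroll_run"},
    "employee_manager": {"submit_pay_change", "print_checks"},
    "compensation_manager": {"decide_pay_rate"},
    "recruiter": {"track_applicants"},
    "employee_relations_specialist": {"track_complaints"},
    "training_specialist": {"track_training_records"},
    "workers_comp_provider": {"manage_comp_claims"},
}
# Role hierarchy: a senior role inherits every permission of its junior roles.
ROLE_INHERITS: Dict[str, Set[str]] = {"payroll_supervisor": {"payroll_clerk"}}
# Static separation of duties: no single user may hold both roles of a pair.
MUTUALLY_EXCLUSIVE: Set[FrozenSet[str]] = {
    frozenset({"compensation_manager", "employee_manager"}),
    frozenset({"employee_manager", "payroll_clerk"}),
    frozenset({"compensation_manager", "payroll_clerk"}),
    frozenset({"payroll_supervisor", "employee_manager"}),
}
# In-system steps of a pay change, in order, with the permission each requires.
WORKFLOW: List[Tuple[str, str]] = [
    ("enter", "enter_pay_change"),
    ("approve", "approve_payroll_run"),
    ("print", "print_checks"),
]


class SoDViolation(Exception):
    """A static or dynamic separation-of-duties rule was broken."""


def expand_roles(roles: Set[str]) -> Set[str]:
    """Close a role set under ROLE_INHERITS, transitively."""
    closed: Set[str] = set()
    pending = list(roles)
    while pending:
        role = pending.pop()
        if role not in closed:
            closed.add(role)
            pending.extend(ROLE_INHERITS.get(role, ()))
    return closed


def permissions_for(roles: Set[str]) -> Set[str]:
    """Effective permissions of a user holding the given roles."""
    perms: Set[str] = set()
    for role in expand_roles(roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def check_static_sod(assignments: Dict[str, Set[str]]) -> None:
    """Reject any user whose effective roles (after inheritance) form an excluded pair."""
    for user, roles in assignments.items():
        effective = expand_roles(roles)
        for pair in MUTUALLY_EXCLUSIVE:
            if pair <= effective:
                raise SoDViolation(f"{user} holds conflicting roles {sorted(pair)}")


@dataclass
class PayChange:
    employee: str
    hourly_rate: float
    history: List[Tuple[str, str]] = field(default_factory=list)  # (step, actor)


def perform_step(change: PayChange, step: str, actor: str,
                 assignments: Dict[str, Set[str]]) -> PayChange:
    """Dynamic separation of duties: steps run in order, each needs its own
    permission, and no actor may touch the same change twice. The last rule stops
    a supervisor who entered a change via inherited clerk rights from approving it."""
    steps = [name for name, _ in WORKFLOW]
    if len(change.history) >= len(steps):
        raise SoDViolation("workflow already complete")
    expected = steps[len(change.history)]
    if step != expected:
        raise SoDViolation(f"step {step!r} out of order; expected {expected!r}")
    needed = dict(WORKFLOW)[step]
    if needed not in permissions_for(assignments.get(actor, set())):
        raise PermissionError(f"{actor} lacks permission {needed!r}")
    if any(actor == who for _, who in change.history):
        raise SoDViolation(f"{actor} already acted on this change")
    change.history.append((step, actor))
    return change


# Constructed sample population; these users are not from the page.
USERS: Dict[str, Set[str]] = {
    "alice": {"payroll_clerk"},
    "bob": {"payroll_supervisor"},
    "carol": {"employee_manager"},
}

if __name__ == "__main__":
    check_static_sod(USERS)
    change = PayChange("emp-1042", 40.0)
    for step, actor in (("enter", "alice"), ("approve", "bob"), ("print", "carol")):
        perform_step(change, step, actor, USERS)
    print(change.history)
```

The static check runs over the expanded role set, so a user who is given two roles that only conflict through inheritance is still caught; the dynamic check is what enforces the three-person path (enter, approve, print) on each individual change, which is the property the paragraph relies on when it says fraud requires collusion.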
Dunn, C. L., Cherrington, J. O., & Hollander, A. S. (2004). Enterprise information systems: A pattern-based approach (3rd ed.). New York, NY: McGraw-Hill.
Ferraiolo, D. F., Chandramouli, R., Ahn, G., & Gavrila, S. I. (2003). The role control center: Features and case studies. Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, 12-20.
O’Brien, J. A., & Marakas, G. (2009). Management information systems (9th ed.). New York, NY: McGraw-Hill.
Olzak, T. (2011). Lecture, Week . Retrieved from University of Phoenix, CMGT430 – Enterprise Security website.
© 2012, Within this mind. All rights reserved.