About role-based access control

2024-02-07Last updated

Role-based access control uses identities with various attributes to automatically manage access control. Defining provisioning policies ensures that people in your organization always have up-to-date access permission levels. If an employee changes job title, department, or moves to a different site, the system automatically adjusts their access when their identity attributes are changed.

Role-based provisioning policies can be used to automatically assign or revoke access in different situations:
  • Grant or revoke access based on employees locations.
  • Grant or revoke access based on specific roles or job titles in the organization, or who they report to.
  • Grant access to a zone only if people have specific training or certifications.
  • Grant or revoke access based on a list of custom attributes synchronized from an external source.
Note: Many other scenarios might also be possible depending on your requirements and current setup. You can also manually add, modify, or remove access at any time.

What is an identity?

In Genetec ClearID™, an identity represents a person and defines what they can do across various platforms, security systems, business systems, and functions. Each identity has one or more access control badges (credentials) and is linked to a cardholder in Synergis™. ​For example, these credentials could be a Windows user (Active Directory), an employee (Human Resources and Payroll), a sales person (CRM and Quoting Tool), and a cardholder (Physical Security).
​An identity is much more than the profile of a cardholder, it is a unique digital profile. The identity represents a person that either has an access control badge, uses the self-service portal, or both.
Note: In ClearID, a visitor or a temporary badge holder is not an identity.
  • An identity is a person who has a permanent badge assigned to them.
  • A visitor is a person who has a paper badge or a temporary badge credential assigned to them.
  • A contractor can be either an identity or a visitor. When a contractor is defined as a visitor, they receive a one-day HID card entered as a visitor in ClearID.
Access is typically permanent for employees, semi-permanent for contractors, and temporary for guests.

Identity attributes

In Genetec ClearID™, attributes are the traits or characteristics that make up an identity. Examples of attributes include department, location, role, seniority, pay grade, training certifications, and security clearance.

Role based access control relies on policies (provisioning rules) that automatically assign rights to identities (people) based on attributes (traits or characteristics).

In Genetec ClearID™, a role manager is an identity that has authority over who is assigned to a role. A role manager can add people to and remove people from a role. They are also responsible for role access review approvals.

The life cycle of an identity

In ClearID, the entire life cycle of an identity can be automatically managed.

The following diagram illustrates the life cycle of an identity when a provisioning policy is activated: