Role-based security, more technically role-based access control (RBAC), is a vital part of modern security systems. It can be particularly useful for field service technicians, who may face physical security risks (such as lost or stolen devices) more often.
What is RBAC?
RBAC reduces the amount of damage that can be done when a user’s access is compromised. It does so by assigning permissions to specific roles within the company.
The intent is that employees can only access the files and data they actually need for their job. The more complicated way to do this is to manually assign permissions to each individual user. But this rapidly becomes unwieldy and hard to manage.
Instead, users are assigned to a group. This will automatically give them access to the software that tells them where jobs are but not, for example, to the personal details of other employees. A supervisor would get further access to review and update the job details.
Benefits of Role-Based Security
So, what are the overall benefits of role-based security? Here are some of the most relevant for field technicians:
- Set permissions quickly, with no need to go through each individual worker.
- Audit user privileges and quickly correct any issues. This includes responding quickly when an employee tells you they can’t access what they need.
- Quickly add, remove, and change roles.
- Reduce the risk of adding user permissions incorrectly. There is a risk of error every time you have to enter permissions.
- Comply with regulatory privacy requirements and better protect the privacy of your customers and employees.
- Make the access lists make sense. Assign them in a way that maps to job duties. It’s easier to see why people have the permissions they have.
- Reduce employee downtime when employees are onboarded, promoted, or transferred. Employees should spend less time waiting for “IT to set them up.”
- Reduce the risk of data breaches.
How Role-Based Security Benefits Field Service Technicians
The last point is particularly important for field service technicians. With the best will in the world… and training… the risk of a field technician leaving their phone at a client’s house is higher than that of somebody in the office. Role-based security, in conjunction with remote wipe capability and other anti-theft techniques, reduces the risk of a data breach caused by an incident in the field. Ideally, anyone who picks up a field technician’s phone will get only their checklists, that day’s schedule, and other basic information. They would have to work very hard to get past that, and by the time they did so, IT could have the phone wiped.
Also particularly relevant is protecting customer privacy. Your technicians don’t need access to the entire customer database at all times, but only to the addresses that they are going to that day. RBAC allows for relational permissions. Your software can be set to give that access. Field technicians are not allowed to access your primary customer relationship management software beyond what their role requires. This would mean they can get the addresses they need, get the details of the job, sign the job off as done, and move on without needing to leaf through customers to find the relevant ones.
How to Do Role-Based Security Right
Firstly, all access must be through roles. All users must have an active role (this also makes locking down the access of an employee who is leaving a lot easier; you just remove their roles) and all transactions other than logging in have to have a role assigned to them.
Consider these best practices:
- Establish your needs before you start. This means doing an audit of who actually uses what, so as to make sure you assign the right permissions.
- Define roles carefully. Some roles may be a no-brainer, but you need to look at your entire hierarchy. Roles need to make sense. Aligning roles with your business roles supports all of your business processes, and the roles can be cross-linked to other things. This includes onboarding systems that make sure people get the right safety training materials.
- Consider testing the application with a small, sensitive area, such as employee data, first.
- Let senior employees test the system before deploying. Have them tell you whether they can access everything they need and whether anything is wonky. Doing a staged rollout starting with people you trust helps.
- Write a policy that ensures that employees know how the system is supposed to work and lets them know how things will change.
- Pay attention to feedback and keep adapting.
- Develop systems to assign roles smoothly when an employee is hired, and to remove them quickly if somebody is transferred or separated. IT needs to know exactly what role(s) to assign to each new user.
- Use the right software that allows for your company size and type. Note that RBAC allows for the use of hierarchical roles. Make sure that the “web” of roles makes sense for what you are doing.
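The rules above (all access goes through roles, removing roles locks an account, roles can be hierarchical) and the per-day address access described earlier can be expressed in a few functions. This Python example is added here and is not Gruntify's code; the role names, permission strings and job fields are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed role model (assumption): own permissions plus inherited roles.
ROLES = {
    "technician": {"inherits": [], "perms": {"job:read_assigned", "job:sign_off"}},
    "supervisor": {"inherits": ["technician"], "perms": {"job:read_all", "job:update"}},
    "hr": {"inherits": [], "perms": {"employee:read_personal"}},
}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

@dataclass
class Job:
    job_id: int
    address: str
    assigned_to: str
    day: date

def effective_perms(role, seen=None):
    """Permissions of a role plus everything it inherits (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in ROLES:
        return set()  # unknown roles grant nothing
    seen.add(role)
    perms = set(ROLES[role]["perms"])
    for parent in ROLES[role]["inherits"]:
        perms |= effective_perms(parent, seen)
    return perms

def user_perms(user):
    """Union of permissions over the user's active roles."""
    return set().union(*(effective_perms(r) for r in user.roles))

def can(user, perm):
    """Deny by default: a user with no active role can do nothing."""
    return perm in user_perms(user)

def visible_jobs(user, jobs, today):
    """Relational check: technicians see only their own jobs for today."""
    perms = user_perms(user)
    if "job:read_all" in perms:
        return list(jobs)
    if "job:read_assigned" in perms:
        return [j for j in jobs if j.assigned_to == user.name and j.day == today]
    return []
```

Clearing `user.roles` is the whole offboarding step in this model: every later `can` or `visible_jobs` call for that user returns nothing.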
The most important thing is that the roles you set need to map to what your employees actually do. Somebody who looks at the system should be able to see which role goes to which employee without having to dig into it. Implement it clearly and take feedback from your people.
If you are looking into improving your security and are thinking of setting up a role-based access control system, especially after seeing the very real benefits, contact Gruntify today. Our specialist applications for fieldwork of all types include RBAC systems designed to fit your specific needs.