RBAC vs ABAC - Which is More Effective For You?
Written November 16, 2022
One of the most fundamental security requirements for an organization is to ensure that access to corporate resources is safe, available, and granted only to those who are permitted. The Trusted Computer System Evaluation Criteria (TCSEC) was a foundational security framework, introduced in 1983 for use by the United States Department of Defense, that engineered and rationalized controls to manage access to classified documents. The TCSEC introduced two categories of access control: discretionary access control (DAC) and mandatory access control (MAC). Since the TCSEC's inception, DAC criteria have been regarded as technically adequate for commercial and civilian government security demands, as well as single-level military systems, while MAC is used for multi-level secure military systems and is rarely employed in other applications. As security systems and technologies evolved, TCSEC was succeeded by the Common Criteria as an international standard, which introduced derivatives of MAC and DAC known as role-based access control (RBAC) and attribute-based access control (ABAC). Applications were required to adopt these concepts within their authorization models, and they have become commonplace due to their ease of use.
RBAC and ABAC's involvement in IAM
Identity and access management (IAM) is a set of processes and technologies that makes it possible for the right people to access the right resources at the right times. Controlling access to resources has become critical to organizational adoption of Zero Trust security models, in an effort to mitigate operational and security risks in increasingly complex technology ecosystems.
Organizations often adopt role-based access control as a common approach to safeguarding resources, due to its ease of use and its flexibility to enforce assignment criteria based on a subject's common job functions. In contrast, attribute-based access control is more common in industry-specific applications such as healthcare, or technology-specific applications like network access, where control determinations are based on contextual information about both the subject and the object: for example who the user is, the resource they are attempting to access, their location, and the time of day.
RBAC and ABAC Defined
The fundamental concept underlying RBAC is that permissions to one or many resources are linked to certain roles, and users are assigned those roles according to their needs. Through this model, administration of underlying permissions is simplified: resource control decisions can be made based on job functions, and new applications (including their underlying permissions) used to enable additional job functions can simply be added to roles without having to modify user permissions directly. Similarly, applications and permissions can be removed from roles whenever they are no longer required.
The most common benefits of RBAC are realized in user lifecycle management: it simplifies on-boarding and off-boarding processes and aids the automation of access administration and assignment.
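The following is an added example, not KeyData's code or any product's API, showing the RBAC model described above in working form: permissions attach to roles, users attach to roles, and adding an application's entitlement to a role or off-boarding a user is a single operation that never edits a user's permissions directly. All role, permission and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Added example (not KeyData's code): a minimal RBAC model. Permissions attach
# to roles and users attach to roles, so changing a role changes access for
# every member without touching users directly. Names below are constructed.


@dataclass
class RbacPolicy:
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant_to_role(self, role: str, permission: str) -> None:
        """Attach a permission (e.g. a new application entitlement) to a role."""
        self.role_permissions.setdefault(role, set()).add(permission)

    def revoke_from_role(self, role: str, permission: str) -> None:
        """Detach a permission from a role; every member loses it at once."""
        self.role_permissions.get(role, set()).discard(permission)

    def assign_role(self, user: str, role: str) -> None:
        """On-boarding: give the user a job-function role."""
        self.user_roles.setdefault(user, set()).add(role)

    def offboard(self, user: str) -> None:
        """Off-boarding is one operation: drop all of the user's role memberships."""
        self.user_roles.pop(user, None)

    def permissions_for(self, user: str) -> set[str]:
        """Effective permissions are the union of the permissions of every role held."""
        held: set[str] = set()
        for role in self.user_roles.get(user, set()):
            held |= self.role_permissions.get(role, set())
        return held

    def is_permitted(self, user: str, permission: str) -> bool:
        """The authorization check an application would call."""
        return permission in self.permissions_for(user)


def build_sample_policy() -> RbacPolicy:
    """Constructed sample data: three job-function roles and two users."""
    p = RbacPolicy()
    for perm in ("payroll:read", "payroll:export"):
        p.grant_to_role("payroll-analyst", perm)
    for perm in ("employee:read", "employee:update"):
        p.grant_to_role("hr-generalist", perm)
    p.grant_to_role("helpdesk", "employee:read")
    p.assign_role("alice", "payroll-analyst")
    p.assign_role("alice", "hr-generalist")
    p.assign_role("bob", "helpdesk")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print(sorted(policy.permissions_for("alice")))
    # A new application for the helpdesk function is added to the role, not to Bob.
    policy.grant_to_role("helpdesk", "ticketing:write")
    print(policy.is_permitted("bob", "ticketing:write"))
    policy.offboard("bob")
    print(policy.is_permitted("bob", "employee:read"))
```

Note that `permissions_for` is deliberately the only place that resolves user to permission; an application that caches that result must invalidate it when a role changes, or a revocation at the role level will not take effect for users already holding the cached set.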
Attribute-based access control determinations are not limited to job functions and business rules; they also draw on subject and object attributes, and seldom require resource owner approvals to enforce a control decision. The metadata that inform these control decisions are commonly broken down as follows:
- Subject Attributes: includes items such as name, position, employer, identification card number, and access level.
- Environment Attributes: includes items such as access time, data location and current threat levels within the organization.
- Object Attributes: includes items such as owner of the resource, file name, creation date and data sensitivity level.
Compared to RBAC, ABAC allows for a significantly wider range of parameters, and avoids the need for explicit authorizations to be assigned directly to subjects before a request to perform an operation on the object. For instance, ABAC can restrict HR personnel from permanently viewing employee and payroll data, limiting their access to particular times of day or to the locations where the individual in question works.
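As an added example (not KeyData's code or any vendor's policy language), the HR payroll rule above can be written as a policy evaluated over the three attribute groups from the list: subject attributes (department, work location, access level), object attributes (kind, owner, sensitivity) and environment attributes (time of day, request location, threat level). No authorization is pre-assigned to the subject; the decision is computed at request time, deny by default, with an explicit deny rule that overrides any permit. Every attribute name, value and rule here is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

# Added example (not KeyData's code): an attribute-based policy evaluated over
# subject, object and environment attributes at request time. The HR/payroll
# rule follows the article's illustration; all names and values are constructed.


@dataclass(frozen=True)
class Subject:
    name: str
    department: str
    work_location: str
    access_level: int


@dataclass(frozen=True)
class Resource:
    kind: str            # e.g. "payroll", "employee-record"
    owner: str
    sensitivity: int     # higher means more sensitive


@dataclass(frozen=True)
class Environment:
    now: time            # time of day of the request
    location: str        # where the request originates
    threat_level: str    # "low", "elevated" or "high"


Rule = Callable[[Subject, str, Resource, Environment], bool]


def hr_payroll_on_site_business_hours(s: Subject, action: str, r: Resource, e: Environment) -> bool:
    """HR may read payroll data only during business hours and from their own work site."""
    return (
        s.department == "HR"
        and r.kind == "payroll"
        and action == "read"
        and time(8, 0) <= e.now <= time(18, 0)
        and e.location == s.work_location
    )


def owner_manages_own_resource(s: Subject, action: str, r: Resource, e: Environment) -> bool:
    """A resource owner may read or update what they own."""
    return r.owner == s.name and action in {"read", "update"}


def access_level_covers_sensitivity(s: Subject, action: str, r: Resource, e: Environment) -> bool:
    """Read access when the subject's access level meets the object's sensitivity."""
    return action == "read" and s.access_level >= r.sensitivity


def elevated_threat_blocks_sensitive(s: Subject, action: str, r: Resource, e: Environment) -> bool:
    """Deny rule: nothing above sensitivity 2 is reachable while the threat level is high."""
    return e.threat_level == "high" and r.sensitivity > 2


PERMIT_RULES: list[Rule] = [
    hr_payroll_on_site_business_hours,
    owner_manages_own_resource,
    access_level_covers_sensitivity,
]
DENY_RULES: list[Rule] = [elevated_threat_blocks_sensitive]


def evaluate(s: Subject, action: str, r: Resource, e: Environment) -> bool:
    """Deny-overrides combining: a matching deny rule wins; otherwise any permit
    rule grants; otherwise the default is deny."""
    if any(rule(s, action, r, e) for rule in DENY_RULES):
        return False
    return any(rule(s, action, r, e) for rule in PERMIT_RULES)


if __name__ == "__main__":
    alice = Subject("alice", "HR", "toronto", 2)
    payroll = Resource("payroll", "payroll-system", 3)
    print(evaluate(alice, "read", payroll, Environment(time(10, 0), "toronto", "low")))   # True
    print(evaluate(alice, "read", payroll, Environment(time(22, 0), "toronto", "low")))   # False
    print(evaluate(alice, "read", payroll, Environment(time(10, 0), "remote", "low")))    # False
    print(evaluate(alice, "read", payroll, Environment(time(10, 0), "toronto", "high")))  # False
```

The design choice worth noting is the combining algorithm: with several permit rules, one overly broad rule (here, the access-level rule) can silently extend what another rule meant to restrict, which is why the payroll object carries a sensitivity above HR's access level and why the threat-level check is a separate deny rule rather than a clause repeated in every permit rule.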
As most applications already have well-defined role-based authorization models, abstraction of these roles into an enterprise repository requires input from resource owners to capture business rules that inform assignment decisions. Most enterprise IAM solutions also offer mechanisms to consolidate application roles into broader functional roles that grant common access to suites of applications, as well as capabilities to enforce control decisions through approval workflows.
By comparison, ABAC requires high-quality metadata about subjects and resources, granular business rules, as well as technology capabilities to capture and enforce access control decisions. ABAC does offer a higher degree of flexibility, as well as fine-grained control for decision intelligence that can be automated for all subjects within the organization.
One common drawback of RBAC is role explosion, where weak role definition and management processes lead to the creation of more roles than there are people in the organization, as new roles are minted to accommodate job exceptions; this increases the complexity and administration required to maintain roles.
With ABAC, challenges are commonly encountered in identifying sources of high-quality data to supply user and environment context, as well as in customizing IAM technologies to make and enforce these access control decisions.
In practical implementations, today’s IAM solutions offer a hybrid attribute and role-based control capability that can provide additional subject context from authoritative sources of people data to aid with control decisions or automate role-based access assignment.
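As an added example of the hybrid approach (not KeyData's code or any IAM product's implementation), the block below derives the roles a person should hold from attributes in an authoritative people-data source, reconciles that against their current role memberships to produce the grants and revocations an IAM system would automate, and flags roles that no assignment rule can account for, which is where role explosion from ad hoc exceptions tends to show up. The record fields, rules and role names are constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Added example (not KeyData's code): attribute-driven role assignment.
# Authoritative people data (a constructed HR record) determines which roles a
# person should hold; reconciling against current memberships yields the grants
# and revocations to automate. Fields, rules and role names are constructed.


@dataclass(frozen=True)
class PersonRecord:
    user_id: str
    department: str
    title: str
    status: str  # "active" or "terminated"


AssignmentRule = tuple[str, Callable[[PersonRecord], bool]]

# Each rule maps a predicate over subject attributes to a role; a terminated
# record matches nothing, so termination revokes every managed role.
ASSIGNMENT_RULES: list[AssignmentRule] = [
    ("employee-baseline", lambda p: p.status == "active"),
    ("hr-generalist", lambda p: p.status == "active" and p.department == "HR"),
    ("payroll-analyst", lambda p: p.status == "active"
                                  and p.department == "HR"
                                  and "payroll" in p.title.lower()),
    ("developer", lambda p: p.status == "active" and p.department == "Engineering"),
]

MANAGED_ROLES: set[str] = {role for role, _ in ASSIGNMENT_RULES}


def expected_roles(p: PersonRecord) -> set[str]:
    """Roles the person should hold according to the assignment rules."""
    return {role for role, applies in ASSIGNMENT_RULES if applies(p)}


def reconcile(p: PersonRecord, current: set[str]) -> tuple[set[str], set[str]]:
    """Return (roles to grant, roles to revoke) to align current membership
    with what the attributes say it should be."""
    want = expected_roles(p)
    return want - current, current - want


def unmanaged_roles(memberships: dict[str, set[str]]) -> set[str]:
    """Roles held by anyone that no assignment rule produces: candidates for
    the exception roles that drive role explosion, and for review or retirement."""
    held: set[str] = set()
    for roles in memberships.values():
        held |= roles
    return held - MANAGED_ROLES


if __name__ == "__main__":
    # Constructed people data and current role memberships.
    people = [
        PersonRecord("carol", "HR", "Payroll Specialist", "active"),
        PersonRecord("dave", "Engineering", "Software Engineer", "terminated"),
    ]
    memberships = {
        "carol": {"hr-generalist", "developer", "legacy-app-admin"},
        "dave": {"developer", "employee-baseline"},
    }
    for person in people:
        grant, revoke = reconcile(person, memberships[person.user_id])
        print(person.user_id, "grant:", sorted(grant), "revoke:", sorted(revoke))
    print("unmanaged:", sorted(unmanaged_roles(memberships)))
```

In practice the reconciliation step should run whenever the authoritative record changes (a department transfer or a termination event), not only on a schedule, because the gap between the attribute change and the revocation is the window in which stale access exists.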
Want to Learn More?
Identity and Access Management (IAM) is KeyData's most important service. We know how to help organizations use RBAC and ABAC in the best way. We put all our energy into IAM. Our people and our knowledge are what give us an edge at KeyData. Our team is made up of highly skilled engineers and consultants who focus on RBAC and ABAC implementation, Privileged Access Management, Customer Identity, Access Management, and Cloud Security Posture Management. Our team has a strong track record of providing end-to-end IAM services, from gathering requirements and making roadmaps to full implementation, training, and managed support. Don't hesitate to get in touch with us right away for a free initial consultation.