Identity management systems are usually made up of three main elements at the highest level: users, systems/applications, and policies. Policies describe how users communicate with various frameworks and software.
Most Identity and Access Management (IAM) solutions offer various methods for enforcing organizational resource access control policies, using multiple terms to define these methods. However, it is essentially possible to map all types of access control back to one of the four traditional models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-based Access Control (RBAC), and Attribute-based Access Control (ABAC).
What is Role-Based Access Control?
RBAC regulates access based on the roles users have within the system and on rules that define what users are able to access in those roles. Usually, under IAM, a role is approximately equal to a group in the directory system. It is simply a logical grouping of one or more users with some common affiliations, such as the same department, grade, age, physical location, or type of user.
About Attribute-Based Access Control
Attribute-based access control (ABAC) decides access on the basis of three different attribute types: attributes of the user, attributes of the application or device being accessed, and the current environmental conditions (for example time of day or network location).
Not only is ABAC the most versatile and efficient of the four access control models, it is also the most complex. At its heart, ABAC allows fine-grained access control, which means more input variables can feed into an access decision. Any accessible attribute in the directory can be used, by itself or in combination with others, to define the filter that controls access to a resource.
RBAC vs. ABAC: Which One to Choose?
Now that the key distinctions between role-based and attribute-based access are better understood, we can discuss best practices about what to use and when. Although RBAC and ABAC can be very complex topics, here are four basic principles that you can relate to not only when you begin implementing your IAM but as your organization and needs change on an ongoing basis:
1: RBAC Is For Broader Access Control and ABAC Is For Finer Access Control
Use RBAC when you can make access control decisions in broad strokes, for instance giving all employees access to a particular application. Use ABAC when you need more granularity than this, or when the decision depends on circumstances. For example, employees get access to that application only if they are in department X and are performing task Y.
2: RBAC Prior to ABAC
General practice is that you should try RBAC before ABAC, because at their core the controls are merely directory searches or filters. The larger and more complex the query, the more processing power and time it takes to evaluate. And, because the search space grows with them, the more users and applications a company has, the greater the processing cost of those searches/filters becomes.
3: Less is Better
If you are producing a lot of very complex RBAC and/or ABAC filters, you are probably doing something wrong. A little planning will help you organize your directory data in a way that reduces the need for complex filters/queries. Every now and then you will certainly have to get creative to arrive at the right degree of access control, but this should be the exception and not the rule.
4: Divide and Conquer
In a hybrid strategy, you can employ RBAC and ABAC together. For example, use RBAC to control which modules a user can see, and then use ABAC to control what they can see (or do) within a module.
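As an added example (not code from the original article or any IAM product), the following minimal policy engine implements principles 1 and 4 above: a coarse RBAC check on which modules a role grants, followed by fine-grained ABAC predicates over user, resource and environment attributes within a module. The role names, the "payroll" module, the department attribute and the network condition are all constructed sample data.

```python
# Hybrid RBAC + ABAC decision function. Constructed example data throughout.

# RBAC layer (broad strokes): which modules each role may see at all.
ROLE_MODULES = {
    "employee": {"intranet"},
    "finance": {"intranet", "payroll"},
}

# ABAC layer (finer control): predicates over (user, resource, env) attributes,
# keyed by module and action. Modules absent here are governed by RBAC alone.
def finance_on_corp_network(user, resource, env):
    # Only finance staff, and only from the corporate network, may approve.
    return user.get("department") == "finance" and env.get("on_corporate_network", False)

def same_department_as_owner(user, resource, env):
    # A record may only be viewed by someone in the department that owns it.
    return user.get("department") == resource.get("owner_department")

ABAC_RULES = {
    "payroll": {
        "approve": [finance_on_corp_network],
        "view": [same_department_as_owner],
    },
}

def is_allowed(user, resource, env):
    """Return (decision, reason). RBAC decides module access; ABAC refines inside it."""
    module, action = resource["module"], resource["action"]
    # Step 1 (RBAC): at least one of the user's roles must grant the module.
    if not any(module in ROLE_MODULES.get(role, set()) for role in user.get("roles", ())):
        return False, "rbac: no role grants module %r" % module
    # Step 2 (ABAC): if the module has fine-grained rules, the action must have
    # a rule and every predicate must hold; unknown actions are denied by default.
    module_rules = ABAC_RULES.get(module)
    if module_rules is None:
        return True, "rbac: granted by role, no ABAC rules for module"
    predicates = module_rules.get(action)
    if not predicates:
        return False, "abac: no rule for action %r (default deny)" % action
    if all(pred(user, resource, env) for pred in predicates):
        return True, "abac: all attribute conditions met"
    return False, "abac: attribute condition not met"

if __name__ == "__main__":
    alice = {"roles": {"finance"}, "department": "finance"}
    approve = {"module": "payroll", "action": "approve"}
    print(is_allowed(alice, approve, {"on_corporate_network": True}))   # allowed
    print(is_allowed(alice, approve, {"on_corporate_network": False}))  # denied by ABAC
```

Note that the environment attribute changes the outcome for the same user and resource, which is exactly the kind of decision RBAC alone cannot express.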
Access control is a collection of policies that ensures users access the right systems, services, and applications in the right way. Therefore, whether you use RBAC, ABAC, or both, a good IAM solution should help you define what users can do with applications, with mechanisms to ensure that the right people get the right access to the right things at the right time.