RBAC vs. ABAC: Which One to Choose?

    At the highest level, identity management systems are made up of three main elements: users, systems/applications, and policies. Policies describe which users may interact with which systems and applications, and in what way.

    Most Identity and Access Management (IAM) solutions offer several methods for enforcing organizational resource access control policies, and vendors use a variety of terms to describe them. Essentially, though, every form of access control can be mapped back to one of four traditional models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC).

    What is Role-Based Access Control?

    RBAC regulates access based on the roles users hold within the system and on rules that define what users in those roles are allowed to access. Under IAM, a role is usually roughly equivalent to a group in the directory system: simply a logical grouping of one or more users who share some common attribute, such as the same department, job grade, physical location, or type of user (employee, contractor, partner).

    About Attribute-Based Access Control

    Attribute-based access control (ABAC) makes access decisions on the basis of three kinds of attributes: attributes of the user (subject), attributes of the application, device, or data being accessed (resource), and the current environmental conditions (time of day, network location, device posture, and so on).

    ABAC is the most versatile and expressive of the four access control models, but it is also the most complex. At its heart, ABAC allows fine-grained access control, because many more input variables can feed into an access decision. Any attribute available in the directory can be used, by itself or in combination with others, to define the filter that controls access to a resource.

    RBAC vs. ABAC: Which One to Choose?

    Now that the key distinctions between role-based and attribute-based access control are clearer, we can discuss best practices for what to use and when. Although RBAC and ABAC can be complex topics, here are four basic principles that apply not only when you first implement your IAM but also as your organization and its needs change over time:

    1: RBAC Is For Broader Access Control and ABAC Is For Finer Access Control

    Use RBAC when you can make access control decisions in broad strokes, for instance giving all employees access to a particular application. Use ABAC if you need more granularity than this, or if the decision depends on conditions at the time of the request. For example: employees may access that application only if they are in department X and are performing task Y.

    2: RBAC Prior to ABAC

    General practice is to try RBAC before ABAC, because at their core these controls are just searches or filters against directory data. The larger and more complex the query, the more processing power and time it takes to evaluate. And because the search space grows with the number of users and applications a company has, the processing cost of those searches/filters grows with it.

    3: Less is Better

    If you find yourself producing a lot of very complex RBAC and/or ABAC filters, you are probably doing something wrong. A little planning will help you organize your directory data in a way that removes the need for complex filters/queries. Every now and then you will have to get creative to express the right degree of access control, but this should be the exception and not the rule.

    4: Divide and Conquer

    In a hybrid strategy, you can employ RBAC and ABAC together. For example, use RBAC to control which modules a user can see at all, and then use ABAC to control what they can see (or do) within a module.
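    The following is an added example, not code from the original article, showing the hybrid strategy above together with the three attribute types described in the ABAC section: a cheap RBAC check decides which modules a role may see, and only requests that pass it are evaluated against ABAC rules over subject, resource, and environment attributes. The roles, modules, users, resource, rule set, and environment values are all constructed for this illustration.

```python
"""Hybrid RBAC + ABAC authorization.

Added illustration, not code from the original article. All roles, modules,
subjects, resources and rules below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

# --- RBAC layer (coarse-grained): a role maps to the modules it may see.
ROLE_MODULES = {
    "employee": {"timesheet"},
    "finance": {"timesheet", "ledger"},
    "hr": {"timesheet", "payroll"},
}


@dataclass(frozen=True)
class Subject:          # user attributes
    user_id: str
    roles: frozenset
    department: str
    clearance: int


@dataclass(frozen=True)
class Resource:         # attributes of the thing being accessed
    module: str
    owner_department: str
    sensitivity: int


@dataclass(frozen=True)
class Environment:      # conditions at the time of the request
    now: datetime
    network: str        # "corp" or "internet" (constructed attribute)


# --- ABAC layer (fine-grained): predicates over (subject, action, resource, env).
Rule = Callable[[Subject, str, Resource, Environment], bool]


def clearance_covers(s: Subject, a: str, r: Resource, e: Environment) -> bool:
    return s.clearance >= r.sensitivity


def same_department(s: Subject, a: str, r: Resource, e: Environment) -> bool:
    return s.department == r.owner_department


def business_hours_on_corp_net(s: Subject, a: str, r: Resource, e: Environment) -> bool:
    return e.network == "corp" and time(8) <= e.now.time() < time(18)


# Every rule listed for an action must hold (AND); an unknown action is denied.
ABAC_RULES: dict[str, list[Rule]] = {
    "read": [clearance_covers],
    "write": [clearance_covers, same_department, business_hours_on_corp_net],
}


def rbac_allows(subject: Subject, module: str) -> bool:
    """Broad check: does any of the subject's roles expose this module?"""
    return any(module in ROLE_MODULES.get(role, set()) for role in subject.roles)


def abac_allows(subject: Subject, action: str, resource: Resource, env: Environment) -> bool:
    """Fine-grained check: all rules registered for the action must pass."""
    rules = ABAC_RULES.get(action)
    if rules is None:
        return False  # default deny for actions with no policy
    return all(rule(subject, action, resource, env) for rule in rules)


def authorize(subject: Subject, action: str, resource: Resource, env: Environment) -> tuple[bool, str]:
    """RBAC first (a cheap set lookup); ABAC only for requests that pass it."""
    if not rbac_allows(subject, resource.module):
        return False, f"rbac: no role grants module {resource.module!r}"
    if not abac_allows(subject, action, resource, env):
        return False, f"abac: rules for {action!r} not satisfied"
    return True, "allow"


# Constructed sample data used by the demo below.
ALICE = Subject("alice", frozenset({"finance"}), "finance", clearance=2)
BOB = Subject("bob", frozenset({"employee"}), "engineering", clearance=1)
LEDGER = Resource("ledger", owner_department="finance", sensitivity=2)
ENV_CORP_DAYTIME = Environment(datetime(2024, 1, 10, 10, 0), network="corp")
ENV_HOME_NIGHT = Environment(datetime(2024, 1, 10, 22, 0), network="internet")

if __name__ == "__main__":
    for who, action, env in [(BOB, "read", ENV_CORP_DAYTIME),
                             (ALICE, "read", ENV_CORP_DAYTIME),
                             (ALICE, "write", ENV_CORP_DAYTIME),
                             (ALICE, "write", ENV_HOME_NIGHT),
                             (ALICE, "delete", ENV_CORP_DAYTIME)]:
        allowed, reason = authorize(who, action, LEDGER, env)
        print(f"{who.user_id:6} {action:6} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

    Note the ordering: the RBAC lookup rejects Bob before any attribute rule runs, which is the "RBAC prior to ABAC" principle in practice, and the ABAC layer denies by default for any action it has no rules for rather than falling through to allow.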


    Access control is a collection of policies that ensures users access the right systems, services, and applications in the right way. A good IAM solution, whether you use RBAC, ABAC, or both, should therefore help you define what users can do within each application, with mechanisms to ensure the right people get the right access to the right things at the right time.
