IAM Concept of the Week: RBAC versus ABAC

Introducing our new Concept of the Week blog series – Each week we’ll define and explain the significance of a concept in the world of Identity and Access Management.

This week let’s discuss Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) – both are popular approaches to determining who can access an organization’s resources and what they can do with those resources.

RBAC is the older of the two models, dating back to the early nineties, and maps permissions onto roles rather than onto individual users. The advantage of this approach is that an organization no longer has to grant or revoke access case by case: users are assigned roles, and each role carries a fixed set of permissions. For example, administrators at a hospital may be given read and edit access to all patient records, while doctors may be given read-only access to patient records. (Restricting a doctor to only his or her own patients’ records is already beyond what a role can express on its own, and is exactly the kind of requirement that drives the problem described next.) This model works best for smaller organizations with a manageable number of roles and permissions. As an organization grows, the number of roles and resources typically grows with it, and each new exception tends to become yet another role. This “role explosion” adds complexity, and ultimately the two-dimensional approach of roles and permissions becomes too inflexible for many organizations.

ABAC offers a more flexible, multi-dimensional approach to access control by basing decisions on attributes and policies. Attributes are pieces of information describing the subject (the user), the resource, the action and the environment of the request, such as a user’s department, a record’s owner, the time of day or the device in use; together they describe the relationships between users, actions and resources. When we combine attributes with rules, or policies, we can express anything from a simple rule to a highly specific one, depending on the situation. For example, a simple policy would be that only hospital administrators can access all patient records. A more complex policy might be that only an administrator with a speciality in oncology, physically located in a certain hospital department, on a certain device, can update a specific patient record.
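To make the two models concrete, here is a small added example in Python (it is not code from the original post or from any product): the hospital rules above expressed first as an RBAC role-to-permission table and then as ABAC policies over attributes of the subject, resource, action and environment, with a side-by-side comparison of the decisions each model reaches. All role names, attribute names, record values and helper functions are made up for illustration.

```python
"""RBAC versus ABAC on the hospital example. Added illustration; all names are invented."""
from dataclasses import dataclass, field

# RBAC: a role carries a fixed set of (resource type, action) permissions.
ROLE_PERMISSIONS = {
    "administrator": {("patient_record", "read"), ("patient_record", "update")},
    "doctor": {("patient_record", "read")},
}


def rbac_allowed(roles, resource_type, action):
    """Permit if any of the subject's roles carries (resource_type, action).

    Note what is missing: nothing here can express "only this doctor's own
    patients" without minting one role per patient.
    """
    return any((resource_type, action) in ROLE_PERMISSIONS.get(role, set())
               for role in roles)


# ABAC: a request is a bag of attributes; policies are predicates over them.
@dataclass
class Request:
    subject: dict                                    # who: id, role, specialty, ...
    resource: dict                                   # what: type, id, attending_physician, ...
    action: str                                      # read / update
    environment: dict = field(default_factory=dict)  # where/how: location, device state


def is_patient_record(r):
    return r.resource.get("type") == "patient_record"


def admins_read_any(r):
    """Simple policy from the text: administrators can read all patient records."""
    return (r.subject.get("role") == "administrator"
            and is_patient_record(r)
            and r.action == "read")


def doctors_read_own_patients(r):
    """A relationship between subject and resource, which roles alone cannot express."""
    return (r.subject.get("role") == "doctor"
            and is_patient_record(r)
            and r.action == "read"
            and r.resource.get("attending_physician") == r.subject.get("id"))


def oncology_admin_updates_on_site(r):
    """Complex policy from the text: an oncology administrator, physically in the
    oncology department, on a managed device, may update an oncology record."""
    return (r.subject.get("role") == "administrator"
            and r.subject.get("specialty") == "oncology"
            and is_patient_record(r)
            and r.resource.get("department") == "oncology"
            and r.action == "update"
            and r.environment.get("location") == "oncology_ward"
            and r.environment.get("device_managed") is True)


POLICIES = [admins_read_any, doctors_read_own_patients, oncology_admin_updates_on_site]


def abac_decide(request):
    """Deny by default. Returns (allowed, name of the first permitting policy or None)
    so that every permit can be logged together with its justification."""
    for policy in POLICIES:
        if policy(request):
            return True, policy.__name__
    return False, None


# Constructed sample data for a runnable comparison (invented, not real records).
RECORD_42 = {"type": "patient_record", "id": 42, "attending_physician": "dr_lee", "department": "oncology"}
RECORD_43 = {"type": "patient_record", "id": 43, "attending_physician": "dr_ng", "department": "cardiology"}
DR_LEE = {"id": "dr_lee", "role": "doctor"}
ADMIN_KIM = {"id": "kim", "role": "administrator", "specialty": "oncology"}
ON_SITE = {"location": "oncology_ward", "device_managed": True}
AT_HOME = {"location": "remote", "device_managed": False}


def compare():
    """Side-by-side decisions: RBAC sees only the role; ABAC sees the whole request."""
    cases = [
        ("Dr Lee reads own patient 42", DR_LEE, RECORD_42, "read", {}),
        ("Dr Lee reads someone else's patient 43", DR_LEE, RECORD_43, "read", {}),
        ("Kim updates record 42 from the ward on a managed device", ADMIN_KIM, RECORD_42, "update", ON_SITE),
        ("Kim updates record 42 from home on an unmanaged device", ADMIN_KIM, RECORD_42, "update", AT_HOME),
    ]
    results = {}
    for label, subj, res, action, env in cases:
        rbac = rbac_allowed({subj["role"]}, res["type"], action)
        abac, why = abac_decide(Request(subj, res, action, env))
        results[label] = (rbac, abac, why)
    return results


if __name__ == "__main__":
    for label, (rbac, abac, why) in compare().items():
        verdict = f"RBAC={'allow' if rbac else 'deny'}, ABAC={'allow' if abac else 'deny'}"
        print(f"{label}: {verdict}" + (f" ({why})" if why else ""))
```

Two design points carry over to real deployments. The ABAC evaluator denies by default and records which policy permitted a request, which is what an auditor will ask for later. And the environment attributes it relies on (location, whether the device is managed) are only as trustworthy as their source, so the systems that assert them become part of the access-control trust boundary.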

The real advantage of ABAC is the richness with which it can describe the relationship between the person accessing a resource, the resource itself and the context of the request, and this scales much better than adding ever more roles. The flip side is that a decision is only as trustworthy as the attributes that feed it, so the directories, device management and location services that supply those attributes become part of the trust boundary. Not surprisingly, as the world becomes more digital and complex we are seeing more and more organizations adopt ABAC. Indeed, Gartner predicts that by 2020, 70% of organizations will use this model.

Further reading

Other blogs in the IAM Concept of the Week series: