Administrators have a great deal of nuanced control in a system like this. You could set permissions based on a variety of attributes, all working together to keep documents safe. In theory, you could even give the same person different permissions based on where the person logs in or what the person tries to do on a different day of the week.
In ABAC, elements work together in a coordinated fashion.
- Subjects: Who is trying to do the work?
- Objects: What file within the network is the user trying to work with?
- Operation. What is the person trying to do with said file?
Relationships are defined by if/then statements. For example:
- If the user is in accounting, then the person may access accounting files.
- If the person is a manager, then that person may read/write files.
- If the company policy specifies “no Saturday work” and today is Saturday, then no one may access any files today.
RBAC vs. ABAC: Pros & Cons
RBAC and ABAC both concern control and access. Both approaches protect your systems, but they each come with definite benefits and drawbacks.
ABAC Pro
|
ABAC Cons
|
Well-defined control
Administrators can define, enhance, and manage many variables, ensuring a high level of control. You can develop very specific and granular rules that protect your assets.
|
Time constraints
Defining variables and configuring your rules is a massive effort, especially at project kickoff.
|
|
Expertise
As researchers point out, appropriate ABAC rules lead to accurate implementation. If you set up the system wrong at the outset, the fix could be time-consuming.
|
RBAC Pro
|
RBAC Con
|
Simplicity
Rules within the RBAC system are simple and easy to execute. The work happens quickly, and it needs less processing power.
|
Role explosions
To add granularity to their systems, some administrators add more roles. That can lead to what researchers call "role explosions" with hundreds or even thousands of rules to manage.
|
5 Identity Management Scenarios to Study
These examples can help you understand when RBAC systems are best and when ABAC systems might work better. We've also included an example of using both together, as sometimes that works well too.
Companies should consider the question of RBAC vs. ABAC when dealing with:
1. Small workgroups. RBAC is best. Defining work by role is simple when the company is small and the files are few.
If you work within a construction company with just 15 employees, an RBAC system should be efficient and easy to set up.
2. Geographically diverse workgroups. ABAC is a good choice. You can define access by employee type, location, and business hours. You could only allow access during business hours for the specific time zone of a branch.
3. Time-defined workgroups. ABAC is preferred. Some sensitive documents or systems shouldn't be accessible outside of office hours. An ABAC system allows for time-based rules.
4. Simply structured workgroups. RBAC is best. Your company is large, but access is defined by the jobs people do.
For example, a doctor's office would allow read/write scheduling access to receptionists, but those employees don't need to see medical test results or billing information. An RBAC system works well here.
5. Creative enterprises. ABAC is ideal because creative companies often use their files in unique ways. Sometimes, everyone needs to see certain documents; other times, only a few people do. Access needs change by the document, not by the roles.
For example, the creative staff within your company, including artists and writers, create files that are easily distributed by other employees. But those employees, including billing departments and account executives, might need to see those files. And the marketing team might want to share them.
The complexity of who should see these documents, and how they are handled, is best accomplished with ABAC.
Many times neither RBAC or ABAC will be the perfect solution to cover all the use cases you need. That’s why most organisations use a hybrid system, where high-level access is accomplished through RBAC and then fine-grained controls within that structure are accomplished through ABAC.
For example, you might use the RBAC system to hide sensitive servers from new employees. Then, you might use ABAC systems to control how people alter those documents once they do have access.
Researchers say blending RBAC and ABAC can help administrators get the best of both systems. RBAC offers leak-tight protection of sensitive files, while ABAC allows for dynamic behaviour. Blending them combines the strengths of both.
Make a Smart Decision
Not sure which identity management model is the best for your organisation? That’s okay.
Okta uses granular permissions and user access factors to let you create a secure path to access and authorisation. Discover what Okta can do for your organisation.
References
The NIST Model for Role-Based Access Control: Towards a Unified Standard. (July 2007). National Institute of Standards and Technology.
Policy Engineering in RBAC and ABAC. (November 2018). From Database to Cyber Security.
Adding Attributes to Role-Based Access Control. (June 2010). IEEE Computer.
Role-Based ABAC Model for Implementing Least Privileges. (February 2019). ICSCA '19: Proceedings of the 2019 8th International Conference on Software and Computer Applications.