The main difference between RBAC and ABAC is that RBAC (Role Based Access Control) grants access rights according to the roles assigned to a user, while ABAC (Attribute Based Access Control) grants access rights by evaluating attributes of the user, the resource, and the environment.
Systems protect data with several mechanisms. First, users are authenticated: the system verifies that a user is who they claim to be before letting them in. After authentication comes authorization, the process of granting or limiting permission to access resources. Access control is the mechanism that enforces authorization, and RBAC and ABAC are two access control models. In RBAC, permissions are not granted to users directly; they are attached to roles, and users receive permissions through the roles they are assigned. ABAC, on the other hand, evaluates attributes of the user, the resource, and the environment to decide whether to grant access.
Key Areas Covered
1. What is RBAC
– Definition, Functionality
2. What is ABAC
– Definition, Functionality
3. Difference Between RBAC and ABAC
– Comparison of Key Differences
Key Terms
ABAC, RBAC, Security
What is RBAC
RBAC stands for Role Based Access Control. In this model, access to a resource is determined by the role of the user: permissions are attached to roles, and administrators of the organization assign roles to users. For example, one set of users may hold a role that permits reading files, while another set holds a role that also permits writing them.
For example, a project manager will have access to all files of a project. The development team will have access to the programming files, and the quality assurance team to the testing files. The human resource manager will have access to employee details, salary files, etc. In each case the right to access a file follows from the role of the user, and a single user may hold multiple roles. The main advantage of RBAC is that the policy does not need to change when a person holding a role leaves the organization: the role and its permissions stay, and only that user's role assignment is removed. Likewise, a new employee gets access simply by being assigned the appropriate role. The trade-off is that every distinct combination of permissions needs its own role, so a large organization can end up maintaining a very large number of roles.
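As an added example (not code from the original article), here is a small Python engine that implements the role model described above: permissions hang off roles, users are assigned roles, and a request is checked by walking that chain with a default of deny. The role names, users, and resource paths are constructed sample data, and the use of shell-style glob patterns for resources is an assumption of this example.

```python
import fnmatch


class RbacEngine:
    """Minimal role-based access control: permissions are bound to roles,
    users are bound to roles, and a request is checked by walking that chain."""

    def __init__(self, role_permissions, user_roles):
        # role -> set of (action, resource pattern); user -> set of roles
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {u: set(r) for u, r in user_roles.items()}

    def permissions_for(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_allowed(self, user, action, resource):
        """Default deny: grant only if some role carries a matching permission.
        Resource patterns use shell-style globbing (an assumption of this
        example), so 'project/*' covers every resource under project/."""
        return any(
            action == perm_action and fnmatch.fnmatchcase(resource, pattern)
            for perm_action, pattern in self.permissions_for(user)
        )

    def assign(self, user, *roles):
        """Onboarding: give a new or existing user one or more roles."""
        self.user_roles.setdefault(user, set()).update(roles)

    def remove_user(self, user):
        """Offboarding: drop the user's role assignments. The roles and their
        permissions are untouched, which is the advantage described in the text."""
        self.user_roles.pop(user, None)


def build_example():
    """Constructed sample data mirroring the roles named in the text."""
    role_permissions = {
        "project_manager": {("read", "project/*"), ("write", "project/*")},
        "developer": {("read", "project/src/*"), ("write", "project/src/*")},
        "qa": {("read", "project/src/*"), ("read", "project/tests/*"),
               ("write", "project/tests/*")},
        "hr_manager": {("read", "hr/employees"), ("read", "hr/salaries"),
                       ("write", "hr/salaries")},
    }
    user_roles = {
        "alice": {"project_manager"},
        "bob": {"developer", "qa"},  # one user holding several roles
        "carol": {"hr_manager"},
    }
    return RbacEngine(role_permissions, user_roles)


if __name__ == "__main__":
    rbac = build_example()
    print(rbac.is_allowed("bob", "write", "project/tests/login_test.py"))   # True, via qa
    print(rbac.is_allowed("bob", "read", "hr/salaries"))                    # False
    rbac.remove_user("alice")            # alice leaves; project_manager role is unchanged
    rbac.assign("dave", "project_manager")
    print(rbac.is_allowed("dave", "write", "project/tests/login_test.py"))  # True
```

Note that `remove_user` and `assign` only touch the user-to-role table; `role_permissions` is never edited during onboarding or offboarding, which is exactly the property the paragraph above describes.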
What is ABAC
ABAC stands for Attribute Based Access Control. In this model, access to a resource is determined by a policy that evaluates several attributes together: user attributes (subject attributes), resource attributes (object attributes), and environment attributes. Attributes are characteristics of the users, the resources, and the environment in which access is requested.
Examples of user attributes are ID, name, organization, role, security clearance, and nationality. Resource attributes include name, owner, and creation date. Examples of environment attributes are the location of access, the time of access, and the current threat level. Because a policy can combine these attributes, a single rule such as "a user may read a document only if their clearance covers its classification and the request comes from a trusted location" replaces what would otherwise be many separate roles. This lets organizations simplify access management, reduce the risk of unauthorized access, and centralize auditing of access decisions. The trade-off is that answering "who can access this resource?" requires evaluating the policy against every subject's attributes rather than reading a role list.
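As an added example (not from the original article), the following Python policy engine evaluates a request against subject, resource, and environment attributes of the kinds listed above. The rule set, attribute names, and sample values are constructed for the illustration. The deny-overrides ordering (a matching deny rule wins over any permit rule, and a request that matches nothing is denied) is a common convention but is an assumption of this example, not something the article specifies.

```python
from datetime import datetime

# Constructed ordering of clearance/classification levels.
CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def dominates(clearance, classification):
    """True if a subject's clearance is at least the resource's classification."""
    return CLEARANCE_RANK[clearance] >= CLEARANCE_RANK[classification]


def business_hours(when):
    """Environment attribute check: Monday to Friday, 09:00 to 17:59."""
    return when.weekday() < 5 and 9 <= when.hour < 18


# Each rule is (name, predicate over subject, action, resource, environment).
PERMIT_RULES = [
    ("owner may do anything with own resource",
     lambda s, a, r, e: s["id"] == r["owner"]),
    ("same department may read internal data at the office in business hours",
     lambda s, a, r, e: a == "read"
         and s["department"] == r["department"]
         and r["classification"] in ("public", "internal")
         and e["location"] == "office" and business_hours(e["time"])),
    ("sufficient clearance may read from a trusted location",
     lambda s, a, r, e: a == "read"
         and dominates(s["clearance"], r["classification"])
         and e["location"] in ("office", "vpn")),
]
DENY_RULES = [
    ("all access blocked while threat level is high",
     lambda s, a, r, e: e["threat_level"] == "high"),
]


def decide(subject, action, resource, env):
    """Deny-overrides evaluation (an assumption of this example): any matching
    deny rule wins, then the first matching permit rule grants, else deny."""
    for name, cond in DENY_RULES:
        if cond(subject, action, resource, env):
            return "deny", name
    for name, cond in PERMIT_RULES:
        if cond(subject, action, resource, env):
            return "permit", name
    return "deny", "no permit rule matched"


# Constructed sample attributes (subjects, resources, environments).
ALICE = {"id": "alice", "department": "engineering", "clearance": "confidential"}
DAVE = {"id": "dave", "department": "engineering", "clearance": "internal"}
BOB = {"id": "bob", "department": "engineering", "clearance": "secret"}
DESIGN_DOC = {"name": "design.md", "owner": "bob", "department": "engineering",
              "classification": "confidential"}
WIKI = {"name": "wiki.md", "owner": "bob", "department": "engineering",
        "classification": "internal"}


def env(location, when, threat_level="normal"):
    return {"location": location, "time": when, "threat_level": threat_level}


OFFICE_HOURS = datetime(2024, 3, 4, 10, 30)  # a Monday morning
NIGHT = datetime(2024, 3, 4, 2, 15)


if __name__ == "__main__":
    # Same subject, same resource, different environment: permit, then deny.
    print(decide(DAVE, "read", WIKI, env("office", OFFICE_HOURS)))
    print(decide(DAVE, "read", WIKI, env("public_wifi", NIGHT)))
    # Environment attribute overriding even the owner.
    print(decide(BOB, "write", DESIGN_DOC, env("office", OFFICE_HOURS, "high")))
```

The point to notice is that nothing in the policy names a person or a role: changing Dave's clearance attribute, the document's classification, or the threat level changes the decision without touching the rules. That is the flexibility ABAC offers, and also why auditing "who can read design.md" means running the policy over every subject rather than reading a list.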
Difference Between RBAC and ABAC
Definition
RBAC is an access control model that grants access rights according to the roles assigned to a user. ABAC is an access control model that grants access rights by evaluating a combination of attributes together.
Full Name
RBAC stands for Role Based Access Control and ABAC stands for Attribute Based Access Control.
Granting Access
RBAC grants access rights according to the user's role, while ABAC grants access rights by evaluating user, resource, and environment attributes.
Conclusion
RBAC and ABAC are two access control models. The main difference between RBAC and ABAC is that RBAC grants access rights according to the roles assigned to a user, while ABAC grants access rights by evaluating user, resource, and environment attributes.