RBAC vs ABAC

Most modern systems have some form of authentication and authorization. Authentication refers to figuring out who someone is (think of user login). Authorization refers to figuring out what a user can do within a system. Just because a user can log in does not mean they can do anything inside a system.

In many systems, authorization is pretty basic. Some users can do most things, and a set of users can do everything; think basic user and administrative user.

But that sort of system is a form of Role-Based Access Control, or RBAC. With role you are in defines what access you have.

As systems grow, RBAC can become more granular (and often does). We will end up with data readers, data creators, system administrators, and many more. And by putting a user into a role, resource access will be controlled.

Another approach would be to use Attribute-Based Access Control, or ABAC. With this system, users are assigned attributes that determine what a user can do in the system. Typically with an attribute system, you would end up with many attributes. And the user could be assigned any number of these attributes.

RBAC is probably the mental model many of us already have. We assign a user to some role. This is perhaps a model that is easier to build and live with. ABAC is more complicated, but with that complication does come more control, particularly more granular control.

The more you know…