Attribute-Based Access Control (ABAC) is a fine-grained access control model in which access rights are granted to users through policies that evaluate assigned attributes. Attributes are descriptions of users, objects, and environmental factors that are combined into policies that apply access limitations to a network, its data and its files.
ABAC is a scalable approach that allows complex rules to be applied, with each access request evaluated in real time at the moment it is made.
ABAC was created to meet the growing demands of an ever-changing environment, particularly with the growth in cloud computing. Dynamic and expressive, Attribute-Based Access Control reduces risk exposure through descriptive policies that ensure access to sensitive information is given only to those who should be granted it.
The Difference Between ABAC and RBAC
Role-Based Access Control (RBAC) is the current industry-standard access control model. RBAC is limited by its coarse-grained approach, in which access is defined only by job title and its function. Access rights are fixed per user and don’t allow for temporary access or reassignment of roles, and any change to a role affects every user who holds it.
Attribute-Based Access Control offers a more fine-grained approach than Role-Based Access Control. Attributes can be adapted in real time as needed, allowing for tighter access controls on restricted data.
How Should Attributes Be Defined and Implemented?
Identify the relevant attributes for your enterprise. Attributes from three categories, describing users, objects, and the environment, work together to provide access control constraints.
User attributes describe the people requesting access, such as job title, security clearance level, and department.
Object attributes describe what the user wants to access, for example network data, files, and documents.
Environmental attributes describe when and from where access is being requested, such as the time of day, the location, and the device being used. Combinations of these attributes are applied through policies to establish the framework for an enterprise’s digital landscape, determining whether or not access will be granted to the requested resources.
Set up proper roles to match those attributes. Role-Based Access Control and Attribute-Based Access Control are stronger together. Roles are better at describing a user’s job function and should be used in addition to the user’s attributes. Roles and attributes working together result in highly descriptive and contextual policies.
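The following is an added example, not code from the original page or from PlainID, showing in Python how user, object and environmental attributes, combined with roles, are evaluated by policies to reach an access decision. The attribute names, the four policies and the sample request values are all constructed for illustration, and the deny-overrides rule used to resolve conflicting policies is an assumption about how an evaluator combines them; every decision also reports which policy produced it, which is what an audit log needs.

```python
"""Minimal ABAC evaluator: policies over user (subject), object (resource)
and environment attributes, with roles carried as a subject attribute.
Added example; attribute names, policies and sample values are constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class Request:
    subject: Attrs      # user attributes: roles, department, clearance
    resource: Attrs     # object attributes: type, classification, owning department
    environment: Attrs  # time of day, country, whether the device is managed


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                           # "permit" or "deny"
    applies: Callable[[Request], bool]    # attribute condition for this policy


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, str]:
    """Deny-overrides combining (assumed): an applicable deny wins outright;
    otherwise the first applicable permit wins; no match is a default deny.
    Returns (decision, name of the policy that decided)."""
    decision = ("deny", "default")
    for policy in policies:
        if not policy.applies(req):
            continue
        if policy.effect == "deny":
            return ("deny", policy.name)
        if decision[0] != "permit":
            decision = ("permit", policy.name)
    return decision


BUSINESS_HOURS = (time(8, 0), time(18, 0))


def _in_business_hours(env: Attrs) -> bool:
    # A request with no time attribute is treated as outside business hours.
    t = env.get("time")
    return t is not None and BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]


# Constructed policies: one permit that combines a role with user and object
# attributes, and three denies driven by object and environment attributes.
POLICIES = [
    Policy("finance-analysts-read-own-dept-reports", "permit",
           lambda r: "finance-analyst" in r.subject.get("roles", ())
           and r.resource.get("type") == "financial-report"
           and r.resource.get("department") == r.subject.get("department")),
    Policy("confidential-needs-managed-device", "deny",
           lambda r: r.resource.get("classification") == "confidential"
           and not r.environment.get("managed_device", False)),
    Policy("confidential-business-hours-only", "deny",
           lambda r: r.resource.get("classification") == "confidential"
           and not _in_business_hours(r.environment)),
    Policy("approved-countries-only", "deny",
           lambda r: r.environment.get("country") not in ("US", "GB")),
]


def decide(subject: Attrs, resource: Attrs, environment: Attrs) -> Tuple[str, str]:
    """Evaluate one access request against the constructed policy set."""
    return evaluate(POLICIES, Request(subject, resource, environment))


# Constructed sample request: a finance analyst reading a confidential
# finance report from a managed device in an approved country at 10:30.
ANALYST = {"roles": ["finance-analyst"], "department": "finance", "clearance": 2}
REPORT = {"type": "financial-report", "classification": "confidential",
          "department": "finance"}
SAMPLE_ENV = {"time": time(10, 30), "country": "US", "managed_device": True}

if __name__ == "__main__":
    print(decide(ANALYST, REPORT, SAMPLE_ENV))
    print(decide(ANALYST, REPORT, dict(SAMPLE_ENV, managed_device=False)))
    print(decide(dict(ANALYST, department="engineering"), REPORT, SAMPLE_ENV))
```

Changing a single environmental attribute (an unmanaged device, a request after hours, an unapproved country) flips the same user's decision to deny without touching their role, which is the real-time adaptability the text describes; a user whose role or department does not satisfy the permit policy is denied by default because nothing granted access, not because a deny matched.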
Common Attribute-Based Access Control Issues
XACML is complex. Policies cannot be written in plain language and instead must be written in the eXtensible Access Control Markup Language (XACML). An old standard, XACML can be extremely complicated to understand and maintain. Coding the complex policies is time-consuming and fraught with difficulties, including limited visibility into the policy set and into the impact a rule change may have on other policies.
Policies can’t be defined without a developer. Even though a business owner might be in charge of setting policies, a skilled IT team is needed for implementation and maintenance. This process is inefficient, expensive, and time-consuming, and introducing policies as envisioned depends on good communication between the business owner and the IT team.
Policy-Based Access Control (PBAC) is able to combine both roles and attributes to create flexible, scalable and expressive policies. PlainID’s easy-to-use interface returns control and visibility to management, who can oversee the decision-making process to meet their access control business needs. No previous IT expertise is required to implement policies or introduce changes to them in real time. The automated process reduces human error and in turn lowers risk, meeting compliance and governance requirements.