
RBAC vs ABAC

Rowan Udell
November 11, 2024

Role-based access control (RBAC) and Attribute-based access control (ABAC) are the two main access control strategies available to secure cloud-based resources.

Role-based access control (RBAC) is an authorization model where identities in a system are given one or more roles that allow them to perform a specific business activity. Users of the system activate or assume specific roles to access permissions. Like putting on a hat for a particular occasion, roles can be changed, but only one role is active at a time.

Attribute-based access control (ABAC) determines authorization permissions based on an identity's attributes. These attributes are independent of the task at hand, meaning they carry the same level of access regardless of activity. This approach is subtly different to RBAC because it grants privileges based on the identity’s traits, rather than their activity.

Considerations

The right choice between RBAC and ABAC needs to take into account the requirements of the business organization, and its priorities. To effectively compare these approaches, consider the following strengths and weaknesses when making a decision:

Granularity

Roles created as part of an RBAC approach, while limited to specific business tasks, must be defined in advance. This can be a limiting factor for the users of those roles if they are not crafted correctly for the desired use-cases. Since ABAC permissions are determined by the attributes of an identity, and not its role, the maximum level of granularity can be achieved with an ABAC approach. Multiple attributes, and the access they grant, can be easily combined in an ABAC setup, giving it a much higher degree of control.

Winner: ABAC

If granularity is important to you, then ABAC is the most granular access control approach.

Scalability

Anyone working in a large organization will already know just how complicated the various business requirements can become. Meeting these requirements using many roles can become challenging, since the combination of requirements becomes too much to define, implement, and manage over time. Attributes come with a base level of complexity, but this doesn’t scale up as the size of an organization grows, making ABAC ideal for larger organizations.

Winner: ABAC

If scalability is the limiting factor in your organization, then ABAC will allow you to scale further than RBAC.

Flexibility

There is a big difference between ABAC and RBAC when it comes to how changes are applied. An attribute-based approach has the ability to add new access patterns, and change existing patterns, without requiring a change to the identities involved. Contrast this with role-based access, where existing roles must be updated to grant new permissions, which can be a challenge with many roles.

Winner: ABAC

If flexibility is the priority in your systems, then ABAC will allow your identities the most varied levels of access, for less administrative overhead.

Implementation

RBAC’s up-front definition means it is easier to understand and implement as an approach. This is especially valuable for smaller organizations, who are unlikely to have a dedicated team to manage access management. ABAC’s setup requires front-loading a lot of the work, which is a challenge; but also one that can pay dividends in larger, more complex environments.

Winner: RBAC

If you place value on the speed and ease of implementation, then RBAC should be your first choice.

Maintenance

Even though roles are a more limited approach compared to attributes, this enforced simplicity makes them easier to maintain, assuming the approach is meeting the business requirements. An attribute-based system assumes that the attributes on identities are correct and up-to-date, and requires active maintenance to ensure the integrity of the approach.

Winner: RBAC

If maintenance is a concern for you and your team, then RBAC will be a better choice, as its simplicity and clear definition will make the ongoing effort easier.

Least Privilege

Least privilege should be the goal of any access management system, and both RBAC and ABAC can achieve this. The key to least privilege is to be clear about what “least” means for the systems and identities involved, and craft access — regardless of strategy — to meet that definition.

Winner: Draw

While ABAC is able to achieve a more fine-grained level of access management, the challenges with actually achieving it mean it’s not a clear win over RBAC.

Auditing & Compliance

Choosing a role is a valuable audit event that captures the intent of users of the system. ABAC lacks the step of choosing and activating a role, so it must be audited at an identity level. The tooling required to review these activities, especially in a system with a lot of activity, as most ABAC systems will be, is an engineering challenge in itself!

Winner: RBAC

If auditing and compliance are your concern, then RBAC has a slight advantage over ABAC, due to the additional role activation process. The ABAC approach has more of an “always on” approach to permissions, which reduces the amount of signal available to measure.
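The flexibility and auditing trade-offs described above, as an added example that is not from the original post: a toy RBAC session with role activation beside a single ABAC rule. The role names, resource types and the team/level attributes are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: role names, resource types and attribute keys are illustrative.
ROLES = {
    "billing-admin": {("invoices", "read"), ("invoices", "write")},
    "support": {("tickets", "read"), ("tickets", "write")},
}

@dataclass
class RbacSession:
    user: str
    granted_roles: frozenset
    active_role: str = ""                      # one active role at a time
    audit_log: list = field(default_factory=list)

    def activate(self, role):
        ok = role in self.granted_roles
        # Role activation is itself the audit event that records intent.
        self.audit_log.append((self.user, "activate" if ok else "activate-denied", role))
        if not ok:
            raise PermissionError(f"{self.user} is not granted {role}")
        self.active_role = role

    def allowed(self, resource_type, action):
        return (resource_type, action) in ROLES.get(self.active_role, set())

def abac_allowed(identity, resource, action):
    """One rule over attributes: same team; writes also need level 'senior'."""
    if identity.get("team") is None or identity.get("team") != resource.get("team"):
        return False                            # missing attributes fail closed
    return action == "read" or identity.get("level") == "senior"

def demo():
    s = RbacSession("alice", frozenset({"support", "billing-admin"}))
    s.activate("support")
    out = {"support_reads_invoices": s.allowed("invoices", "read")}
    s.activate("billing-admin")
    out["billing_reads_invoices"] = s.allowed("invoices", "read")
    # A new resource type appears: no role mentions it, so RBAC denies until ROLES is edited.
    out["rbac_new_type"] = s.allowed("reports", "read")
    # ABAC: the new resource only needs correct attributes; identities and rule are unchanged.
    alice = {"team": "finance", "level": "junior"}
    report = {"type": "reports", "team": "finance"}
    out["abac_new_type_read"] = abac_allowed(alice, report, "read")
    out["abac_new_type_write"] = abac_allowed(alice, report, "write")
    out["audit"] = [(event, role) for _, event, role in s.audit_log]
    return out

if __name__ == "__main__":
    print(demo())
```

The RBAC audit log records each role switch, while the ABAC decisions leave no such intent marker and depend entirely on the attribute values being correct.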

How to Choose

In a head-to-head comparison, attribute-based access control is a more capable and scalable approach to access management, but this capability comes at a high cost. ABAC’s benefits will be felt in large, dynamic environments, with complex requirements that cross the organization, and need to be aware of the context at hand.

RBAC is a simpler approach, which makes it easier to implement, maintain, and monitor. It works best for organizations that have clearly defined roles and hierarchies that don’t often change.

Characteristic         RBAC             ABAC
Organization Size      Small to Medium  Large
Implementation Effort  Low              High
Access Flexibility     Limited          High
Scalability            Medium           High

Hybrid Approach

A hybrid approach gives the best combination of capability for the cost of implementation and maintenance. While you should compare and contrast the two approaches for your requirements, know that it is possible to mix the two for a combined approach. A mixed access management system will not necessarily be simple, but it may be the best way to meet your complex requirements.

The best approach for most organizations will be to start with RBAC, and evolve and mature into ABAC over time as they build their maturity, capability, and understanding of the right access levels for their teams and business requirements.

Rowan Udell
IAM Expert