16: Attribute-Based Access Control Explained: How ABAC Works and When to Use It Over RBAC
Audio Cast:
Takeaway Points:
ABAC stands for attribute based access control
Often seen as a successor to RBAC but is often used in conjunction with
Seen as a more agile and flexible way to handle the permissions for users - for both employee and customer identity
When it comes to authorization we need to think about subjects performing actions against objects
The abstraction between the three is complex and will take many forms
The failings of RBAC often resulted in role explosion (too many roles to manage) and also access that was too coarse grained
ABAC is often associated with fine grained access (FGA) - where permissions can be modelled against very specific items or tasks - perhaps buttons on web page, rows in a database, or columns within a row within a database.
We often see RBAC and ABAC being used in parallel - with RBAC perhaps being used to give high level access to a web page for example and ABAC being used to handle more contextual, dynamic and runtime permissions
So what attributes are being used? Attributes can typically fall into two camps - static and dynamic
An example of a static attribute (one that typically persists in a directory or database and changes less frequently) could be location, job grade or code (for B2E identities) or perhaps accepted terms and conditions, a subscription level or other preferences (in a B2C setting)
An example of a more dynamic attribute (one that is volatile and changes per session or during runtime) could be something device related, location, previous events, threat level, risk level and so on.
Other ways attributes would be leveraged could details with respect to the object being accessed and under what actions - again different combinations here can allow for fine grained responses.
For example Simon can write to a document if the document.owner is Simon’s manager; otherwise he can read the document.
The enforcement of such complex decisions, requires a baseline set of rules, as well as access to static and dynamic attribute data to make fine grained and runtime decisions
Not all access control systems will require such detail and the management of rule sets and attribute data handling can be complex


