Types of access control
You can use two broadly defined models to implement access control: role-based access control (RBAC) and attribute-based access control (ABAC). Each model has advantages and disadvantages, which are briefly discussed in this section. The model you should use depends on your specific use case. The architecture discussed in this guide supports both models.
RBAC
Role-based access control (RBAC) determines access to resources based on a role that usually aligns with business logic. Permissions are associated with the role as appropriate. For instance, a marketing role would authorize a user to perform marketing activities within a restricted system. This is a relatively simple access control model to implement because it aligns well with easily recognizable business logic.
The RBAC model is less effective when:
- You have unique users whose responsibilities encompass several roles.
- You have complex business logic that makes roles difficult to define.
- Scaling up to a large size requires constant administration and mapping of permissions to new and existing roles.
- Authorizations are based on dynamic parameters.
ABAC
Attribute-based access control (ABAC) determines access to resources based on attributes. Attributes can be associated with a user, resource, environment, or even application state. Your policies or rules reference attributes and can use basic Boolean logic to determine whether a user is permitted to perform an action. Here's a basic example of permissions:
In the payments system, all users in the Finance department are allowed to process payments at the API endpoint /payments during business hours.
Membership in the Finance department is a user attribute that determines access to /payments. There is also a resource attribute associated with the /payments API endpoint that permits access only during business hours. In ABAC, whether or not a user can process a payment is determined by a policy that includes the Finance department membership as a user attribute, and the time as a resource attribute of /payments.
The ABAC model is very flexible in allowing dynamic, contextual, and granular authorization decisions. However, the ABAC model is difficult to implement initially. Defining rules and policies, and enumerating attributes for all relevant access vectors, requires a significant upfront investment.
RBAC-ABAC hybrid approach
Combining RBAC and ABAC can provide some of the advantages of both models. RBAC, being aligned so closely to business logic, is simpler to implement than ABAC. To provide an additional layer of granularity when making authorization decisions, you can combine ABAC with RBAC. This hybrid approach determines access by combining a user's role (and its assigned permissions) with additional attributes to make access decisions. Using both models enables simple administration and assignment of permissions while also permitting increased flexibility and granularity pertaining to authorization decisions.
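The Finance department policy for /payments described above, and the hybrid approach from this section, as an added example that is not part of the guide. It assumes a constructed role table, a constructed resource attribute table, and a deny-by-default decision; the RBAC layer answers "does a role grant the permission?" and the ABAC layer answers "do the user's department and the current time satisfy the resource's attributes?".

```python
from dataclasses import dataclass
from datetime import datetime

# RBAC layer: role -> permissions. Constructed for this example.
ROLE_PERMISSIONS = {
    "finance_analyst": {"payments:read", "payments:process"},
    "marketing": {"campaigns:read", "campaigns:write"},
}

# ABAC layer: resource attributes. /payments requires the Finance department
# and is only usable during business hours (09:00-17:00, Monday to Friday).
RESOURCE_ATTRIBUTES = {
    "/payments": {"required_department": "Finance", "business_hours": (9, 17)},
}


@dataclass
class User:
    name: str
    roles: set            # RBAC: roles assigned to the user
    department: str       # ABAC: a user attribute


def rbac_allows(user: User, permission: str) -> bool:
    """True if any of the user's roles grants the requested permission."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def abac_allows(user: User, resource: str, now: datetime) -> bool:
    """True if the user attribute (department) and the resource attribute
    (business-hours window) are both satisfied. Unknown resources are denied."""
    attrs = RESOURCE_ATTRIBUTES.get(resource)
    if attrs is None:
        return False
    start_hour, end_hour = attrs["business_hours"]
    in_business_hours = now.weekday() < 5 and start_hour <= now.hour < end_hour
    return user.department == attrs["required_department"] and in_business_hours


def hybrid_allows(user: User, permission: str, resource: str, now: datetime) -> bool:
    """Hybrid decision: the role must grant the permission AND the attribute
    policy must hold. Either layer failing denies the request."""
    return rbac_allows(user, permission) and abac_allows(user, resource, now)


if __name__ == "__main__":
    alice = User("alice", {"finance_analyst"}, "Finance")
    tuesday_10am = datetime(2024, 6, 4, 10, 0)
    print(hybrid_allows(alice, "payments:process", "/payments", tuesday_10am))
```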
Access control model comparison
The following table compares the three access control models discussed previously. This comparison is meant to be informative and high-level; how a model performs in a specific situation might not match the ratings in this table.
| Factor | RBAC | ABAC | Hybrid |
| --- | --- | --- | --- |
| Flexibility | Medium | High | High |
| Simplicity | High | Low | Medium |
| Granularity | Low | High | Medium |
| Dynamic decisions and rules | No | Yes | Yes |
| Context-aware | No | Yes | Somewhat |
| Implementation effort | Low | High | Medium |