The Leading Educational Resource for IT Professionals

Access Control – RBAC & ABAC


There are basically two types of access control: authentication and authorization

Authentication is the act of confirming that a user’s identity for the purpose of granting them access to a protected resource such as a computer network, computer system or sensitive document. The level of authentication must match the sensitivity of the resource being accessed. In a low authentication environment a social login such as a Google ID or Facebook ID is usually sufficient. In a high authentication environment some form of biometric is also usually required.

Authorization, on the other hand, is the act of confirming a person’s entitlement to access a resource, usually a computer program. Authorization can be simple e.g. permit or deny, or complex i.e. grant access to the General Ledger but only during business hours. 

Organizations are increasingly adopting authorization mechanisms because it gives them more fine-grained access control to protected resources, and matches the requirements of modern access control systems. Whereas authentication was quite adequate when we all logged into the corporate network in order to access a computer program, nowadays access is likely to be from a mobile device and a remote location. Authorization is therefore more appropriate because it can accommodate the increased complexity of different devices and multiple connection types.

So – authentication and authorization are like chalk and cheese, they are not simply extensions of each other, and this leads us into the discussion of RBAC and ABAC

RBAC and ABAC are two different things with very limited intersection. Role-based access control is often associated with authentication in that a person’s role will determine their access permission to protected resources. A role in this instance might be their position in the company or it might mean an AD group whose members have access to, or are authenticated, to one or more systems or applications in the company. RBAC is a tried and true mechanism that can significantly improve access control within an organisation and increase efficiencies.

ABAC on the other hand relies on the evaluation of identity and context variables against pre-determined policies. For instance, the Accounts Payable Clerk may only be able to access the accounts payable ledger when connecting from an on premise device during business hours.

For ABAC to work there are a few pre-requisites:

  • a mature identity management environment is required that collects, and make available, the necessary attributes so that appropriate access control decisions can be made.
  • Relying applications need to be able to implement access control decisions made by the decision point. This means that internal access control logic in legacy applications is replaced with enforcement point code to implement the decisions coning from the decision point.
  • A central policy administration service is required that can establish, monitor and maintain the access control rules for the relying applications.

ABAC systems typically support authorization systems where fine-grained control to protected resources is required. Benefits are: the ability to centrally manage access control policy i.e. there’s no disparity between access granted to applications across the organisation, and the real-time nature of access decisions i.e. as soon as a particular attribute value changes, access control decisions based on that attribute will change.

Access Control is the reason for managing identities. It’s important that the identity management environment within an organisation supports the access control mechanism(s) being used. A strategic plan to ensure the IAM infrastructure development aligns with its access control requirements is recommended. The strategy should also incorporate authorization – it’s the future. Access control decisions should be externalised i.e. applications with internal access control logic should no longer be acquired or developed, and protocols such as XACML should be mandated.

This series of blogs looks at the major components of identity and access management to encourage discussion and raise awareness.

Graham Williamson is the author of “Identity Management: A Business Perspective”.

Also in MC Press Articles

Customer (Citizen) Identity and Access Management


As a major trend in the IDM sector, consumerization has become easier and exponentially more important. Digital transformation will literally put a significant segment of the SME market out of business and propel a significant number of SMEs to new levels of prosperity.

Continue Reading →

Federated Authentication – there is no Plan B


Federated authentication is essential for businesses. It's the only way to effectively manage external access to business systems and it's absolutely necessary in order to manage authentication to SaaS apps. if you don't want to expose your identity records to potential compromise.

Continue Reading →

Identity Management Provisioning and Workflow – A core competence


Identity provisioning, with an approval workflow, is a core competence for CIOs yet many struggle with a confusing array of tasks that form the provisioning process within their organisations.

Continue Reading →