What is Role-Based Access Control (RBAC)?

The National Institute of Standards and Technology (NIST) created Role-Based Access Control (RBAC) in 1992 and it quickly became the predominant access control method for large enterprises managing more than 500 employees.

RBAC works by allowing administrators to assign access permissions for data to roles. These roles can be assigned to individual users who can have one or several roles, each with different access rights. New roles can be created and assigned to employees when they are required.

However, because large companies now manage many more employees, RBAC has a few limitations.

  • RBAC is limited to defining access permissions by role. This means it applies a sort of “one-size fits-all” solution which can be dangerous because it often results in too much or not enough access.
  • Because users can be assigned multiple roles, it is possible that they contain conflicting data. This allows for loopholes in the permissions.
  • RBAC requires that administrators be extremely attentive to changes of users and roles and ensure that role assignment combinations are current, accurate, and consistent with other roles a user might be assigned.
  • RBAC is also unable to model policies based on contextual details such as location, relationship between users, time, etc. Essentially, RBAC has no way of deciphering the relationships between users and using that information to make policy decisions because it was originally designed to answer just one question: what can a user access based on their assigned role(s)?

Why is ABAC better?

RBAC has only some of the functionality needed to provide safe and secure access control in an evolving environment. Roles are a vital pilar of a successful access control strategy, but those roles need to be extended with attributes and policies courtesy of Attribute-Based Access Control (ABAC).

According to NIST, ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

The Key is Context

NextLabsDynamic Authorization Management was designed to help organizations extend RBAC by using ABAC for fine-grained, context aware access control that can be applied across an organization’s applications, databases, and application programming interfaces.

By adding context, ABAC allows authorization decisions to be made based not only on a user’s role, but also by considering:

  • Who or what that user is related to
  • What that user needs access to
  • Where that user needs access from
  • When that user needs access
  • How that user is accessing the requested information

With Dynamic Authorization in place, loopholes in access security are eliminated.

With NextLabs, the upgrade from RBAC to ABAC can be made. ABAC provides a viable alternative that leverages an existing investment in RBAC, prolonging its use.

For more information on Attribute-Based Access Control and Dynamic organization, visit our whitepaper The Evolution of ABAC to RBAC.and watch our series of ABAC webinars.