Since the mid-1990s, role-based access control (RBAC) has been the de facto standard for managing access to business-critical data, especially data stored in massive enterprise resource planning (ERP) applications. Sensitive HR, financial, and planning data, such as social security numbers, payroll numbers, and inventory forecasts, is managed within these ERP applications.
Attribute-based access control (ABAC) has emerged as the successor to RBAC because it is better equipped to deal with the complexities of today’s IT landscape. In a recent article, Deloitte suggested businesses move towards defining permissions more granularly and dynamically with the help of ABAC, rather than relying on RBAC’s static pre-defined roles assigned to users. Backing ABAC is dynamic authorization, where authorization and access rights to your organization’s network, applications, data, or other sensitive assets are granted dynamically in real time based on attributes.
These attributes can be derived from user, data, and environment metadata. For example, policies can incorporate attributes such as citizenship, department, geographic location, device type, file type, and the action being performed (e.g. uploads, downloads, edits, etc.). This provides flexibility in controlling access to sensitive data, especially given the distributed nature of today’s business.
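
The attribute-driven decision described above, sketched as an added example (not from the original article or any product): a small policy decision point that evaluates user, data, and environment attributes plus the action at request time. The policy names, attribute keys, and values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    user: dict    # subject attributes (department, citizenship, ...)
    data: dict    # resource attributes (classification, file_type, ...)
    env: dict     # environment attributes (location, device_type, ...)
    action: str   # upload, download, edit, view

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                            # "permit" or "deny"
    condition: Callable[[Request], bool]

# Constructed policies; names, attribute keys and values are illustrative assumptions.
POLICIES = [
    Policy("hr-payroll-managed-device", "permit", lambda r:
           r.data["classification"] == "payroll"
           and r.user["department"] == "HR"
           and r.env["device_type"] == "managed"
           and r.action in {"view", "edit", "download"}),
    Policy("no-payroll-download-abroad", "deny", lambda r:
           r.data["classification"] == "payroll"
           and r.action == "download"
           and r.env["location"] != "US"),
]

def decide(req: Request) -> str:
    """Deny overrides permit; no matching permit means deny; a missing attribute fails closed."""
    permitted = False
    for policy in POLICIES:
        try:
            matched = policy.condition(req)
        except KeyError:
            return "deny"  # attribute absent, so the policy cannot be evaluated
        if matched and policy.effect == "deny":
            return "deny"
        permitted = permitted or (matched and policy.effect == "permit")
    return "permit" if permitted else "deny"

def hr_request(action: str, location: str, device_type: str) -> Request:
    """Constructed sample: the same HR user and payroll file in different contexts."""
    return Request(user={"department": "HR"},
                   data={"classification": "payroll", "file_type": "xlsx"},
                   env={"location": location, "device_type": device_type},
                   action=action)

if __name__ == "__main__":
    for ctx in [("download", "US", "managed"), ("download", "DE", "managed"),
                ("view", "DE", "managed"), ("view", "US", "personal")]:
        print(ctx, "->", decide(hr_request(*ctx)))
```

A static HR role would return the same answer in all four contexts; here the decision changes with location, device type, and action.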