Skip to main content

Request SaaS Deployment

Contact Sales

Access Management

Role-based Access Control vs Attribute-based Access Control: Which to Choose


Access management is a fundamental element of your organization’s security infrastructure. With numerous approaches to implementing an access management system, selecting the most suitable one for your organization may be daunting.

In this article, we analyze the two most popular access control models: role-based and attribute-based. We delve into what RBAC and ABAC are, review the pros and cons of each model, compare them, and check if it’s possible to combine them.

What is role-based access control (RBAC)?

Role-based access control (RBAC) is an access control method based on defining employees’ roles and corresponding privileges within the organization. The idea of this model is that every employee is assigned a role. In turn, every role has a collection of access permissions and restrictions. An employee can access objects and execute operations only if their role in the system has relevant permissions.

For example, a company’s accountant should be allowed to work with financial information but shouldn’t have access to clients’ contact information or credit card data.

When a new employee comes to your company, it’s easy to assign a role to them. And when someone leaves the company, you don’t need to change the role parameters or a central policy, as you can simply revoke the user’s role.

Defining a role can be quite challenging, however. You have to consider all the permissions a user needs to perform their duties and the position of this role in your hierarchy. Assigning too many permissions to a single role can break the principle of least privilege and may lead to privilege creep and misuse.

Once all the necessary roles are set up, role-based access control doesn’t require constant maintenance from the IT department. Implementing RBAC can help you meet IT security requirements without much pain.

However, creating a complex role system for a large enterprise may be challenging. An organization with thousands of employees can end up with a few thousand roles. This is known as role explosion, and it’s unavoidable for a big company.

Request access to Ekran System’s online demo!

See how Ekran System can help you secure access management.

How does RBAC work?

Let’s consider the main components of the role-based approach to access control:

  • User – an individual with a unique identifier (UID) that has access to a system
  • Role – a named job function (indicates the level of authority)
  • Permission – equivalent to access rights
  • Session – a period of working time during which a user utilizes permissions of the roles assigned to them
  • Object – a system resource that requires permission to access
  • Operation – any action in the protected network

The basic rules of RBAC are:

  • All user activities are carried out through operations.
  • A user can execute an operation only if the user has been assigned a role that allows them to do so.
  • Identification and authentication are not considered operations.
RBAC model

Types of RBAC Models

RBAC can be implemented on four levels according to the NIST RBAC model. Each subsequent level includes the properties of the previous. Let’s take a look at them:

1. Flat RBAC is an implementation of the basic functionality of the RBAC model. All users and permissions are assigned to roles. Users obtain the permissions they need by acquiring these roles. There may be as many roles and permissions as the company needs. A single user can be assigned to multiple roles, and one role can be assigned to multiple users.

Flat RBAC model

2. Hierarchical RBAC, as the name suggests, implements a hierarchy within the role structure. This hierarchy establishes the relationships between roles. Users with senior roles also acquire the permissions of all junior roles that are assigned to their subordinates. The complexity of the hierarchy is defined by the company’s needs.

Hierarchical RBAC model

3. Constrained RBAC adds separation of duties (SOD) to a security system. SOD is a well-known security practice where a single duty is spread among several employees. It’s quite important for medium-sized businesses and large enterprises. Separation of duties guarantees that no employee can introduce fraudulent changes to your system that no one else can audit and/or fix.

Constrained RBAC

4. Symmetric RBAC supports permission-role review as well as user-role review. It allows security administrators to identify permissions assigned to existing roles (and vice versa). For example, by identifying roles of a terminated employee during the user access review procedure, an administrator can revoke the employee’s permissions and then reassign the roles to another user with the same or a different set of permissions.

Symmetric RBAC

Role-based access control is most commonly implemented in small and medium-sized companies. Such organizations typically have simple workflows, a limited number of roles, and a pretty simple hierarchy, making it possible to determine and describe user roles effectively.

Privileged Access Management with Ekran System

What is attribute-based access control (ABAC)?

Attribute-based access control (ABAC) evolved from RBAC and suggests establishing a set of attributes for any element of your system. A central policy defines which combinations of user and object attributes are required to perform any action.

Once you’ve created policies for the most common job positions and resources in your company, you can simply copy them for every new user and resource.

This is similar to how a role works in the RBAC model. But in the ABAC model, attributes can be modified for the needs of a particular user without creating a new role. Attributes make ABAC a more granular access control model than RBAC.

Let’s consider the main components of the ABAC model according to NIST:

  • Attribute – a characteristic of any element in the network. An attribute can define:
    • User characteristics – employee position, department, IP address, clearance level, etc.
    • Object characteristics – type, creator, sensitivity, required clearance level, etc.
    • Type of action – read, write, edit, copy, paste, etc.
    • Environment characteristics – time, day of the week, location, etc.
  • Subject – any user or resource that can perform actions in the network; a subject is assigned attributes in order to define its clearance level
  • Object – any data stored in the network; objects are assigned attributes in order to describe and identify them
  • Operation – any action taken by any subject in the network
  • Policy – a set of rules allowing or restricting any action in your information retrieval system; rules are IF/THEN statements based on attributes of any element (user, resource, environment)
Attribute-based access control implementation

This approach is suitable for companies of any size but is mainly used in large organizations. ABAC requires more effort to configure and deploy than RBAC, as security administrators need to define all attributes for all elements in your system. Moreover, they need to initially assign attributes to each system component manually.

Explore the power of Ekran System!

Test how Ekran System can help you provide secure access.

Comparing RBAC and ABAC

Let’s dive into attribute-based access control and role-based access control advantages and disadvantages. 

RBAC pros and cons

Before delving into pros and cons of role-based access control, we’d like to highlight that RBAC is the most common approach to managing access. One of the main benefits of role-based access control is that companies no longer need to authorize or revoke access on an individual basis, bringing users together based on their roles instead. Establishing a set of roles in a small or medium-sized company is neither challenging nor costly.

On the other hand, setting up such a system at a large enterprise is time-consuming. RBAC may cause role explosions and cause unplanned expenses required to support the access control system, since the more roles an organization has, the more resources it needs to implement this access model.

There are several other disadvantages of role-based access control. You can’t set up a rule using parameters that are unknown to the system before a user starts working. Permissions can be assigned only to user roles, not to objects and operations. Also, using RBAC, you can restrict a certain action in your system but not access to certain data.

ABAC pros and cons

The key benefit of ABAC is that it allows you to grant access based not on the user role but on the attributes of each system component. This way, you can describe a business rule of any complexity. Even if you need to make certain data only accessible during work hours, it can be easily done with one simple policy.

On top of that, ABAC rules can evaluate attributes of subjects and resources that are yet to be inventoried by the authorization system. It’s much easier to add and revoke permissions of particular users by modifying attributes than by changing or defining new roles.

As for ABAC limitations, this type of access control model is time-consuming to configure and may require expensive tools due to the way policies must be specified and maintained. This may significantly increase your cybersecurity expenses.


To sum up, let’s compare the key characteristics of attribute-based access control vs role-based access control.



(For small and medium-sized organizations)

SimplicityEasy to establish roles and permissions for a small company


Hard to maintain the system for a big company

Hard to establish all the policies at the start


Easy to maintain and support

Support for simple ruleschecked-iconchecked-icon
Support for complex ruleschecked-iconchecked-icon
Support for rules with dynamic parametersminus-iconchecked-icon
Customizing user permissionsminus-icon


(Customizing a specific user requires creating a new role)


There are many differences between the ABAC and RBAC models. Both have benefits and drawbacks, but ultimately the choice between the models depends on your specific organizational needs. 

Let’s explore the key considerations that define whether RBAC or ABAC is the most suitable option for your organization.

When to use RBAC or ABAC?

RBAC is simpler to implement and manage, which makes it the ideal choice for smaller companies with straightforward access control requirements. If you aren’t planning to onboard new people and have already established responsibilities within your teams, applying an RBAC model is the optimal decision.

ABAC offers a higher degree of flexibility and granularity, which may be key for large and growing organizations. As your organization evolves, ABAC can accommodate new users, resources, and access requirements without restructuring or reconfiguring your existing systems. 

Although implementing ABAC requires more initial effort to establish policies compared to RBAC, the ABAC model is easier to maintain over time.


Ultimately, the choice between RBAC and ABAC should depend on your specific needs and future growth perspectives. 

Three ways to use RBAC and ABAC together

Companies commonly start with implementing a flat RBAC model, as it’s easier to set up and maintain. As organizations grow and handle more sensitive data, they often realize they need a more flexible access control system. However, abandoning the old access control system and building a new one from scratch is time-consuming and expensive. That’s why a lot of companies just add the required features to the existing system. In such cases, RBAC and ABAC can be used together.

This access model is also known as role-based access control with attributes (RBAC-A). It is an extension of the traditional RBAC model, which adds additional attributes or characteristics to roles to further refine access control decisions. Using an RBAC-A model, you can define roles based not only on job responsibilities but also on attributes such as location, time of day, user attributes (department, job title, etc.), or resource attributes (sensitivity level, classification, etc.). 

There are three RBAC-A approaches that handle relationships between roles and attributes:

Approaches to RBAC-A

  • Attribute-centric. A role becomes the name of one of the user attributes, resembling a job title. The “role” attribute in such a model is used to mark a set of attributes required for a certain position.
  • Role-centric. Attributes are added to constrain roles. In such a model, attributes are added to reduce rather than expand user permissions.
  • Dynamic roles. Attributes such as time of day are used to determine the subject’s role. In some cases, a user’s role can be fully determined by dynamic attributes.

In addition, there’s a method called next generation access control (NGAC) developed by NIST. NGAC addresses the limitations of existing access control models and provides more granular, dynamic, and context-aware access control capabilities. It’s implementation is similar to attribute-based access control but has a more refined approach to policies. For example, NGAC supports several types of policies simultaneously, including ones that are applied both in the local environment and in the network. 

Manage user access with Ekran System

Ekran System is an insider risk management platform that helps you efficiently audit and control user access with these features:

  • Privileged access management (PAM) in Ekran System enables you to granularly review and manage access permissions for privileged and regular users in your network. Ekran System’s PAM functionality can help your organization optimize privileged user management and configure a comfortable access request and approval workflow.
  • Password management in Ekran System allows you to securely create and deliver passwords and secrets to users, provide one-time access, and automate password rotation for Windows and Active Directory accounts. All passwords and secrets are stored in an encrypted, well-secured vault.

Ekran System has a set of other useful features to help you enhance your organization’s cybersecurity:

  • Ekran System’s user activity monitoring (UAM) functionality allows you to monitor and record user actions in a screen-capture format alongside useful metadata, such as names of active applications, visited websites, and executed commands. You can export recorded fragments or whole user sessions for incident investigation.
  • Two-factor authentication (2FA) in Ekran System can help you verify user identities to protect your sensitive systems and data from unauthorized access.
  • Real-time incident response  functionality of Ekran System allows you to receive real-time notifications about suspicious activity and swiftly block it. You can also configure Ekran System to automatically respond to threats in real time.

Identity and Access Management with Ekran System


Access management is an essential component of any reliable security system. Both the RBAC and ABAC models have their advantages and disadvantages. Whether you prefer one over the other or decide to combine them, it’s also important to consider how to securely authenticate users and manage their access privileges.

Ekran System’s identity management and access management functionalities can be used across a wide range of platforms and in virtually any network architecture. Thanks to our flexible licensing scheme, Ekran System is suitable for businesses of any size, from startups to large enterprises.

Ready to try Ekran System? Access the Demo now!

Clients from 70+ countries already use Ekran System.



See how Ekran System can enhance your data protection from insider risks.