Access control is a fundamental element of your organization’s security infrastructure. Every security officer wants to apply the principle of least privilege, implement a zero trust architecture, segregate user duties, and adopt other access control best practices without harming the company’s workflow.
There are several approaches to implementing an access management system in your organization. In this article, we analyze the two most popular access control models: role-based and attribute-based. We review the pros and cons of each model, compare them, and see if it’s possible to combine them.
What is role-based access control (RBAC)?
Role-based access control (RBAC) is an access control method based on defining employees’ roles and corresponding privileges within the organization. The idea of this model is that every employee is assigned a role. In turn, every role has a collection of access permissions and restrictions. An employee can access objects and execute operations only if their role in the system has relevant permissions.
For example, a company’s accountant should be allowed to work with financial information but shouldn’t have access to clients’ contact information or credit card data.
When a new employee comes to your company, it’s easy to assign a role to them. And when someone leaves the company, you don’t need to change the role parameters or a central policy, as you can simply revoke the user’s role.
Defining a role can be quite challenging, however. You have to consider all the permissions a user needs to perform their duties and the position of this role in your hierarchy. Assigning too many permissions to a single role can break the principle of least privilege and may lead to privilege creep and misuse.
Once all the necessary roles are set up, role-based access control doesn’t require constant maintenance from the IT department. Implementing RBAC can help you meet IT security requirements without much pain.
However, creating a complex role system for a large enterprise is challenging. An organization with thousands of employees can end up with a few thousand roles, because every exception to an existing role tends to be handled by creating a new one. This is known as role explosion, and it's hard to avoid in a big company unless roles are regularly reviewed and consolidated.
How does RBAC work?
Let’s consider the main components of the role-based approach to access control:
- User – an individual (or a service account) with a unique identifier (UID) who has access to the system
- Role – a named job function that indicates the level of authority
- Permission – an approval to perform a particular operation on a particular object, i.e. an access right
- Session – a period during which a user activates some or all of the roles assigned to them and uses their permissions
- Object – a system resource that requires permission to access
- Operation – an executable action on an object (read, write, execute, approve, etc.)
The basic rules of RBAC are:
- All user activities are carried out through operations.
- A user can execute an operation only if the user has been assigned a role that allows them to do so.
- Identification and authentication are not considered operations.
RBAC can be implemented on four levels according to the NIST RBAC model. Each subsequent level includes the properties of the previous. Let’s take a look at them:
1. Flat RBAC is an implementation of the basic functionality of the RBAC model. All users and permissions are assigned to roles. Users obtain the permissions they need by acquiring these roles. There may be as many roles and permissions as the company needs. A single user can be assigned to multiple roles, and one role can be assigned to multiple users.
2. Hierarchical RBAC, as the name suggests, implements a hierarchy within the role structure. This hierarchy establishes the relationships between roles: a senior role inherits all the permissions of the junior roles beneath it, so a user assigned the senior role automatically holds those permissions too. The depth of the hierarchy is defined by the company's needs.
3. Constrained RBAC adds separation of duties (SOD) to the model. SOD is a well-known security practice in which a single duty is spread among several employees, and it's especially important for medium-sized businesses and large enterprises. Separation of duties ensures that no single employee can introduce a fraudulent change to your system without someone else being in a position to notice, audit, or reverse it. In a hierarchy, inherited roles count toward the constraint: a user whose senior role inherits the accountant role cannot also be assigned a role that conflicts with accountant.
4. Symmetric RBAC supports permission-role review as well as user-role review. It allows security administrators to identify permissions assigned to existing roles (and vice versa). For example, by identifying roles of a terminated employee during the user access review procedure, an administrator can revoke the employee’s permissions and then reassign the roles to another user with the same or a different set of permissions.
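As an added example (not code from the original article or from Ekran System), here is a small Python reference monitor that implements all four NIST levels at once: flat roles and user assignments, a role hierarchy, a static separation-of-duty constraint that also counts inherited roles, and the review queries of symmetric RBAC. The role names (employee, accountant, auditor, finance_manager), the permissions and the users are illustrative, and a permission is modelled as an (operation, object) pair following the components listed above.

```python
"""Minimal RBAC reference monitor covering the four NIST RBAC levels.
Added example with illustrative roles and users; not Ekran System code."""

Permission = tuple[str, str]   # (operation, object), e.g. ("read", "ledger")


class RBAC:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[Permission]] = {}
        self.juniors: dict[str, set[str]] = {}          # senior role -> roles it inherits
        self.user_roles: dict[str, set[str]] = {}
        self.ssd: list[tuple[frozenset[str], int]] = []  # (conflicting roles, limit)

    # Flat RBAC: roles carry permissions; users get permissions only via roles.
    def add_role(self, role: str, perms=(), juniors=()) -> None:
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)               # hierarchical RBAC

    def closure(self, role: str) -> set[str]:
        """The role plus every junior role reachable through the hierarchy."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def authorized_roles(self, user: str) -> set[str]:
        """Directly assigned roles plus everything inherited (user-role review)."""
        return set().union(*(self.closure(r) for r in self.user_roles.get(user, ())))

    # Constrained RBAC: static separation of duty. A user may hold fewer than
    # `limit` of the roles in `roles`, and inherited roles count as held.
    def add_ssd(self, roles, limit: int = 2) -> None:
        self.ssd.append((frozenset(roles), limit))

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)
        for roles, limit in self.ssd:
            conflict = self.authorized_roles(user) & roles
            if len(conflict) >= limit:
                self.user_roles[user].discard(role)      # roll the assignment back
                raise ValueError(f"SoD violation for {user}: {sorted(conflict)}")

    def revoke(self, user: str, role: str) -> None:
        """Offboarding needs no policy change: just drop the role."""
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, roles) -> set[Permission]:
        perms: set[Permission] = set()
        for r in roles:
            for j in self.closure(r):
                perms |= self.role_perms[j]
        return perms

    # Symmetric RBAC: permission-role review answers "which roles can do X?"
    def permission_role_review(self, perm: Permission) -> set[str]:
        return {r for r in self.role_perms if perm in self.permissions([r])}


class Session:
    """A session activates a subset of the user's assigned roles (least privilege)."""

    def __init__(self, rbac: RBAC, user: str, active=None) -> None:
        assigned = rbac.user_roles.get(user, set())
        self.active = set(active) if active is not None else set(assigned)
        if not self.active <= assigned:
            raise PermissionError(f"{user} is not assigned {self.active - assigned}")
        self.rbac = rbac

    def check(self, op: str, obj: str) -> bool:
        """Rule: an operation is allowed only through an active role that grants it."""
        return (op, obj) in self.rbac.permissions(self.active)


def build_demo() -> RBAC:
    """Constructed sample hierarchy: finance_manager > accountant > employee."""
    ac = RBAC()
    ac.add_role("employee", [("read", "handbook")])
    ac.add_role("accountant", [("read", "ledger"), ("write", "ledger")], juniors=["employee"])
    ac.add_role("auditor", [("read", "ledger"), ("read", "audit_log")], juniors=["employee"])
    ac.add_role("finance_manager", [("approve", "payment")], juniors=["accountant"])
    ac.add_ssd(["accountant", "auditor"])    # nobody both keeps and audits the ledger
    ac.assign("alice", "finance_manager")
    ac.assign("bob", "auditor")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(Session(ac, "alice").check("read", "handbook"))   # inherited via accountant
    print(Session(ac, "bob").check("write", "ledger"))      # auditor cannot write
    try:
        ac.assign("alice", "auditor")    # finance_manager already inherits accountant
    except ValueError as e:
        print(e)
    print(sorted(ac.permission_role_review(("read", "ledger"))))
```

The separation-of-duty check runs against the authorized roles, not just the directly assigned ones; otherwise the hierarchy would quietly bypass the constraint, since alice never holds "accountant" by name but inherits it through finance_manager.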
Role-based access control is most commonly implemented in small and medium-sized companies. Such organizations typically have simple workflows, a limited number of roles, and a pretty simple hierarchy, making it possible to determine and describe user roles effectively.
What is attribute-based access control (ABAC)?
Attribute-based access control (ABAC) generalizes the idea behind roles: instead of a single role, every element of your system carries a set of attributes. A central policy defines which combinations of subject, object, action, and environment attributes are required to perform an action.
Once you've written policies for the most common job functions and resource types in your company, a new user or resource only needs to be given the right attributes; the existing policies apply to it without being copied or rewritten.
This is similar to how a role works in the RBAC model. But in the ABAC model, a particular user's access can be adjusted by changing their attributes, without creating a new role. Attributes make ABAC a more granular access control model than RBAC.
Let’s consider the main components of the ABAC model according to NIST:
- Attribute – a characteristic of any element in the network. An attribute can define:
- User characteristics – employee position, department, IP address, clearance level, etc.
- Object characteristics – type, creator, sensitivity, required clearance level, etc.
- Type of action – read, write, edit, copy, paste, etc.
- Environment characteristics – time, day of the week, location, etc.
- Subject – any user, process, or device that can perform actions in the network; a subject is assigned attributes (identity, department, clearance level, etc.) that policies evaluate to decide what it may do
- Object – any resource a subject may act on, such as a file, a database record, a service, or a device; objects are assigned attributes in order to describe and identify them
- Operation – any action taken by a subject on an object
- Policy – a set of rules allowing or restricting actions in your information system; rules are IF/THEN statements over the attributes of the subject, object, action, and environment
This approach is suitable for companies of any size but is mainly used in large organizations. ABAC requires more effort to configure and deploy than RBAC: security administrators need to define the attribute schema for every kind of element in the system, populate attributes for each user and resource before any policy can be evaluated, and keep them accurate afterwards, since a wrong or missing attribute changes the decision.
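The following is an added example of a policy decision point in Python, not code from the original article or from Ekran System. It models the four attribute categories listed above, writes policy rules as IF/THEN predicates, combines them with deny-overrides and denies by default, and treats missing attributes as failing closed. The corporate network range 10.0.0.0/8, the clearance ordering, the 9:00 to 18:00 weekday business hours, and all users and documents are constructed assumptions.

```python
"""ABAC policy decision point over subject, object, action and environment
attributes. Added example with constructed data; not Ekran System code."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

Attrs = dict[str, object]
CORP_NET = ipaddress.ip_network("10.0.0.0/8")           # assumed corporate range
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Request:
    subject: Attrs      # user characteristics: department, clearance, ip, ...
    obj: Attrs          # object characteristics: type, owner, sensitivity, ...
    action: str         # read, write, delete, ...
    env: Attrs          # environment: time, location, ...


@dataclass
class Rule:
    name: str
    effect: str                           # "permit" or "deny"
    when: Callable[[Request], bool]       # the IF part; effect is the THEN part


def business_hours(t: datetime) -> bool:
    return t.weekday() < 5 and 9 <= t.hour < 18


POLICY = [
    Rule("finance-docs", "permit", lambda r:
         r.subject.get("department") == "finance"
         and r.obj.get("type") == "financial"
         and r.action in ("read", "write")
         # a missing clearance or sensitivity attribute fails closed
         and CLEARANCE.get(r.subject.get("clearance"), -1)
         >= CLEARANCE.get(r.obj.get("sensitivity"), 99)),
    Rule("owner", "permit", lambda r:
         r.obj.get("owner") is not None
         and r.obj.get("owner") == r.subject.get("id")
         and r.action in ("read", "write", "delete")),
    Rule("restricted-after-hours", "deny", lambda r:
         r.obj.get("sensitivity") == "restricted"
         # a missing time attribute counts as outside business hours
         and not business_hours(r.env.get("time", datetime.min))),
    Rule("off-network-write", "deny", lambda r:
         r.action != "read"
         and ipaddress.ip_address(r.subject.get("ip", "0.0.0.0")) not in CORP_NET),
]


def decide(req: Request, policy=POLICY) -> tuple[bool, list[str]]:
    """Deny-overrides combining: any matching deny wins, otherwise a matching
    permit, otherwise deny by default. Also returns the rules that fired, for audit."""
    fired = [rule for rule in policy if rule.when(req)]
    names = [rule.name for rule in fired]
    if any(rule.effect == "deny" for rule in fired):
        return False, names
    return any(rule.effect == "permit" for rule in fired), names


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Constructed users, documents and environments."""
    ledger = {"type": "financial", "owner": "cfo", "sensitivity": "restricted"}
    report = {"type": "financial", "owner": "cfo", "sensitivity": "internal"}
    memo = {"type": "note", "owner": "dana", "sensitivity": "internal"}
    carol = {"id": "carol", "department": "finance", "clearance": "restricted", "ip": "10.1.2.3"}
    dana = {"id": "dana", "department": "engineering", "clearance": "internal", "ip": "203.0.113.7"}
    erin = {"id": "erin", "department": "finance", "clearance": "confidential", "ip": "10.9.9.9"}
    office = {"time": datetime(2024, 3, 5, 10, 30)}     # a Tuesday, 10:30
    night = {"time": datetime(2024, 3, 5, 23, 0)}
    return {
        "carol_reads_ledger_daytime": decide(Request(carol, ledger, "read", office)),
        "carol_reads_ledger_night": decide(Request(carol, ledger, "read", night)),
        "dana_reads_ledger": decide(Request(dana, ledger, "read", office)),
        "dana_edits_own_memo_offsite": decide(Request(dana, memo, "write", office)),
        "dana_reads_own_memo_offsite": decide(Request(dana, memo, "read", office)),
        # erin was added after the policy was written; no rule had to change
        "new_hire_erin_reads_report": decide(Request(erin, report, "read", office)),
    }


if __name__ == "__main__":
    for case, (allowed, fired) in demo().items():
        print(f"{case}: {'PERMIT' if allowed else 'DENY'} via {fired}")
```

The working-hours restriction is a single rule over the environment's time attribute, and erin is covered the moment she carries the finance department and clearance attributes; both are things a pure role model would need a new role, or logic outside the model, to express.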
Comparing RBAC and ABAC
Let's look at the advantages and disadvantages of these two models and then compare ABAC vs RBAC.
RBAC pros and cons
RBAC is the most common approach to managing access. The main advantage of RBAC is that companies no longer need to authorize or revoke access on an individual basis, bringing users together based on their roles instead. Establishing a set of roles in a small or medium-sized company is neither challenging nor costly.
On the other hand, setting up such a system at a large enterprise is time-consuming. RBAC may lead to role explosion and to unplanned expenses for supporting the access control system, since the more roles an organization has, the more resources it needs to define, review, and maintain them.
RBAC also has structural limitations. An access decision depends only on the user's roles, so you can't write a rule that depends on context known only at request time, such as the time of day, the user's location or device, or the state of the object. Permissions are tied to roles rather than to properties of the data, so restricting access to a particular subset of data (say, only records the user owns, or only documents below a given sensitivity level) requires either yet another role or logic outside the model.
ABAC pros and cons
The key benefit of ABAC is that it allows you to grant access based not on the user's role alone but on the attributes of each system component. This way, you can describe a business rule of almost any complexity. If you need to make certain data accessible only during work hours, one policy that checks the time attribute does it.
On top of that, ABAC policies apply to subjects and resources that didn't exist when the policy was written: a new employee or a newly created file is covered as soon as it carries the right attributes. It's also much easier to grant or remove a particular user's access by modifying their attributes than by changing or defining new roles.
As for ABAC limitations, this type of access control model is time-consuming to configure and may require expensive tools due to the way policies must be specified and maintained. This may significantly increase your cybersecurity expenses.
RBAC vs ABAC
To sum up, let's compare the key characteristics of RBAC vs ABAC:

| Characteristic | RBAC | ABAC |
|---|---|---|
| Setup and maintenance | Easy to establish roles and permissions for a small or medium-sized company; hard to maintain the system for a big company | Hard to establish all the policies at the start; easy to maintain and support once they exist |
| Rule complexity | Supports simple rules | Supports complex rules |
| Rules with dynamic parameters (time, location, etc.) | Not supported | Supported |
| Customizing user permissions | Customizing a specific user requires creating a new role | Done by changing the user's attributes |
Below, we provide a handy cheat sheet on how to choose the right access control model for your organization.
Combining RBAC and ABAC
Companies often start with implementing a flat RBAC model, as it’s easier to set up and maintain. As organizations grow and manage more sensitive data, they realize the need for a more flexible access control system. But abandoning the old access control system and building a new one from scratch is time-consuming and expensive. That’s why a lot of companies just add the required features to the existing system. In such cases, RBAC and ABAC can be used together, with RBAC doing the rough work and ABAC complementing it with finer filtering.
This access model is also known as RBAC-A. There are three RBAC-A approaches that handle relationships between roles and attributes:
- Attribute-centric. A role becomes the name of one of the user attributes, resembling a job title. The “role” attribute in such a model is used to mark a set of attributes required for a certain position.
- Role-centric. Attributes are added to constrain roles. In such a model, attributes are added to reduce rather than expand user permissions.
- Dynamic roles. Attributes such as time of day are used to determine the subject’s role. In some cases, a user’s role can be fully determined by dynamic attributes.
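As an added example (not code from the original article or from Ekran System), the Python below shows two of the RBAC-A approaches together: role-centric, where roles set the ceiling on what a user may do and attribute constraints can only narrow it, and dynamic roles, where an attribute (here, being on call during an open incident) determines whether a role is held at all. The roles helpdesk and dba, the constraints, the users, and the environment flags change_window and incident_open are all illustrative assumptions.

```python
"""Role-centric and dynamic-role RBAC-A: RBAC does the rough cut, attributes
filter the rest. Added example with illustrative data; not Ekran System code."""

ROLE_PERMS = {
    "helpdesk": {("read", "ticket"), ("write", "ticket"), ("reset", "password")},
    "dba": {("read", "db"), ("write", "db"), ("read", "ticket")},
}

# Role-centric constraints can only take permissions away, never add them.
# Each predicate returns True when the action must be blocked even though a
# role grants it. Missing attributes are treated as the unsafe value.
CONSTRAINTS = {
    "password-reset-only-in-office":
        lambda user, op, obj, env: op == "reset" and user.get("location") != "office",
    "db-writes-only-in-change-window":
        lambda user, op, obj, env: (op, obj) == ("write", "db")
        and not env.get("change_window", False),
    "mfa-required-for-writes":
        lambda user, op, obj, env: op in ("write", "reset") and not user.get("mfa", False),
}


def dynamic_roles(user: dict, env: dict) -> set[str]:
    """Dynamic-roles variant: the on-call engineer holds 'dba' only while an
    incident is open; outside an incident the on_call attribute grants nothing."""
    roles = set(user.get("roles", ()))
    if user.get("on_call") and env.get("incident_open"):
        roles.add("dba")
    return roles


def authorize(user: dict, op: str, obj: str, env: dict) -> tuple[bool, str]:
    """Decision plus the reason, for logging and access reviews."""
    roles = dynamic_roles(user, env)
    ceiling = set().union(*(ROLE_PERMS[r] for r in roles))
    if (op, obj) not in ceiling:                     # RBAC: no role grants it, stop here
        return False, "no role grants this permission"
    for name, blocked in CONSTRAINTS.items():        # ABAC: attributes narrow the grant
        if blocked(user, op, obj, env):
            return False, name
    granting = sorted(r for r in roles if (op, obj) in ROLE_PERMS[r])
    return True, "granted by role " + ",".join(granting)


def effective_permissions(user: dict, env: dict) -> set[tuple[str, str]]:
    """What the user can actually do right now: the role ceiling minus constraints."""
    ceiling = set().union(*(ROLE_PERMS[r] for r in dynamic_roles(user, env)))
    return {perm for perm in ceiling if authorize(user, *perm, env)[0]}


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed users and environments."""
    frank = {"id": "frank", "roles": ["helpdesk"], "location": "office", "mfa": True}
    remote_frank = {**frank, "location": "home"}
    grace = {"id": "grace", "roles": [], "on_call": True, "mfa": True, "location": "home"}
    quiet = {"change_window": False, "incident_open": False}
    incident = {"change_window": False, "incident_open": True}
    return {
        "frank_resets_in_office": authorize(frank, "reset", "password", quiet),
        "frank_resets_from_home": authorize(remote_frank, "reset", "password", quiet),
        "grace_reads_db_normally": authorize(grace, "read", "db", quiet),
        "grace_reads_db_in_incident": authorize(grace, "read", "db", incident),
        "grace_writes_db_in_incident": authorize(grace, "write", "db", incident),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case}: {'PERMIT' if allowed else 'DENY'} ({reason})")
```

Because the role check runs first and the constraints can only deny, the largest set of permissions any user can ever hold is still readable straight from the role definitions, which keeps access reviews as simple as in plain RBAC while the attribute rules add the context a role cannot express.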
In addition, there's a method called next generation access control (NGAC), developed by NIST. Its implementation is similar to attribute-based access control but has a more refined approach to policies: NGAC can enforce several independent policies simultaneously over the same users and resources, so, for example, an organization-wide policy and a stricter policy for a particular environment or network segment can both apply to the same request.
Manage user access with Ekran System
Ekran System is an insider risk management platform that helps you efficiently audit and control user access with these features:
- Privileged access management (PAM) in Ekran System enables you to granularly review and manage access permissions for privileged and regular users in your network. Ekran System’s PAM functionality can help your organization optimize privileged user management and configure a comfortable access request and approval workflow.
- Password management [PDF] in Ekran System allows you to securely create and deliver passwords and secrets to users, provide one-time access, and automate password rotation for Windows and Active Directory accounts. All passwords and secrets are stored in an encrypted, well-secured vault.
Ekran System has a set of other useful features to help you enhance your organization’s cybersecurity:
- Ekran System’s user activity monitoring (UAM) functionality allows you to monitor and record on-screen user actions in a video format alongside useful metadata, such as names of active applications, visited websites, and executed commands, and use those records for incident investigations.
- Two-factor authentication (2FA) in Ekran System can help you verify user identities to protect your sensitive systems and data from unauthorized access.
- Real-time incident response functionality of Ekran System allows you to receive real-time email notifications about suspicious activity and automatically block it in a timely manner.
- Ekran System’s user and entity behavior analytics (UEBA) [PDF] module checks users’ activity against normal behavior to efficiently detect suspicious activity and account compromise.
Access management is an essential component of any reliable security system. Both the RBAC and ABAC models have their advantages and disadvantages, as we have described in this post. Whether you prefer one over the other or decide to combine them, you’ll need a way to securely authenticate and verify your users as well as to manage their access privileges.
You can use Ekran System’s identity management and access management functionality on a wide range of platforms and in virtually any network architecture. Thanks to our flexible licensing scheme, Ekran System is suitable for both small businesses and large enterprises.
Start a free trial now and see how Ekran System can facilitate access management in your organization!