RBAC vs ABAC

Overview#

Seldom does any organization use a pure Role Based Access Control (RBAC) system, a pure Attribute Based Access Control (ABAC) system, or any other pure Access Control Model. Typically there is a mix: the values of Attributes on an LDAP Entry, or from other sources, are used to determine the roles that are then used within RBAC.

Generally, organizations begin with a primarily ABAC system and, as the IAM system matures, move to a system utilizing RBAC and then probably to Context Based Access Control.

However, as the attributes on an entry are still the only way, as far as we can determine, to decide how to add a Digital Subject to a Role, discussions of RBAC vs ABAC tend to be more about theory or Strategic direction than about a possible tactical implementation.

Role Based Access Control (RBAC)#

Role Based Access Control typically is based on:
  • the roles that users have within the system
  • rules stating what access is allowed for users in a given role
Interestingly, in many Organizations, Role Based Access Control is determined by the Attribute Values assigned to the entity.

Attribute Based Access Control (ABAC)#

Generally, Attribute Based Access Control enables fine-grained Access Control, which allows for more input variables into an access control decision. Any available attribute in the directory can be used by itself or in combination with others to define the right filter for controlling resource access.

ABAC is more flexible than RBAC and can control access based on three different attribute types: Subject Attributes, Application Attributes or System Attributes of the resource to be accessed, and current Environmental Attributes.
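As an added illustration that is not part of the original page, the Python sketch below shows the mix described above: roles are derived from attribute values on an LDAP-style entry (the RBAC layer), and a second layer brings resource and environment attributes into the same decision (the ABAC layer). The directory entries, role rules and policies are constructed and hypothetical.

```python
# Constructed sample entries in LDAP attribute style (name -> list of values); not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "departmentNumber": ["4200"], "employeeType": ["FTE"],
        "memberOf": ["cn=payroll-admins,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "departmentNumber": ["1100"], "employeeType": ["CTR"], "memberOf": []},
}

# RBAC: roles are not stored directly but derived from attribute values on the entry,
# which is how the page says most organizations actually assign roles. Hypothetical rules.
ROLE_RULES = {
    "payroll-admin": lambda e: "cn=payroll-admins,ou=groups,dc=example,dc=com" in e["memberOf"],
    "engineer":      lambda e: "4200" in e["departmentNumber"],
    "employee":      lambda e: "FTE" in e["employeeType"],
}
# RBAC rules: what each role may do, as (resource type, action) pairs.
ROLE_PERMISSIONS = {
    "payroll-admin": {("payroll", "read"), ("payroll", "write")},
    "engineer":      {("repo", "read"), ("repo", "write")},
    "employee":      {("payroll", "read")},
}

def roles_for(dn):
    """Roles of a Digital Subject, computed from its entry's attribute values."""
    entry = DIRECTORY[dn]
    return {role for role, test in ROLE_RULES.items() if test(entry)}

def rbac_allows(dn, resource_type, action):
    """Pure RBAC decision: allowed if any derived role carries the permission."""
    return any((resource_type, action) in ROLE_PERMISSIONS[r] for r in roles_for(dn))

def abac_allows(dn, resource, action, env):
    """ABAC decision: subject, resource (owner) and environment (network, hour)
    attributes are evaluated together, so the same role can be allowed in one
    context and denied in another."""
    subject = DIRECTORY[dn]
    in_hours = 8 <= env["hour"] <= 18
    # A payroll admin may write payroll records only from the corporate network in business hours.
    if resource["type"] == "payroll" and action == "write":
        return "payroll-admin" in roles_for(dn) and env["network"] == "corp" and in_hours
    # Any full-time employee may read a payroll record, but only their own.
    if resource["type"] == "payroll" and action == "read":
        return "FTE" in subject["employeeType"] and resource["owner"] == dn
    # Everything else falls back to the pure role check.
    return rbac_allows(dn, resource["type"], action)
```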
