Role-Based Access Control VS Attribute-Based Access Control

Comparing different access control methods

Identity and access management products utilise access control methods to implement policies. We discuss two established models.

Identity management systems are usually comprised of three main elements: users, systems / applications and policies. How different applications and systems interact with different users are defined and enabled by the policies. Most identity and access management (IAM) products implement the policies to control access to organisational resources through a range of methods. Role-based Access Control (RBAC) and Attribute-based Access Control (ABAC) are two of the four widely known and most used models for access control. We will talk about what RBAC and ABAC do and when to use which model.


Role-based Access Control

How RBAC controls access is determined by the roles that users have within the system, and the rules that define what access is granted for those roles. Most modern IAM products define a role as a local grouping of one or more users that have some common affiliations within the same directory system. These affiliations include being in the same department or geographical location, age, gender, et cetera.


Attribute-based Access Control

How ABAC controls access is based on three different attribute types: attributes of user accounts, attributes that are associated with the system to be accessed, and current environmental conditions. As a result, ABAC is known as the most complex model as compared to the other access control methods.


RBAC versus ABAC

The major difference between RBAC and ABAC is the specificity of access control provided. RBAC provides coarse-grain access control, allowing decision makers to implement broad changes. One such example is granting all users of a certain user role access to a specified application or resource. Should you require more granularity, this is where ABAC steps in.  ABAC allows you to make decisions that come with specific or complex conditions. For instance, teachers who teach a certain grade in a certain school can be granted access to a specific application or system.


As a general rule of thumb, it is advised to utilise RBAC before proceeding to use ABAC. This is due to the amount of processing power and time that is consumed in more complex and larger filters of access control. In systems with many users and applications, the processing impact will be amplified.



In addition, RBAC and ABAC can be used in tandem via a hierarchal approach, where RBAC does the coarse-grain filtering while ABAC comes in to provide a finer inspection. RBAC and ABAC are dynamic access control tools that will automatically update the roles and access rights according to whatever configurations have been established within the IAM system.




When implementing a modern IAM product, it comes down to this: bear in mind that access control is a set of policies that governs how users are granted the correct access to the appropriate software, resources, and applications. Regardless of the access control model being RBAC or ABAC, a good IAM solution should assist you in determining what users can do with applications by providing multiple tools that ensure proper resources are accessed by the right users at the right time.