How does authorization work? | RBAC vs ABAC vs PBAC vs ReBAC

Unlike authentication - which deals with confirming a person’s identity before allowing them access to digital resources - authorization is the process of assigning access to specific resources and indicating what the user can do with those resources. Different users are authorized to do different things. For instance, one person may be authorized to read a file while another is authorized to read it, edit it or even delete it. 

Why is authorization necessary?

These days businesses and institutions live and die by the quality and integrity of their digital resources. The handling of said resources is also often tightly regulated by laws and standards such as SOC2 and ISO27001.

While you need to give staff members access to these resources you cannot just provide everyone with blanket authorization to access and do as they wish with everything, all the time, from anywhere. 

You need to give each user only as much access to your resources as is necessary for them to perform their job. No more, no less. That said, let's look at the different authorization strategies in common use today.

Role-based access control (RBAC) and authorization

With RBAC, authorization takes the form of permissions assigned to various roles. When someone is hired, they are assigned one of those roles and are then able to enjoy the permissions that come with it. Likewise, if they are promoted, they are assigned a new role with what are typically more wide-ranging permissions. 

Attribute-based access control (ABAC) and authorization

With ABAC, access is granted depending on particular attributes of both the user and resource. User attributes can encompass the person’s department, managerial level, location and many other possible factors. Resource attributes may include the item’s sensitivity level, the author, its creation date, and various other relevant characteristics.

Policy-based access control (PBAC) and authorization

PBAC dynamically manages access in intricate environments through a policy engine and a policy definition language to define and enforce rules. In PBAC, policies dictate the criteria for access, and are maintained with regular software development lifecycle tools, providing a flexible, scalable method to meet diverse access control needs.

Relationship-based access control (ReBAC) and authorization

Relationship-Based Access Control and authorization works by defining access control policies in terms of the relationship between the entities involved. In the case of ReBAC, access is authorized based on whether there exists a relationship pathway between the entities that is sufficient to satisfy the access policy.

The biggest benefit of ReBAC authorization is its ability to execute complex access control policies that would be difficult or maybe even impossible to express using Role-Based or Attribute-Based Access Control.

Conclusion

So how does authorization work? It works by either assigning roles and permissions to a user, or by verifying they (or the digital resource) possess an access-worthy attribute, or by verifying relationships between the user and the resource they are trying to access.