RBAC vs ABAC | Which is better for your application?

Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) are two common methods of ensuring system users only have access to the resources they need to do their job. Access control is the second step in providing access to digital resources and always comes after user authentication.  While RBAC and ABAC have the same goal (making sure only those who need access to specific digital resources obtain access), they go about granting access in different ways.

The differences between RBAC and ABAC

The main difference between RBAC and ABAC is the methods they use to grant access. Role-based access relies on pre-defined roles that come with certain permissions attached. Attribute-based access is determined by certain user and resource characteristics. Let’s take a closer look at both.

Role-Based Access Control or RBAC

If your system uses RBAC, what a user can do once they login is determined by the “role” assigned to them by the system administrator. Each role comes with certain permissions attached and very few people in an organization will have a unique role assigned to them. 

Instead, roles are often assigned to everyone within a certain department or to people at different managerial levels. As people climb the ladder, or are transferred to different positions, they may be assigned a new role with new access permissions attached to it.

Attribute-Based Access Control or ABAC

Attribute-Based Access Control (ABAC) is a little more complicated than RBAC. With ABAC, access is permitted based on certain attributes of both the user and resource. User attributes can include the person’s job description, their department, their managerial level, their security clearance or other criteria. Other attributes include the time of day, the day of the week, the person’s location and the platform the person is using to attempt access. 

ABAC actually provides a high-degree of versatility and subtle control over system access. For instance, the same person could be given access when logging in from their office PC but denied access if they attempt to login from home on their smartphone.

Which is better? RBAC or ABAC?

As with many things the only legitimate answer is… it depends. It depends on the type of data involved, the sensitivity of that data and a host of other considerations. As a general rule, RBAC is preferred when a well-defined user base is in play and ABAC is preferred when versatility and security are of paramount importance.