What is RBAC vs. ABAC?

Role-based access control (RBAC) and attribute-based access control (ABAC) are two approaches for determining whether to grant a user access to applications, data, and other resources. In the case of RBAC, access permissions are generally based on the user's job title, duties, or sometimes a group or department to which the user belongs. ABAC systems provide more granular and nuanced access decisions using a combination of characteristics about the user, the resource being requested, and context, such as location or time of day.

Both RBAC and ABAC are forms of access control, a critical component of identity and access management (IAM). Access control, as the name suggests, is designed to control which resources a user is authorized to access. Fine-grained controls prevent over-permissive access, which can lead to insider threats or the misuse of sensitive data, intentional or accidental.

An organization's access control policies also help it comply with data privacy regulations, such as the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), by ensuring that sensitive data doesn't fall into the wrong hands.

Why are there different "types" of access control?

Access control technologies have evolved for years, and many organizations use more than one type. Whether mandatory access control (MAC), discretionary access control (DAC), or RBAC and ABAC, the point is to enforce business policies intended to limit access to networks, computer systems, applications, and sensitive data, such as personally identifiable information (PII), customer data, and intellectual property.

Access control systems were simpler when employees were connected to the network using managed devices and accessing apps and data in the corporate data center. But today's environments are far more complex and dynamic than that. A company today may have legacy applications housed in on-premises servers along with multiple applications in public and private clouds. Employees connect from everywhere using a range of devices. For these reasons, access controls must be robust, with many processes automated, and they must support on-premises and cloud environments.

Access controls are further complicated by today's constantly changing environment in the workplace, with employees moving into new jobs within a company or leaving the company altogether. It's important for IT administrators to be able to change or revoke permissions quickly. As employees start new jobs, their productivity relies on gaining fast access to the appropriate resources. If, on the other hand, an individual leaves a company but retains access privileges, it can lead to significant security and compliance issues.

Role-based access control (RBAC)

Role-based access control (RBAC) grants permissions based on a user's role(s). Roles can be defined by authority level, responsibility, job title, status (employee vs. contractor), or department, as well as task-specific needs, such as viewing vs. editing rights. IT leaders and IAM administrators determine which permissions should be granted for each role, and which users are assigned those permissions. Role-based permissions are based on:

  • Access: What will be seen on the user's device?
  • Operations: Is the user allowed only to read materials, or is editing, creating, or deleting files also allowed?
  • Sessions: What are the conditions for starting and stopping a session? What determines the length of the user's access?

The benefits of RBAC

RBAC simplifies the work of IT as access decisions are predetermined based on role. For example, when a new salesperson is hired, that user can quickly be granted access to the same predefined resources as other members of the sales team because they share the same role. Therefore, RBAC speeds the onboarding process for new employees. RBAC also makes it easy to facilitate temporary access. Interns or seasonal workers, for example, can be quickly provisioned with limited access to just the resources they need.

For the same reasons, an RBAC model makes it easy to quickly handle job changes and terminations. When an employee changes roles or leaves the company, that user's access to resources can either be changed to a new role or revoked upon leaving.

Attribute-based access control (ABAC)

The attribute-based access control (ABAC) model offers more flexibility and security than RBAC because it evaluates several attributes when making authorization decisions. These attributes may include:

  • A description of the user attempting the access, such as department, level of clearance, role, job title
  • A description of the action being attempted, such as view, change, delete
  • A description of the resource being accessed, for example, whether it's a database, financial records, or customer information. These "object attributes" may also take into account the user's department, the sensitivity of the data, or its location
  • The context of the access request, including the user's location, time, or other dynamic aspects

Administrators can also apply a range of policies that determine what is and isn't allowed. Such policies may state that a document may only be edited by its owner or that data may not be viewed in certain countries or locations. For example, a salesperson may have permission to use the CRM system, but may be blocked from logging in when using public Wi-Fi, or may be required to go through additional safeguards before access is granted.

The benefits of ABAC

ABAC offers the ability to control more variables than RBAC, and it can help prevent an attacker from gaining access via stolen credentials, a leading cause of identity breaches. Because ABAC enables administrators to set permissions based on a combination of attributes, a user may have different levels of access based on their location or the time of day. Why? Perhaps a member of the finance team is authorized to access the company balance sheet, but only when inside the office. If that member tries to access it from an unsecured network, the request will be denied.

ABAC gives administrators the ability to create highly specific rules. Also, there's no need to modify existing rules to accommodate new users with an ABAC model.
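
The difference between the two models shows up when the same request is evaluated both ways. The following Python sketch is an added example, not ForgeRock code; the role table, attribute names, users and policies are constructed from the scenarios described above (owner-only editing, the balance sheet inside the office, CRM over public Wi-Fi).

```python
# Added example: roles, policies and attribute names are constructed for illustration.
ROLE_PERMISSIONS = {
    "sales":   {("crm", "view"), ("crm", "edit")},
    "finance": {("balance_sheet", "view")},
}

def rbac_allows(user, action, resource):
    """RBAC: the decision depends only on the roles assigned to the user."""
    return any((resource["type"], action) in ROLE_PERMISSIONS.get(role, set())
               for role in user["roles"])

def abac_decide(user, action, resource, context):
    """ABAC: evaluate user, action, resource and context together.
    Returns 'permit', 'deny' or 'step_up' (additional safeguards required)."""
    # Baseline entitlement still comes from the user's role attribute.
    if not rbac_allows(user, action, resource):
        return "deny"
    # Resource-attribute rule: a document may only be edited by its owner.
    if action == "edit" and resource.get("owner") not in (None, user["id"]):
        return "deny"
    # Context rule: data may not be viewed from certain countries.
    if context["country"] in resource.get("blocked_countries", ()):
        return "deny"
    # Context rule: the balance sheet is available only inside the office.
    if resource["type"] == "balance_sheet" and context["network"] != "office":
        return "deny"
    # Context rule: CRM access over public Wi-Fi needs additional safeguards.
    if resource["type"] == "crm" and context["network"] == "public_wifi":
        return "step_up"
    return "permit"

# Constructed sample subjects, resources and request contexts.
alice = {"id": "alice", "roles": ["finance"]}
bob = {"id": "bob", "roles": ["sales"]}
sheet = {"type": "balance_sheet", "blocked_countries": ()}
crm_record = {"type": "crm", "owner": "carol"}
office = {"network": "office", "country": "US"}
cafe = {"network": "public_wifi", "country": "US"}

if __name__ == "__main__":
    requests = [(alice, "view", sheet, office), (alice, "view", sheet, cafe),
                (bob, "view", crm_record, cafe), (bob, "edit", crm_record, office)]
    for who, act, res, ctx in requests:
        print(who["id"], act, res["type"], ctx["network"],
              "| RBAC:", rbac_allows(who, act, res),
              "| ABAC:", abac_decide(who, act, res, ctx))
```

RBAC answers every one of these requests with "allowed" because the role matches; only the attribute checks distinguish the office request from the one made on an unsecured network.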

How ABAC supports a Zero Trust security framework

Maintaining strict access controls is essential to the concept of Zero Trust security. Zero Trust is based on the principle of "least-privileged" access, meaning that users should have access to the minimum resources necessary to do their jobs. A Zero Trust model continually evaluates and reevaluates a user's access based on context and adapts permissions accordingly.

The ABAC model enables fine-grained controls based on multiple attributes. For example, logging into the CRM system is easy for a user who has access permission, but the system will look for any unusual or anomalous behavior. Perhaps the user has viewer access to sales forecasts but is trying to download or edit them. Maybe the user's authentication is valid but the access request is coming from an unusual network, country, or time zone. Because attributes like these are constantly changing, permissions may be granted for a limited time, after which users would be required to re-authenticate.
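
The continual re-evaluation described above can be sketched as a time-limited grant that is re-checked on every request. This Python code is an added example, not ForgeRock code; the field names, the 15-minute lifetime and the sample contexts are assumptions.

```python
# Added example: field names and the 15-minute lifetime are assumptions.
GRANT_LIFETIME_S = 15 * 60

def issue_grant(user_id, permissions, context, now):
    """Record the context seen at authentication alongside the permissions."""
    return {"user": user_id, "permissions": frozenset(permissions),
            "network": context["network"], "country": context["country"],
            "expires_at": now + GRANT_LIFETIME_S}

def reevaluate(grant, action, context, now):
    """Re-check one request against the grant instead of trusting the session.
    Returns 'permit', 'deny' or 'reauthenticate'."""
    if now >= grant["expires_at"]:
        return "reauthenticate"   # the time-limited permission has lapsed
    seen = (context["network"], context["country"])
    if seen != (grant["network"], grant["country"]):
        return "reauthenticate"   # credentials valid, but the context changed
    if action not in grant["permissions"]:
        return "deny"             # e.g. a viewer trying to download or edit
    return "permit"

# Constructed sample contexts: where the user authenticated and a later request origin.
OFFICE_US = {"network": "office", "country": "US"}
OFFICE_ELSEWHERE = {"network": "office", "country": "ZZ"}

if __name__ == "__main__":
    grant = issue_grant("bob", {"view"}, OFFICE_US, now=1000)
    print(reevaluate(grant, "view", OFFICE_US, now=1100))
    print(reevaluate(grant, "download", OFFICE_US, now=1100))
    print(reevaluate(grant, "view", OFFICE_ELSEWHERE, now=1100))
    print(reevaluate(grant, "view", OFFICE_US, now=1000 + GRANT_LIFETIME_S))
```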

ForgeRock Identity Governance and Autonomous Identity

ForgeRock Autonomous Identity is an AI-driven identity analytics solution that shows attribute-based patterns and helps organizations discover roles. Identity Governance uses those roles to control who can access which resources and, through continuous compliance mechanisms like Certification, prevents excessive access permissions and helps organizations achieve regulatory compliance.
