Authorization is the process of giving someone the ability to access a digital resource. There are many ways to grant access to users in enterprise organizations. Explore the differences between these authorization methods and the ways that they work.
Role-based access control (RBAC): Also known as non-discretionary access control, this authorization strategy bases user access on assigned roles. Learn how it works and when it might be used.
Policy-based access control (PBAC): Dynamically determines access privileges during authorization based on policies and rules. Learn how this strategy works and when it might be used.
Attribute-based access control (ABAC): Attribute-based access control uses attributes to determine a user's access to resources in an application. Learn how this strategy works and when and might be used.
Privileged Access Management (PAM): A security mechanism that safeguards identities with special access or capabilities beyond regular users. Learn how this strategy works and when and might be used.
RBAC is an authorization approach that bases user access on a user’s role within an organization.
Data privacy regulations, enterprise security requirements, and customer experience concerns make it critical for organizations to control access to networks and data. The goal of access control measures such as RBAC is to keep unauthorized users from accessing sensitive information that they don’t need or shouldn’t be able to see, whether on-premises or cloud-based.
With RBAC, after a user is authenticated, RBAC determines what they can access based on their role within the organization or system. This role could be defined by job title, department, location, or the user’s specific responsibilities.
This strategy also makes it easier for administrators to manage which users have access to sensitive documents, records, and programs and allows them to set permissions based on a user's role instead of managing permissions for each user individually.
Additional benefits include:
RBAC and other access control mechanisms can also be used to grant or deny access to stored data based on consumer consent directives. This helps organizations adhere to data privacy regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
With RBAC, users in a system are only granted access to information that directly relates to their role in the system. Access is granted based on factors such as authority, responsibility, and competence. Using RBAC, employees can only access the information needed to effectively perform their jobs.
For example, an entry-level IT department employee doesn't need access to sensitive financial documents to perform their job, but a senior manager working in the sales department does.
All RBAC models contain the following core elements:
RBAC allows administrators to create, assign, and control access permissions for each role within a system.
Permissions specify what a user can access and what they can do in a system based on their role in the organization. For example, access permissions for confidential payroll documents might include:
After a role is defined, permissions are assigned accordingly.
Note that while often easy to implement, RBAC is a static form of authorization and cannot be easily updated when organization access policies change.
PBAC is an authorization approach that uses policies to determine user access privileges. Similar to how RBAC works, user roles and the associated permissions are reviewed to determine access, but additional attributes are also evaluated.
In large organizations, it’s not always possible to create roles for each combination of access privilege, and some things, such as sign-on time of day or location, cannot be captured using RBAC. With PBAC, access is not only determined by role and associated permissions, but also by a variety of other attributes, providing finer-grained control capabilities.
Additional benefits include:
Flexibility and speed: Administrators have greater control over the level of access and can add, remove, or edit permissions to a large number of users at once.
Adaptability: Policies can address a wide range of dynamic attributes and contextual controls, such as time or location-bound access restrictions.
Observability: Policies are human-readable and make it easier to view the relationship between identities and resources.
Administrators create access policies based on user roles and attributes and establish rules regarding these roles and attributes that dynamically determine access. Decisions are made according to context and risk when access is requested.
These policies also determine which permissions they have after they access the resource. They can determine whether users only have read-access, or whether they can make changes to the item or share it with others.
Policies can be based on a wide variety of different attributes, including:
Name
Organization
Job title
Security clearance
Owner
Creation date
File type
Time of day
Location of access
Threat level
PBAC gives administrators the flexibility to add fine-grained access control to online resources based on policies and rules. While more powerful and flexible, PBAC methods are also often more complex and expensive to implement than RBAC methods.
ABAC is an authorization approach that uses attributes, or characteristics, to dynamically determine user access privileges.
Similar to PBAC, administrators create access policies based on user roles and attributes and establish rules regarding these roles and attributes that dynamically determine access. Decisions are made according to context and risk when access is requested.
However, PBAC focuses on policies that grant or deny user access to a resource, and ABAC focuses on the specific attributes that influence the policies.
Benefits of using ABAC include:
Granularity: Because it uses attributes rather than roles to specify relationships between users and resources, administrators can create precisely targeted rules without needing to create additional roles.
Flexibility: Rather than modifying rules or creating new roles, administrators need only assign the relevant attributes to new users or resources.
Adaptability: Administrators can modify attributes and create context-sensitive rules to meet their needs.
With ABAC, when users attempt to access resources, policies enforce access decisions based on the attributes of the subject, resource, action, and environment involved.
Attributes can include:
Like PBAC, administrators have fine-grained access control to online resources based on policies and rules. And like PBAC, ABAC are more powerful and flexible than RBAC methods, ABAC methods are also often more complex and expensive to implement.
Important similarities and differences between the three authorization methods include:
RBAC grants access based on user roles, PBAC grants access based on policies, and ABAC grants access based on attributes, or characteristics, of the user, resource, and environment involved during sign-on.
Like PBAC, ABAC provides a more fine-grained, dynamic approach to authorization than RBAC, and is more complex and expensive to implement.
However, they also lead to better security, flexibility, improved customer experience, and better regulatory compliance than using RBAC, which is not designed to provide the same data access governance and authorization.
PBAC focuses on policies that grant or deny the end user access to a resource, and ABAC focuses on the specific attributes that influence the policies.
Privileged access management (PAM) uses a combination of people, processes, and technology to safeguard the capabilities of administrators and power users and defend against those who could sabotage a system with a privileged account.
Every technology system maintains security by allocating its users with different levels of access. The principle of least privilege (POLP) dictates that standards users should have the minimum access to the roles and permissions required to perform their work and nothing more.
Administrators have the power to make significant changes to the overall environment, such as adding or deleting users, upgrading and installing hardware and software, performing troubleshooting, backing up data, and managing network security.
Because administrators have the power to significantly alter a network environment, only the most trusted users should have access to these types of accounts. PAM is a form of role-based access control (RBAC), and an essential component of an overall Identity and Access Management (IAM) security protocol.
Privileged access users have access to highly sensitive and restricted parts of a technology system that are off-limits to standard users. If a person with malicious intent gets access to a privileged account, it could wreak havoc on a system, with major security and operational consequences.
The concept of PAM helps protect against this possibility by adding additional layers of protection to privileged accounts, and there are several different ways to use it:
Related
Resources
Start Today
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a free demo
Thank you! Keep an eye on your inbox. We’ll be in touch soon.