Blog

Coarse-Grained and Fine-Grained Authorization

Oren Harel
October 31, 2019

One of the factors that distinguishes IAM solutions from each other is their granularity, or the amount of specificity each supports  in Authorization decisions. For example, a solution that bases decisions solely on users’ organizational positions (e. g., “Salespeople may access application X but not application Y”; has  less granularity than one that supports greater precision in permissions. ( e.g. “ All salespeople may read the sales data but only managers may add items to it and only the CEO is allowed to alter figures”). Enterprises generally prefer finer-grained solutions because they offer greater control in granting access rights than coarse-grained ones, but every company’s needs are unique.

Early Approaches to Fine-Grained Authorization

The first Authorization solutions were actually quite fine-grained, although that phrase did not exist at the time. The oldest approach to Authorization, Access Control Lists (ACLs) set access to resources per user (e.g., “Janet can access these applications; Steve can access those”) rather than by user type. ACLs made sense for small companies, especially ones where most directories could be accessed by most workers. However, they became outdated due to maintenance problems, such as the time required to deal with users access to growing numbers of resources. 

Role-Based Access Control (RBAC) appeared to solve this problem. By creating user roles and then assigning one or more roles to each user, RBAC became the standard Authorization solution in the 1990s, and is still used in many corporations. Roles can be either coarse-grained or fine-grained, depending on the amount of access a company wants to give posessers of a role, For example, consider two companies that employ Customer Service Representatives (CSRs). In one company, all CSRs, including managers, may see subscriber balances but not refund any fees. In the other, supervisors can both view balances and refund fees, whereas regular CSRs can only view balances, and only for their team related subscribers. The first company’s Authorization solution is coarse-grained, as it only allows one level of access to data while the second company’s fine-grained, supporting various levels of access to data. 

Initially RBAC seemed to meet companies’ needs, but soon problems emerged because RBAC does not scale well; maintaining roles becomes challenging as more resources are added to networks, causing  role explosion. It is very easy to create many roles that vary by just one or two permissions, and users accrue permissions as they change positions, reducing the overall security controls.

But coarse-grained RBAC has deeper issues. First, it can be too rigid: if a worker legitimately needs temporary access to resources that are “outside” their given role, coarse-grained RBAC has no simple way to allow it, thus obstructing legitimate business needs. Corse-grained RBAC can also increase your  risk exposure, because it supports only a static Authorization methodology that cannot limit access by any factor beyond role alone. It must therefore either grant access to a resource 24/7 or not at all. For example, it cannot be used to grant access only during your specified business hours or from only specific geographical locations. Thus, a company that uses coarse-grained RBAC may have to expose itself to unnecessary risk in order for employees or partners to do their jobs.  

Finally, coarse-grained solutions are not well applied in today’s business environment, which includes the cloud with its Authorization challenges, as well as changing business models, such as B2B, which may involve granting non-employees access to part of the organization assets. Companies facing these kind of challenges need a fine-grained answer to access needs.

Better Types of Authorization 

In response to these needs and others, fine-grained Authorization emerged, namely Attribute-Based Access Control (ABAC) and Policy-Based Access Control (PBAC)

Despite some differences between them all fine-grained access control solutions have a number of similarities. First, they all permit multiple criteria, such as department, job code, time of day, project status, server status, certification status, risk score, IP address, or even user location to be used as input for Authorization decisions.  Using varied criteria for Authorization increases the security of the IAM solution because it allows greater control of the circumstances under which permissions are granted. At the same time, a specific fine-grained policy may authorize a cross-company team to access resources normally outside of their usual responsibilities.

Fine-grained Authorization supports policies that enable decisions about access to both the data level and the field level, in addition to functionality whereas coarse-grained solutions only relate to functionality . We saw that in the examples of the CSRs and managers above -- granting rights to certain CSRs to see balance data can be done by comparing the team they are assigned to, with the team of the subscriber. Another practical example of fine-grained Authorization would be access to specific fields in customer records. With a fine-grained solution, a company could grant an account manager and a compliance officer permission to view a customer’s general information, such as their name, but allow only the compliance officer to see personal information such as the customer’s gender or address. 

Finally, fine-grained systems are ideal for today’s cloud-based business environments, as well as supporting B2B practices such as granting third parties limited access to part of the organizational assets . In both cases, it is essential to balance a company’s security needs with allowing controlled access to organizational  assets by unknown third-parties. In cases like these, only fine-grained Authorization solutions will do.

PBAC: The Best of the Fine-Grained Solutions

  • Of the fine-grained Authorization solutions, PBAC offers the clearest advantages. In addition to supporting a wide variety of flexible Authorization policies, Policy-Based Access Control:

  • Supports creating access control rules using natural language, making it easier to set and implement policies. This ease of use enables business owners to create policies that make business sense rather than the common practice of leaving Authorization to IT.

  • Reduces the amount of access decisions your organization must manage and govern, often by over 50%, supporting a much more efficient audit and compliance process.
  • Enables enterprises to fully embrace recent industry standards such as Zero Trust and CARTA.
  • Provides a virtualization layer between business and technology, enabling the access decisions to be managed independent of, or with limited reliance on, the underlying technology. This allows PBAC to support current access rules, and to streamline the transition to a modernized approach.

PlainID’s SmartAuthorization platform supports coarse-grained and fine-grained Authorization schemas. Although this blog has focused on fine-grained Authorization to show how it solves some of today’s toughest IAM issues, the PlainID solution itself  is granularity-neutral. We offer a comprehensive, unified approach, meeting all your access management needs with a single platform that supports defining, implementing, and controlling all authorization schemas, regardless of their granularity.  

Click here to arrange a consultation with the industry leader in PBAC solution design and implementation. 

Most popular posts