Blog Blog

    Fine-Grained Authorization and Other Key IAM Terms

    Gal Helemski February 20, 2019
    Fine-Grained Authorization and Other Key IAM Terms

    The world of Identity and Access Management (IAM) has a language of its own which is continually evolving as new technologies emerge and security threats change.

    While the list of “must-know” terms is too long to cover in a single blog, here are some to incorporate into your vocabulary as you evaluate which IAM solution is best for your organization.


    1. Access Management

    The policies used to determine which users can access which resources (e.g., files, networks, applications, fields on a Web page). The main access management solutions used today are User Access Lists, Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC).

    2. Access Governance

    Access Governance involves not only setting policy but adding the visibility to see which resources each user has access to in order to ensure that access rights are actually effective. Additionally, as the Identity Management Institute explains, access governance is concerned with “managing risks and ensuring compliance in a consistent, efficient and effective manner” 

    3. User Access Lists

    UAL are lists that specify which users can access which resources (e.g., files, network, applications, fields on Web page). Requires either a list of users per resource and/or a list of resources per user.

    4. Authorization

    A permission to access a resource (e.g., file, network, application, a field on Web page, etc.) to a user whose identity has already been authenticated, Authorization is an important business decision that management should make but all too often, it is left to a company’s IT department because it is very technical.

    5. Authentication

    Validating that someone is who they claim to be. Usually requires a username and a password; may require a biometric characteristic or the correct answer to a question. Does not authorize access to any resources, only validates identity.

    6. Attributes

    Characteristics of a user or user’s environment that are relevant to determining access rights (e.g., job, location, time of day). Used in ABAC and PBAC.

    Read More About Attributes: 3 Types of Attributes IAM Professionals Need to  Understand
    7. RBAC (Role-Based Access Control) 

    Authorization solution in which roles are created with specific permissions per resource (e.g., file, network, application, a field on Web page),and users are matched to one or more roles. Because it breaks the user population into roles and bases all access rights only on these roles, RBAC’s authorization is said to be “coarse-grained,” as opposed to the “fine-grained” access control permitted by ABAC and PBAC.

    8. ABAC (Attribute-Based Access Control)

    Authorization solution in which a user’s position in the company is only one factor for determining their access rights; other attributes could be user location and time of day. ABAC solutions generally use Boolean logic as well as XACML. Because it supports making decisions based on more than one factor, ABAC is a “fine-grained” approach to Authorization .

    9. PBAC (Policy-Based Access Control)

    Authorization solution in which roles and attributes are combined with logic to create flexible, dynamic control policies. Like ABAC, it uses a number of attributes to determine access rights, so it also provides “fine-grained” access control. PBAC is designed to support all manners of access devices and is generally considered the most flexible Authorization solution.

    10. Fine-Grained Authorization 

    Approach to Authorization that has a high degree of specificity and in which access rights may vary by conditions at run-time. For example, a fine-grained Authorization solution might grant a salesperson in a certain region, working on a certain project, access to specific files during work hours via a secure network but never after hours or via unsecured WiFi.

    11. XACML (eXtensible Access Control Markup Language)

    Standards based language used to define a fine-grained, attribute-based access control policy. Generally used with ABAC solutions, but can be used with RBAC as well.

    12. OAUTH (Open Authorization)

    Open standard used as a way for Internet users to grant one website or application access to their information on another website without transmitting the password for the second site.

    13. Role explosion

    Main problem in RBAC implementations. “Role explosion” occurs when there are many similar but slightly different roles being administered by an IAM solution. For example, a company can create any number of roles whose access rights differ for only one or two folders. As the number of resources and roles grows, maintenance time and effort will increase significantly.

    14. Access creep

    Tendency for users to acquire too many permissions the longer they work at a company, because they do not lose previous permissions as they switch to new positions. For example, a programmer will gain new permissions if they becomes a salesperson without necessarily losing their old permissions. If this occurs by inertia, not design, “access creep” has occurred.  

    15. EAM (Externalized Authorization Management)

    Access management solution for enterprise systems that enables a much more agile way to provide authorization across the entire enterprise. Given the complexity of IAM, especially for growing companies, it’s no wonder that more and more business leaders are using EAMs to create Authorization solutions for their companies.

    16. Zero Trust 

    A cyber security framework that treats every user and every access request as potentially dangerous. Zero trust solutions use a trust engine that quantifies the riskiness of granting each access request, based on stored data. A separate policy engine determines whether the level of risk returned by the trust engine is acceptable or not, with the solution’s enforcement component implementing the decision.

    Read About The Evolution of Authorization

    Subscribe to our blog Posts