ABAC vs. PBAC: The Advantage of PBAC Over the Traditional ABAC

Oren Harel
June 24, 2020

IAM managers and architects who are sick of managing thousands of roles for hundreds of users need a better way to provide authorization to enterprise assets. Traditional Role Based Access Control approaches are failing: bloated with legacy users and vulnerable to ‘role explosion’. Something new is needed that gives specific users access to what they need, when they need it.

The first solution that’s often considered is Attribute Based Access Control (ABAC). ABAC is a fine-grained access management approach in which the decision to approve or deny a request for specific information is made by evaluating defined rules against attributes of the user, the action, the resource, or the environment.

For example, a bank teller would need to be granted access to a requesting client’s account records. This ought to happen from the branch IP address, during the bank’s regular daily work hours, when supplied with the identification of the client and their account number.

In order to allow access from other branches or by telephone, other security processes may need to be completed beforehand. Usually, these processes consist of a series of questions specific to the client, and perhaps the client would instead need to speak with a personal banker, who holds a role with a higher security clearance level.

Sounds great, right? Well, almost.

The Problem with ABAC

Even though Attribute Based Access Control may seem the obvious choice, it does have its own issues:

Problem 1: IT teams are required for deployment and system maintenance

  • As the number of attributes grows under an Attribute Based Access Control approach, so does the complexity of defining each attribute associated with an individual user, which makes access management for an entire enterprise ever harder.

Problem 2: Business teams are isolated, with limited visibility

  • Placed out of the loop, business leaders are highly dependent on the IT department to implement the key authorization decisions they make. This widens the distance between those in leadership roles and those in IT.

Problem 3: ABAC can't be coded in plain language

To create and edit attributes and rules with ABAC, you’ll need to be an expert in XACML, an extremely complex, dated language. This makes development a very time-consuming process.

Understanding the Advantages of PBAC

The answer to these issues? A new approach called ‘Policy Based Access Control’ (PBAC). PBAC is an approach in which roles and attributes are combined with logic to create flexible, dynamic control policies. Like ABAC, it uses a number of attributes to determine access rights, so it also provides “fine-grained” access control. PBAC is designed to support all manner of access devices and is generally considered the most flexible authorization solution.

Other advantages of PBAC include:

Transparency and visibility for the business team

  • By simplifying the authorization procedures, management no longer has to stay on the sidelines overseeing the Identity and Access Management processes. Business leaders now have the full capacity to ensure that business logic is applied securely, not only to control access but also to evaluate what information was accessed after entry to the system was granted. PBAC’s capabilities keep the sharing of resources and data simple and safe: suppliers, freelancers and collaborators can be given the access they need to specific files under pre-assigned constraints, for example a limited time period.

Plain Language Coding

  • Through an easy-to-use interface, managers are placed firmly in control of implementing and changing authorization policies in real time. By quickly and efficiently defining access permissions and their parameters, business leaders can decide for themselves who has access, when access is granted and from where, without needing deep IT knowledge, creating standardized policies across the organization.

Flexibility to be used as a Fine Grained or Coarse Grained Solution

  • PlainID’s dynamic PBAC system combines the methodologies of both Role Based and Attribute Based Access Control systems. Both statements such as “All employees can have access to completed past campaigns” and “Only the employees that work on specific client campaigns can have access to those clients’ completed past campaigns” are supported. Roles still help set policies, but without the traditional restriction of rights applied per resource; instead, logic defines the policies. Thousands of rules can be condensed into just hundreds of policies about the users and what information they have the clearance to access, which are far easier to oversee and maintain.
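As an added example (not PlainID’s product, and not code from this post), here is a minimal policy decision point in Python that expresses both of the post’s scenarios as policies over subject, action, resource and environment attributes: the bank-teller rule from the opening example (own-branch account, from the branch network, during working hours, with the client identified) and the two campaign statements above, where a narrow deny for client-specific campaigns overrides the broad “all employees” permit. The attribute names, the branch address range 10.20.0.0/16 and every request value are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs       # who is asking: role, branch, employee flag, assigned_clients ...
    action: str          # what they want to do
    resource: Attrs      # what they want it on: type, branch, status, client ...
    environment: Attrs   # context of the request: source_ip, time, client_verified ...


@dataclass
class Policy:
    name: str
    effect: str                            # "permit" or "deny"
    condition: Callable[[Request], bool]   # business logic over the four attribute sets


class PolicyDecisionPoint:
    """Deny-overrides combining: a matching deny wins, otherwise a matching permit,
    otherwise default deny. A policy that cannot be evaluated because an attribute it
    needs is missing makes the whole decision 'deny' (fail closed) instead of raising."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies

    def decide(self, req: Request) -> Tuple[str, List[str]]:
        matched: List[Policy] = []
        for policy in self.policies:
            try:
                if policy.condition(req):
                    matched.append(policy)
            except (KeyError, ValueError, TypeError) as exc:
                return "deny", [f"indeterminate:{policy.name}:{type(exc).__name__}"]
        names = [p.name for p in matched]
        if any(p.effect == "deny" for p in matched):
            return "deny", names
        if any(p.effect == "permit" for p in matched):
            return "permit", names
        return "deny", names   # nothing applied: default deny


BRANCH_NETWORK = ip_network("10.20.0.0/16")   # constructed: the branch's address range


def teller_on_site_in_hours(req: Request) -> bool:
    """Teller may read an account of their own branch, from the branch network, on a
    weekday between 09:00 and 17:00, once the client has been identified."""
    if not (req.subject.get("role") == "teller" and req.action == "read"
            and req.resource.get("type") == "account"
            and req.resource.get("branch") == req.subject.get("branch")):
        return False                                   # policy is not about this request
    when: datetime = req.environment["time"]           # required: KeyError if absent
    return (ip_address(req.environment["source_ip"]) in BRANCH_NETWORK
            and when.weekday() < 5 and 9 <= when.hour < 17
            and req.environment.get("client_verified") is True)


def employee_reads_completed_campaign(req: Request) -> bool:
    """'All employees can have access to completed past campaigns.'"""
    return (req.subject.get("employee") is True and req.action == "read"
            and req.resource.get("type") == "campaign"
            and req.resource.get("status") == "completed")


def not_assigned_to_clients_campaign(req: Request) -> bool:
    """'Only the employees that work on specific client campaigns can have access to
    those clients' campaigns': a deny that overrides the broad employee permit."""
    client = req.resource.get("client")
    return (req.resource.get("type") == "campaign" and client is not None
            and client not in req.subject.get("assigned_clients", ()))


def build_pdp() -> PolicyDecisionPoint:
    return PolicyDecisionPoint([
        Policy("teller-reads-own-branch-accounts-on-site", "permit", teller_on_site_in_hours),
        Policy("employees-read-completed-campaigns", "permit", employee_reads_completed_campaign),
        Policy("client-campaigns-only-for-assigned-staff", "deny", not_assigned_to_clients_campaign),
    ])


def run_scenarios() -> Dict[str, str]:
    """Constructed requests: the permit path, each failing attribute, a missing attribute,
    and the deny-overrides interaction. Returns scenario name -> decision."""
    pdp = build_pdp()
    teller = {"role": "teller", "branch": "B-12"}
    account = {"type": "account", "branch": "B-12", "number": "000123"}
    ok_env = {"source_ip": "10.20.4.17", "time": datetime(2020, 6, 24, 10, 30), "client_verified": True}
    employee = {"employee": True, "assigned_clients": ["acme"]}
    done = {"type": "campaign", "status": "completed"}
    scenarios = {
        "teller_in_branch_in_hours": Request(teller, "read", account, ok_env),
        "teller_from_outside_network": Request(teller, "read", account, {**ok_env, "source_ip": "203.0.113.5"}),
        "teller_after_hours": Request(teller, "read", account, {**ok_env, "time": datetime(2020, 6, 24, 20, 0)}),
        "teller_client_not_verified": Request(teller, "read", account, {**ok_env, "client_verified": False}),
        "teller_missing_time_attribute": Request(teller, "read", account, {"source_ip": "10.20.4.17", "client_verified": True}),
        "employee_completed_internal_campaign": Request(employee, "read", done, {}),
        "employee_completed_assigned_client": Request(employee, "read", {**done, "client": "acme"}, {}),
        "employee_completed_unassigned_client": Request(employee, "read", {**done, "client": "globex"}, {}),
        "employee_in_progress_campaign": Request(employee, "read", {**done, "status": "in_progress"}, {}),
    }
    return {name: pdp.decide(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{decision:6}  {name}")
```

Two design points are worth noticing. First, the client-campaign rule is a single policy over the `assigned_clients` attribute rather than one role per client, which is the ‘role explosion’ the post opens with. Second, the decision point fails closed: a request that lacks an attribute a policy needs is denied outright rather than silently skipping that policy, because skipping a deny policy would quietly widen access.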

Policy Based Access Control simplifies the identity and authorization process by applying business logic to the access management approach.
