20 December 2021
IAM managers and architects who are tired of managing thousands of roles for hundreds of users need a better way to provide authorization to enterprise assets. Traditional Role Based Access Control (RBAC) approaches are failing: bloated with legacy users and vulnerable to ‘role explosion’. Something new is needed that gives specific users access to what they need, when they need it.
The first solution that’s often considered is Attribute Based Access Control (ABAC). ABAC is a fine-grained access management approach whereby the decision to approve or deny an access request to specific information is based on defined rules over attributes of the user, the action, the resource, or the environment.
For example, a bank teller would need to be granted access to a requesting client’s account records. This ought to happen from the branch IP address, during the bank’s regular daily work hours, when supplied with the identification of the client and their account number.
In order to allow access from other branches or by telephone, other security processes may need to be completed beforehand. Usually these processes consist of a series of questions specific to the client, and perhaps the client would instead need to speak with a personal banker, who holds a role with a higher security clearance level.
Sounds great, right? Well, almost.
The Problem with ABAC
Even though Attribute Based Access Control may seem the obvious choice, it does have its own issues:
Problem 1: IT teams are required for deployment and system maintenance
Problem 2: Business teams are isolated, with limited visibility
Problem 3: ABAC can't be coded in plain language
To create and edit attributes with ABAC, you’ll need to be an expert in XACML (eXtensible Access Control Markup Language), an extremely complex, dated language. This makes development a very time-consuming process.
Understanding the Advantages of PBAC
The answer to these issues? A new approach called ‘Policy Based Access Control’ (PBAC). PBAC is an approach in which roles and attributes are combined with logic to create flexible, dynamic control policies. Like ABAC, it uses a number of attributes to determine access rights, so it also provides “fine-grained” access control. PBAC is designed to support all manner of access devices and is generally considered the most flexible authorization solution.
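As an added illustration (this is not PlainID’s code or product, and not part of the original post), here is a small Python policy evaluator that expresses the bank-teller scenario above in the PBAC style just described: each policy is a role check combined with attribute conditions on the source address, the time of day, the client identification supplied with the request, and whether the extra telephone security questions were passed. The branch network range, working hours, policy names and request field names are all assumptions made for the example; the requests at the bottom are constructed.

```python
"""Minimal PBAC-style evaluator for the bank-teller scenario (constructed example)."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Assumed for the example: the branch's address range and its regular working hours.
BRANCH_NETWORK = ip_network("10.20.0.0/16")
OPENING, CLOSING = time(9, 0), time(17, 0)


@dataclass(frozen=True)
class Request:
    """One access request: who (subject), what (action), on what (resource), in what context."""
    subject: dict
    action: str
    resource: dict
    environment: dict


@dataclass(frozen=True)
class Policy:
    """A policy: a role/action match plus attribute conditions evaluated against the request."""
    name: str
    roles: frozenset
    actions: frozenset
    conditions: tuple          # callables Request -> bool; all must hold for the policy to apply
    effect: str = "permit"     # "permit" or "deny"


# Attribute conditions (environment, resource and subject attributes).
def from_branch(req: Request) -> bool:
    return ip_address(req.environment["source_ip"]) in BRANCH_NETWORK


def during_work_hours(req: Request) -> bool:
    return OPENING <= req.environment["time_of_day"] < CLOSING


def client_identified(req: Request) -> bool:
    # The identification supplied must match the record being requested.
    supplied = req.environment.get("client_identification", {})
    return (supplied.get("client_id") == req.resource["client_id"]
            and supplied.get("account_number") == req.resource["account_number"])


def security_questions_passed(req: Request) -> bool:
    return req.environment.get("security_questions_passed") is True


READ = frozenset({"read_account_records"})
POLICIES = (
    Policy("teller-in-branch", frozenset({"teller"}), READ,
           (from_branch, during_work_hours, client_identified)),
    Policy("teller-remote-after-verification", frozenset({"teller"}), READ,
           (during_work_hours, client_identified, security_questions_passed)),
    Policy("personal-banker", frozenset({"personal_banker"}), READ,
           (client_identified,)),
)


def evaluate(req: Request, policies=POLICIES) -> tuple:
    """Deny-overrides combining: any applicable deny wins, else the first applicable permit,
    else default deny. Returns (decision, policy name or reason)."""
    decision, reason = "deny", "no applicable policy (default deny)"
    for p in policies:
        if req.subject.get("role") not in p.roles or req.action not in p.actions:
            continue
        if all(cond(req) for cond in p.conditions):
            if p.effect == "deny":
                return "deny", p.name
            if decision != "permit":
                decision, reason = "permit", p.name
    return decision, reason


def run_scenarios() -> dict:
    """Constructed requests covering the cases in the text; returns (decision, reason) per case."""
    record = {"client_id": "C-1001", "account_number": "ACC-77"}
    good_id = dict(record)
    wrong_id = {"client_id": "C-1001", "account_number": "ACC-99"}
    teller = {"id": "u-teller", "role": "teller"}
    banker = {"id": "u-banker", "role": "personal_banker"}
    env = lambda ip, t, ident, **extra: {"source_ip": ip, "time_of_day": t,
                                         "client_identification": ident, **extra}
    scenarios = {
        "teller_in_branch_hours": Request(teller, "read_account_records", record,
                                          env("10.20.5.7", time(10, 30), good_id)),
        "teller_in_branch_after_hours": Request(teller, "read_account_records", record,
                                                env("10.20.5.7", time(19, 0), good_id)),
        "teller_other_branch_unverified": Request(teller, "read_account_records", record,
                                                  env("10.30.1.1", time(10, 30), good_id)),
        "teller_telephone_verified": Request(teller, "read_account_records", record,
                                             env("203.0.113.9", time(10, 30), good_id,
                                                 security_questions_passed=True)),
        "teller_wrong_account": Request(teller, "read_account_records", record,
                                        env("10.20.5.7", time(10, 30), wrong_id)),
        "personal_banker_other_branch": Request(banker, "read_account_records", record,
                                                env("10.30.1.1", time(19, 0), good_id)),
    }
    return {name: evaluate(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (decision, why) in run_scenarios().items():
        print(f"{name:32} {decision:6} ({why})")
```

The point of the shape is that the business rule in the text (“from the branch, during work hours, with the client identified; otherwise only after extra verification or through a personal banker”) reads almost verbatim in the policy table, and the default-deny, deny-overrides combining in `evaluate` is the part worth keeping constant when policies are added.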
Other advantages of PBAC include:
Transparency and visibility for the business team
Flexibility to be used as a Fine Grained or Coarse Grained Solution
Policy Based Access Control simplifies the identity and authorization process by applying business logic to the access management approach.