20 December 2021
Identity and Access Management (IAM) solutions vary in their approach to Authorization, with the preferred method often being Role-Based Access Control (RBAC). RBAC involves defining the roles a company needs, specifying permissions per role, and then matching users to roles. Although logical, RBAC has some limitations. Firstly, whenever a company adds a resource, access rights for that resource must be defined per role, making RBAC difficult to maintain. This problem is compounded because companies often create many very detailed roles, each differing by access rights to only one or two resources. Secondly, because of the great number of technical details involved, IT is usually responsible for Authorization in companies that use RBAC. This makes management dependent on IT when implementing an important business decision.
Lastly, although RBAC solutions are detailed, they are static and coarse-grained, ignoring factors such as time or location. As more companies support access via smartphones and the cloud, experts like Avi Chesla note, “Today, network access must be dynamic and fluid, supporting identity and application-based use cases.”
Attribute-Based Access Control (ABAC) goes beyond RBAC, addressing many of its limitations. ABAC uses fine-grained access control, considering a number of user attributes, including the location or time of the request, to determine access rights.
ABAC solutions generally use Boolean logic. This lets ABAC solutions effectively define access policy without using roles. For example, a company can define a group called “Management” and allow only its members to access certain files. With RBAC, this would require coding access rules about those files for every role. The difference in maintenance between the two approaches adds up quickly. Additionally, by not using roles, ABAC avoids “role explosion”; but where there is a reduction in the number of roles that need to be administered, there is a correspondingly larger number of rules that now need to be managed (“rule explosion”).
Policy-Based Access Control (PBAC) is another step forward, combining the strengths of RBAC and ABAC. Like RBAC, it has roles, but they are only one factor in setting policies and do not require specific permission rights per resource, as they do in an RBAC system. This simplifies the creation and maintenance of Authorization policies.
Like ABAC, PBAC uses logic to define policies. PBAC policies can be altered or implemented at run time, making it the most flexible solution. Using a graphical user interface, managers interact with their policies via a tailored administration workflow, rather than being dependent on IT. Thus, PBAC not only simplifies Authorization but returns IAM policy making to the right hands - management’s.
PBAC is especially useful when a company wants to give third-parties access to some resources under specific circumstances, such as B2B delegation or use of a company portal.
B2B delegation: A company may want to let one or more other companies consume some services or data. For example, ABC Pharmaceuticals wants to let doctors and other staff at different hospitals view certain data. Using PBAC, ABC could define a role for each group of hospital personnel and authorize each to access specific data.
Use of a company portal: Companies with portals (e.g., supplier portals, partner portals) need to share multiple types of content with multiple users. For example, a defense contractor could use PBAC to manage access rights. This would allow different suppliers or customers to sell or purchase different products, depending on their Authorizations. PBAC is ideal for defining access rights to portals by date or time. For example, access to a press release on a portal could be timed to support a product launch. When the time comes, access is granted automatically to authorized users and guests. If needed, the time can be changed, even on the fly.
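The two use cases above, and the Boolean-logic policies described for ABAC earlier, can be made concrete with a small policy engine. This is an added example, not code from the original article or from any product: every policy, organisation, trial and release time in it is constructed, and the deny-overrides combining rule is one common choice, not the only one. Note how the "doctor" role is only one factor alongside the requester's organisation, and how retiming the press release changes a resource attribute rather than the policy.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List

@dataclass
class Request:
    subject: dict      # user attributes: roles, organisation, account status, ...
    resource: dict     # resource attributes: type, participating organisations, release time, ...
    action: str        # e.g. "read"
    time: datetime     # time of the request, an attribute like any other
@dataclass
class Policy:
    name: str
    effect: str                           # "permit" or "deny"
    condition: Callable[[Request], bool]  # Boolean logic over the whole request
def evaluate(policies: List[Policy], req: Request) -> str:
    """Deny-overrides combining: a matching deny wins, else a matching permit, else deny."""
    decision = "deny"
    for p in policies:
        if p.condition(req):
            if p.effect == "deny":
                return "deny"
            decision = "permit"
    return decision

# Constructed policies for the article's two use cases (names and values are hypothetical).
POLICIES = [
    # B2B delegation: "doctor" is one factor; the doctor's hospital must also be in the trial.
    Policy("hospital-trial-read", "permit", lambda r:
           r.action == "read" and r.resource.get("type") == "trial_data"
           and "doctor" in r.subject.get("roles", set())
           and r.subject.get("org") in r.resource.get("participating_orgs", set())),
    # Portal: a press release opens at its release time; retiming it changes only the resource.
    Policy("press-release-embargo", "permit", lambda r: r.action == "read"
           and r.resource.get("type") == "press_release" and r.time >= r.resource["release_at"]),
    # A suspended account loses access regardless of role or time.
    Policy("suspended-account", "deny", lambda r: r.subject.get("status") == "suspended"),
]

def decide_trial_read(org: str, roles: set, status: str = "active") -> str:
    """Decision for a hospital user reading ABC's (constructed) trial data."""
    req = Request({"roles": roles, "org": org, "status": status},
                  {"type": "trial_data", "participating_orgs": {"Mercy Hospital", "St. Jude"}},
                  "read", datetime(2021, 12, 20, tzinfo=timezone.utc))
    return evaluate(POLICIES, req)
def decide_press_release(request_time: str, release_at: str = "2022-01-10T14:00:00+00:00") -> str:
    """Decision for a portal guest reading a press release at the given ISO-8601 time."""
    req = Request({"roles": set(), "status": "active"},
                  {"type": "press_release", "release_at": datetime.fromisoformat(release_at)},
                  "read", datetime.fromisoformat(request_time))
    return evaluate(POLICIES, req)
```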
In all use cases, access policy is a business function, not an IT task. PBAC makes it possible for the manager in charge to build the policy via a user interface, based on data from relevant stakeholders. The policy is then tested and deployed. Currently available software makes it possible to design and implement a complete Authorization solution without writing any code. Such software makes it possible for business risk and control owners to ensure that access control follows prescribed business policies and regulations.
Fine-grained access control enables business leaders to quickly design and implement Authorization plans. The flexibility of PBAC solutions, as well as their simplicity, makes them ideal for today’s rapidly changing business environment. PBAC enables management to ensure that Authorization policies follow business logic without tying up IT’s time and resources.
PBAC also makes it possible to safely and efficiently allow authorized non-employees, such as suppliers, access to a company network or database. Combined, these capabilities make PBAC the best and most sustainable solution for controlled access to company resources. Businesses can concentrate on what is important and take advantage of the greater interconnectivity and collaboration with business partners that sharing data and resources brings, without increasing the risk of a data breach.