
PBAC vs RBAC: Why Role Based Access Control is not Enough

Gal Helemski
February 23, 2020

Authorization, the process of determining who can access what, has been evolving steadily since the 1980s. Today, flexible, dynamic Policy Based Access Control platforms help secure an ever-increasing volume of data against ever-evolving cyber-threats.

The Evolution of Authorization

Role Based Access Control (RBAC):

RBAC was introduced in 1992 to address inadequacies in computer security. RBAC creates a role for each organizational function, gives each role permission to access certain resources, and links users to roles.

Roles give RBAC a flexibility that ACLs lack. Changes to a role’s permissions automatically update the permissions of every user holding that role. If a user changes role, their permissions change with them.

But RBAC still has many drawbacks, among them:

  • Coarse Grained and Static: RBAC limits authorization based only on a user’s role, ignoring other salient attributes such as time, location, or device. It has fixed access rights, with no provision for temporary changes (e.g. a worker in one department temporarily assigned to another).
  • Role Explosion: As companies expand, many similar but slightly different roles are defined, often by the thousands or tens of thousands. It may be hard to tell how they differ, or how to assign them correctly. It may also be hard to track the roles of users who change roles or leave, so unneeded permissions may never be revoked, creating a security risk as well as compliance and audit issues.

RBAC can’t be amended quickly in emergencies, can’t grant permissions based on time or location, and users may be left with unnecessary permissions. These problems create serious security issues, making compliance with GDPR and other security regulations difficult.

Policy Based Access Control (PBAC):

PBAC has the flexibility to be Fine Grained or Coarse Grained: PBAC supports environmental and contextual controls, so policies can grant access to resources only at certain times and from certain locations, and can even evaluate relationships between identities and resources. Policies can be adjusted quickly and set for a given period of time (for example in response to a breach or other emergency). Groups of users can be added, removed, or amended with ease, and obsolete permissions revoked with a click.
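To make the contrast concrete, here is an added illustration (not PlainID’s code, and not a real policy engine) of the RBAC drawbacks listed above beside a PBAC-style evaluation. The users, roles, ledger resources, office hours and the permit-overrides combining rule are all constructed assumptions for the example: the RBAC check sees only roles, while the PBAC policies also see time, device, location, a temporary assignment’s expiry, and the owner relationship between identity and resource.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical organisation, not from any real deployment).
ROLE_PERMISSIONS = {
    "analyst": {("ledger", "read")},
    "manager": {("ledger", "read"), ("ledger", "approve")},
}
# Role grants; "until" marks a temporary assignment (e.g. cover for another department).
ASSIGNMENTS = {
    "alice": [{"role": "analyst", "until": None}],
    "bob": [{"role": "manager", "until": datetime(2020, 3, 1, tzinfo=timezone.utc)}],
}
LEDGER_OWNERS = {"ledger-42": "alice"}  # identity-to-resource relationship


def rbac_allows(user, resource_type, action):
    """Static RBAC: only the user's roles matter; context and expiry are invisible."""
    return any((resource_type, action) in ROLE_PERMISSIONS[g["role"]]
               for g in ASSIGNMENTS.get(user, []))


def roles_at(user, now):
    """Roles that are actually in force at evaluation time (temporary grants expire)."""
    return {g["role"] for g in ASSIGNMENTS.get(user, [])
            if g["until"] is None or now < g["until"]}


# PBAC policies: each receives the request and the environment and returns True to permit.
def office_hours_read(req, env):
    return (req["action"] == "read" and "analyst" in roles_at(req["user"], env["now"])
            and 9 <= env["now"].hour < 18 and env["device"] == "managed")


def manager_approve_at_hq(req, env):
    return (req["action"] == "approve" and "manager" in roles_at(req["user"], env["now"])
            and env["location"] == "HQ")


def owner_full_access(req, env):
    return LEDGER_OWNERS.get(req["resource"]) == req["user"]


POLICIES = [office_hours_read, manager_approve_at_hq, owner_full_access]


def pbac_allows(req, env):
    """Permit-overrides combining: any matching policy grants; otherwise deny by default."""
    return any(policy(req, env) for policy in POLICIES)
```

Note that the RBAC check keeps granting Bob "approve" after his temporary manager assignment has lapsed, because it has no notion of time; the PBAC evaluation denies it once the grant expires.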

PBAC can be coded in any language: PlainID’s Policy Manager has a flexible architecture, so you can not only code in the language your company prefers, but also use an easy-to-use GUI for quickly writing, reviewing, testing and implementing even the most complex access policies. By contrast, XACML, the standardized Attribute Based Access Control language, requires specific coding skills and can’t be used or understood by people who aren’t experienced programmers.

PBAC gives transparency and visibility: Visualising the relationship between identities and resources is the first step in setting a strong access management policy. PBAC gives administrators a clear view of who is authorized to do what, across all organizational assets. It also provides full and transparent visibility for compliance with GDPR and other relevant regulations. As a result of these strengths, PBAC closes the security gaps left by RBAC, enhances your cybersecurity and delivers a proactive response to data and privacy regulation compliance.

To Wrap it Up:

“Companies that haven’t solved for access control are not only putting themselves at risk -- they are also suboptimizing every dollar of their cybersecurity spend.” - Richard Bird, Forbes Technology Council

RBAC has dominated access control since the 1990s, but it doesn’t suit the needs of today’s fast-paced, diverse, cloud-based environments.

By contrast, PlainID’s PBAC platforms offer contextual, fine-grained access control, comprehensive lifecycle management, zero trust architecture, and total visibility, together with an easy-to-use GUI for writing and managing complex access policies without code. PBAC offers a proactive approach to compliance and gives the best access control for cybersecurity needs, all without interrupting the workflow of legitimate users.
