An introduction to data access management methodologies – ABAC, FGAC and RBAC

Discover key data access control methods – RBAC, ABAC, and FGAC. Learn how these methodologies enhance data security in the age of PoPIA compliance.


ABAC, FGAC and RBAC security approaches

Data security and access management are highly technical topics that have largely been left to the Chief Information Security Officer and his team. Yet, with PoPIA in full force, more stakeholders need to understand the basic access control approaches available to them.

  1. What is RBAC?
  2. What is ABAC?
  3. What is FGAC?
  4. The Difference between ABAC and RBAC – an example
    1. RBAC (Role-Based Access Control):
    2. ABAC (Attribute-Based Access Control):

What is RBAC?

Role-based access control (RBAC) restricts network or system access based on a person or account’s role within an organisation. The group memberships that an RBAC implementation maps to roles are commonly held in a directory service queried over LDAP, such as Active Directory.

RBAC is intended to ensure that employees only access systems that are required for them to do their jobs. Access can be based on factors such as authority, responsibility and job competency, and access to data resources can be limited to specific tasks, such as the ability to view, create, modify or delete a file.

RBAC is popular as it reduces the need to assign privileges to individuals.

However, by its nature, RBAC has limitations that affect its use for protecting sensitive information, particularly in large, complex organisations. Most critically, an RBAC decision depends only on the role a user holds; it takes no account of the attributes of the data being accessed or the context of the request. In practice RBAC is therefore enforced at the boundary of a system or application, and a role that can open a system can usually see every record within it unless a separate role is created for each subset of the data, which quickly leads to role explosion.

What is ABAC?

Attribute-based access control (ABAC) is a model that evolved from RBAC and addresses some of these shortcomings. ABAC grants access based on an evaluation of attributes, rather than on roles alone.

A central data access policy defines which combination of user (including role), object and environmental attributes is required for access.

The key benefit of ABAC is that it can express far more complex access policies, protecting individual data elements such as ID Number, Credit Score or HIV Status. Data can be protected at the row level (which records a user may see) and at the column level (which fields within those records are revealed or masked).

However, this flexibility can be hard to manage without a centralised dynamic access management platform that can identify sensitive data and apply policies dynamically, as discussed in How to Achieve Dynamic Row-Level Security with ABAC.

What is FGAC?

Fine-grained access control (FGAC) is often used as another term for ABAC, because ABAC policies can restrict access at the level of individual rows, columns or cells. Strictly, FGAC describes the granularity of the control rather than the model that produces it. RBAC, which typically grants or denies access to a whole system or application, can be thought of as coarse-grained.

The Difference between ABAC and RBAC – an example

Imagine a company with a document management system containing sensitive financial data. Both RBAC and ABAC can be used to control access to these documents, but they do it in fundamentally different ways:

RBAC (Role-Based Access Control):

  • The IT team defines roles like “Accounting Manager” and “Intern.”
  • Each role is assigned specific permissions to access documents. For instance, “Accounting Manager” can view and edit all financial documents, while “Intern” can only view basic reports.
  • A new employee, John, is assigned the “Intern” role. He can access the basic reports he needs but cannot edit sensitive documents.

ABAC (Attribute-Based Access Control):

  • The system considers various attributes for access decisions. These can include:
    • User Attributes: John’s department (Finance), job title (Intern), and security clearance level.
    • Resource Attributes: The document type (Financial Report – Confidential), creation date, and project association.
    • Environmental Attributes: Time of day and location of access attempt (trying to access from home after hours).
  • Based on these attributes, ABAC policies are defined. For example, a policy might say “Allow users from the Finance department with a minimum security clearance of Level 2 to view documents classified as ‘Financial Report – Confidential’ during business hours from the office network.”
  • John, even though assigned an “Intern” role, can still view the confidential report during business hours from the office network because his department and security clearance meet the specific requirements for that document. However, trying to access the same report from home after hours would be denied.

Here’s the key difference: RBAC relies on predefined roles, while ABAC makes access decisions based on a combination of real-time attributes. This allows ABAC to be more granular and adaptable to specific situations.
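The following is an added worked example, not code from the original post or from any product mentioned on this page. It implements the John scenario above as both an RBAC check and an ABAC rule set, and then reuses the same rule evaluator for the row- and column-level protection described under ABAC (which rows a user may see, and which sensitive columns are masked). The role table, clearance levels, the 10.0.0.0/8 office network, the timestamps, the source IP addresses and the customer rows are all constructed for illustration.

```python
"""RBAC versus ABAC on the page's example. Added illustration; every value
(roles, clearances, office network, timestamps, customer rows) is constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# ---- RBAC: the decision depends only on role, resource class and action ----
ROLE_PERMISSIONS = {  # constructed role table
    "Accounting Manager": {("financial_document", "view"), ("financial_document", "edit")},
    "Intern": {("basic_report", "view")},
}

def rbac_decide(role: str, resource_class: str, action: str) -> bool:
    return (resource_class, action) in ROLE_PERMISSIONS.get(role, set())

# ---- ABAC: the decision is a function of subject, resource and environment ----
@dataclass
class Rule:
    """Permits `actions` when every condition holds. A missing or wrongly typed
    attribute makes the rule fail closed instead of raising."""
    actions: set
    conditions: list  # callables (subject, resource, env) -> bool

    def permits(self, subject: dict, resource: dict, env: dict, action: str) -> bool:
        if action not in self.actions:
            return False
        try:
            return all(c(subject, resource, env) for c in self.conditions)
        except (KeyError, TypeError, ValueError):
            return False

def abac_decide(rules: list, subject: dict, resource: dict, env: dict, action: str) -> bool:
    """Default deny; any single permitting rule is enough (permit-overrides)."""
    return any(r.permits(subject, resource, env, action) for r in rules)

OFFICE_NETWORK = ip_network("10.0.0.0/8")  # assumed office address range

# The page's policy: Finance users with clearance >= 2 may view documents classified
# "Financial Report - Confidential" during business hours from the office network.
CONFIDENTIAL_REPORT_RULE = Rule(
    actions={"view"},
    conditions=[
        lambda s, r, e: s["department"] == "Finance",
        lambda s, r, e: s["clearance"] >= 2,
        lambda s, r, e: r["classification"] == "Financial Report - Confidential",
        lambda s, r, e: time(8, 0) <= e["time"].time() < time(18, 0),
        lambda s, r, e: ip_address(e["source_ip"]) in OFFICE_NETWORK,
    ],
)

JOHN = {"role": "Intern", "department": "Finance", "clearance": 2, "region": "Gauteng"}
CONFIDENTIAL_REPORT = {"type": "financial_document", "classification": "Financial Report - Confidential"}
OFFICE_MORNING = {"time": datetime(2024, 3, 12, 10, 30), "source_ip": "10.1.2.3"}   # constructed
HOME_EVENING = {"time": datetime(2024, 3, 12, 21, 15), "source_ip": "41.0.0.10"}    # constructed

def john_examples() -> dict:
    """RBAC denies John (an Intern) the report outright; ABAC allows it from the
    office in business hours and denies the same request from home after hours."""
    return {
        "rbac": rbac_decide(JOHN["role"], CONFIDENTIAL_REPORT["type"], "view"),
        "abac_office": abac_decide([CONFIDENTIAL_REPORT_RULE], JOHN, CONFIDENTIAL_REPORT, OFFICE_MORNING, "view"),
        "abac_home": abac_decide([CONFIDENTIAL_REPORT_RULE], JOHN, CONFIDENTIAL_REPORT, HOME_EVENING, "view"),
        # A subject record with no clearance attribute must be denied, not crash or pass.
        "abac_missing_attr": abac_decide([CONFIDENTIAL_REPORT_RULE], {"department": "Finance"},
                                         CONFIDENTIAL_REPORT, OFFICE_MORNING, "view"),
    }

# ---- Row- and column-level protection: each row is a resource, each sensitive column has a rule ----
CUSTOMER_ROWS = [  # constructed sample table
    {"customer_id": 1, "region": "Gauteng", "id_number": "ID-0001", "credit_score": 710},
    {"customer_id": 2, "region": "Western Cape", "id_number": "ID-0002", "credit_score": 640},
    {"customer_id": 3, "region": "Gauteng", "id_number": "ID-0003", "credit_score": 590},
]
ROW_RULE = Rule({"view"}, [lambda s, r, e: r["region"] == s["region"]])  # only the subject's own region
COLUMN_RULES = {
    "id_number": Rule({"view"}, [lambda s, r, e: s["clearance"] >= 3]),
    "credit_score": Rule({"view"}, [lambda s, r, e: s["clearance"] >= 2]),
}

def row_level_view(rows: list, subject: dict, env: dict) -> list:
    """Drop rows the subject may not see and mask columns the subject may not see."""
    visible = []
    for row in rows:
        if not abac_decide([ROW_RULE], subject, row, env, "view"):
            continue
        shown = dict(row)
        for column, rule in COLUMN_RULES.items():
            if not abac_decide([rule], subject, row, env, "view"):
                shown[column] = "***"
        visible.append(shown)
    return visible

def john_customer_view() -> list:
    return row_level_view(CUSTOMER_ROWS, JOHN, OFFICE_MORNING)
```

Running `john_examples()` returns a deny from RBAC and an allow from ABAC for the office request, a deny for the after-hours home request, and a deny for a subject record that lacks a clearance attribute; the `try`/`except` in `Rule.permits` is what makes the last case fail closed, which is the property to check first in any attribute-driven policy engine. `john_customer_view()` returns only the two Gauteng rows, with `credit_score` visible (clearance 2) and `id_number` masked (requires clearance 3): the same evaluator gives row-level and column-level protection without any new roles.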

Through our partnerships with Pathlock and Satori, Master Data Management provides simple, code-free approaches to extend your existing RBAC IAM systems to ensure fine-grained access control and data protection for your critical business applications and data analytics environments, on-premise and in the cloud.


Response to “An introduction to data access management methodologies – ABAC, FGAC and RBAC”

  1. Major trends that CIOs and CDOs must plan for in 2023

    […] with hybrid- or multi-cloud solutions. This can be simplified through the use of centralised, fine-grained access policies that can be easily deployed across […]
