An introduction to data access management methodologies – ABAC, FGAC and RBAC


Data security and access management are highly technical topics that have, largely, been left to the Chief Information Security Officer and his team. Yet, with PoPIA in full force, more stakeholders have a need to understand the basic access control approaches available to them

Photo from pxfuel

What is RBAC?

Role-based access control (RBAC) restricts network or system access based on a person or account’s role within an organisation. LDAP is a commonly used protocol to implement and RBAC methodology.

RBAC is intended to ensure that employees only access systems that are required for them to do their jobs. Access can be based on factors such as authority, responsibility and job competency, and access to data resources can be limited to specific tasks, such as the ability to view, create, modify or delete a file.

RBAC is popular as it reduces the need to assign privileges to individuals.

However, by its nature RBAC has some limitations that have an impact on its use to implement protection of sensitive information, particularly in large, complex organisations. Most critically, RBAC is applied to users, not to objects or operations, and, while access can be restricted to certain systems, RBAC does not limit access to data within systems.

What is ABAC?

Atribute-based access control (ABAC) is a model that has evolved from RBAC that addresses some of these shortcomings. ABAC grants access based on an evaluation of the characteristics of attributes, rather than roles.

A central data access policy defines which combination of user (role) and object attrributes are required for access.

The key benefit of ABAC is that it can be used to define far more complex access polices, providing protection to individual data elements – such as ID Number, Credit Score, or HIV Status. Data is protected at a row level.

However, this flexibility can be hard to manage without a centralised dynamic access management platform that can identify sensitive data and apply policies dynamically, as discussed in How to Achieve Dynamic Row-Level Security with ABAC

What is FGAC?

Fine-grained access control (FGAC) is another term for ABAC as it speaks the ability of the ABAC methodology to provide fine-grained access. RBAC can also be thought of as course-grained.

Through our partnership with Okera, Master Data Management provides a simple approach to provide fine-grained access control for your data analytics environments, on-premise and in the cloud.

Watch the Okera webinar on-demand Scaling Access Control for the Enterprise: The Power of ABAC

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.