Data security and access management are highly technical topics that have, largely, been left to the Chief Information Security Officer and his team. Yet, with PoPIA in full force, more stakeholders have a need to understand the basic access control approaches available to them
Photo from pxfuel
What is RBAC?
Role-based access control (RBAC) restricts network or system access based on a person or account’s role within an organisation. LDAP is a commonly used protocol to implement and RBAC methodology.
RBAC is intended to ensure that employees only access systems that are required for them to do their jobs. Access can be based on factors such as authority, responsibility and job competency, and access to data resources can be limited to specific tasks, such as the ability to view, create, modify or delete a file.
RBAC is popular as it reduces the need to assign privileges to individuals.
However, by its nature RBAC has some limitations that have an impact on its use to implement protection of sensitive information, particularly in large, complex organisations. Most critically, RBAC is applied to users, not to objects or operations, and, while access can be restricted to certain systems, RBAC does not limit access to data within systems.
What is ABAC?
Atribute-based access control (ABAC) is a model that has evolved from RBAC that addresses some of these shortcomings. ABAC grants access based on an evaluation of the characteristics of attributes, rather than roles.
A central data access policy defines which combination of user (role) and object attrributes are required for access.
The key benefit of ABAC is that it can be used to define far more complex access polices, providing protection to individual data elements – such as ID Number, Credit Score, or HIV Status. Data is protected at a row level.
However, this flexibility can be hard to manage without a centralised dynamic access management platform that can identify sensitive data and apply policies dynamically, as discussed in How to Achieve Dynamic Row-Level Security with ABAC
What is FGAC?
Fine-grained access control (FGAC) is another term for ABAC as it speaks the ability of the ABAC methodology to provide fine-grained access. RBAC can also be thought of as course-grained.
Through our partnership with Okera, Master Data Management provides a simple approach to provide fine-grained access control for your data analytics environments, on-premise and in the cloud.