Identity Access Management & Governance

Role Based Access Control (RBAC) & Attribute Based Access Control (ABAC)

Role-Based vs. Attribute-Based

Role Based Access Control (RBAC) grants user access rights depending upon the role of user. User roles identify an individual's relationships to the enterprise (employee, contractor, faculty, staff, student, affiliate, non-affiliated, etc.) and the access permissions for responsibilities (Accounting Specialist, Nurse, Chief Human Resources Officer, etc.). RBAC is widely used in commercial and government organizations to facilitate a level of security with ease and efficiency. For example, organizations can use RBAC to give all doctors access to the Prescribers' Digital Reference (PDR) online.

Attribute Based Access Control (ABAC) provides the access control of roles with the additional granularity of significant attributes to fine-tune the access. The use of significant attributes permits variations in access without the creation of numerous role definitions. A user's Identity Profile generally contains attributes for identification, demographics, and job function. Attributes used for ABAC enhance the access to specifics beyond the role - Worksite Location, Top Secret clearance, Neurologist-NCC, Day of the Week)

Where is this headed?

Companies are moving towards ABAC for its dynamic capabilities, efficiency, and increased security - while reducing administrative burden. The National Cybersecurity Center of Excellence (NCCoE) addressed this challenge by developing an example ABAC reference model using commercial products that can function alongside those in your existing infrastructure. The NIST - ABAC Solution Guide includes relevant security characteristics, standards, and best practices from the National Institute of Standards and Technology (NIST) and other organizations. The guide demonstrates the implementation of standards-based cybersecurity technologies in the real world. It can save organizations research and proof of concept costs for mitigating risk through the use of context for access decisions.

What are the challenges?

Traditionally, granting or revoking access to IT systems requires a Security Administrator to enter information into an application. This method is inefficient and doesn't scale as organizations grow. Furthermore, this approach is not ideal for security or preserving privacy - as all administrators of a database have access to all its information. Consider a patient submitting a health insurance claim. A claims examiner needs to know just billing and diagnostic codes and a few pieces of demographic data to permit reimbursement. Interacting with the same system, the patient’s doctor needs to verify that the diagnosis and referral information is for the correct patient, but doesn't need to see the payment or address information. The patient needs access to the claim status, while the patient's employer only needs to know the number of claims submitted by the employee. The insurance company provides a single service - claims processing, but each user of the service has different access needs. An advanced method of access management would increase security and efficiency by seamlessly controlling access per user at a granular data level. Ideally, it would enable the appropriate permissions and limitations for the same information system for each user based on individual attributes, and allow for permissions to multiple systems to be managed by a single platform, without a heavy administrative burden.