It was a quiet night in the city, around midnight on a weekday. I was part of the change team, and one of the few people on the office floor. At the time, this was the Identity and Access Management (IAM) Operations team of an Australian bank, within the Cyber Security department. For the Operations team, it was a routine task: taking the Identity Management system offline to deploy and onboard new roles into the system. That night, we were onboarding about 50 roles. These roles were a key part of the bank's Role-Based Access Control (RBAC) system. With the bank modernizing its operations and regularly introducing new applications, this process had become a consistent part of our work, typically involving the addition of around 200 roles each month.

At the bank, we used a lot of RBAC policies to grant and revoke access for the bank's workforce. It got me thinking about RBAC and its problem with role explosion, and whether Attribute-Based Access Control (ABAC) was a better alternative.

In this blog, we will explore different approaches to enforcing RBAC and ABAC in an enterprise context. We'll examine what drives the business need to choose between RBAC and ABAC, the various architectural deployments of these access control methods, and the implications of their selection.

Defining authorizations (i.e. who should have access to what) is straightforward, though resource-intensive. With the expertise of your Business Analysts, you can map out user profiles and define the resources each should access, aligning them with organizational needs and industry standards. However, the real challenge lies in consistently enforcing these access control policies across all applications and services with confidence and reliability, while also ensuring they are properly maintained and auditable. While there are multiple methodologies for implementing access control, the two most popular methods in the industry for enforcing access control are RBAC and ABAC.
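To make the role-explosion point concrete, here is a small policy evaluator I have added to this post (it is example code, not anything from the bank's IAM system). It encodes the same access rule two ways: as RBAC, where one role exists per combination of job function, region and line of business, and as ABAC, where a single rule compares subject and resource attributes. The job functions, regions, lines of business and resource naming are all constructed sample values. It also cross-checks that both encodings return identical decisions for every subject, resource and action, which is the kind of check you want before migrating from one model to the other.

```python
"""Added example: RBAC versus ABAC for one business rule, with a
consistency check between the two encodings. All names are constructed."""
from dataclasses import dataclass
from itertools import product

# Constructed business dimensions (hypothetical, not from the original post)
JOB_FUNCTIONS = ("teller", "loan_officer", "auditor")
REGIONS = ("nsw", "vic", "qld", "wa")
BUSINESS_LINES = ("retail", "business_banking")
ACTIONS = ("read", "update")


@dataclass(frozen=True)
class Subject:
    name: str
    job: str
    region: str
    line: str


@dataclass(frozen=True)
class Resource:
    kind: str
    region: str
    line: str


# --- RBAC: permissions attach to roles, roles attach to users ---------------
def build_rbac_roles(job_functions, regions, lines):
    """One role per (job, region, line): the multiplicative growth that
    produces role explosion. Returns {role: {(resource_id, action), ...}}."""
    roles = {}
    for job, region, line in product(job_functions, regions, lines):
        resource_id = f"accounts/{region}/{line}"
        actions = {"read"} if job == "auditor" else {"read", "update"}
        roles[f"{job}_{region}_{line}"] = {(resource_id, a) for a in actions}
    return roles


def rbac_allowed(user_roles, resource_id, action, policy):
    """Allow if any of the user's roles carries the permission."""
    return any((resource_id, action) in policy.get(r, set()) for r in user_roles)


def role_for(subject):
    """The single role a provisioning process would assign to this subject."""
    return f"{subject.job}_{subject.region}_{subject.line}"


def rbac_resource_id(resource):
    return f"{resource.kind}/{resource.region}/{resource.line}"


# --- ABAC: one rule over attributes, no per-combination artifacts -----------
def abac_allowed(subject, resource, action):
    """Same region and line of business; auditors are read-only."""
    if resource.kind != "accounts" or action not in ACTIONS:
        return False
    if subject.region != resource.region or subject.line != resource.line:
        return False
    if action == "update" and subject.job == "auditor":
        return False
    return True


# --- Maintenance cost and equivalence checks --------------------------------
def roles_added_for_new_region(job_functions, regions, lines, new_region):
    """How many RBAC roles one new region creates (ABAC needs no rule change)."""
    before = len(build_rbac_roles(job_functions, regions, lines))
    after = len(build_rbac_roles(job_functions, regions + (new_region,), lines))
    return after - before


def policies_agree(job_functions, regions, lines):
    """Exhaustively compare RBAC and ABAC decisions over every subject,
    resource and action; any mismatch means the two encodings drifted."""
    policy = build_rbac_roles(job_functions, regions, lines)
    for job, s_region, s_line in product(job_functions, regions, lines):
        subject = Subject("sample", job, s_region, s_line)
        roles = {role_for(subject)}
        for r_region, r_line in product(regions, lines):
            resource = Resource("accounts", r_region, r_line)
            for action in ACTIONS:
                rbac = rbac_allowed(roles, rbac_resource_id(resource), action, policy)
                if rbac != abac_allowed(subject, resource, action):
                    return False
    return True


if __name__ == "__main__":
    policy = build_rbac_roles(JOB_FUNCTIONS, REGIONS, BUSINESS_LINES)
    print(f"RBAC roles needed: {len(policy)}")
    print(f"Roles added by one new region: "
          f"{roles_added_for_new_region(JOB_FUNCTIONS, REGIONS, BUSINESS_LINES, 'sa')}")
    print(f"RBAC and ABAC decisions agree: "
          f"{policies_agree(JOB_FUNCTIONS, REGIONS, BUSINESS_LINES)}")
```

With three job functions, four regions and two lines of business the RBAC encoding already needs 24 roles, and each new region adds six more, while the ABAC rule is unchanged. The trade-off the rest of this post discusses is that the ABAC rule is only as trustworthy as the attribute sources (HR feeds, directory data) it reads at decision time.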
RBAC is a method of granting users access to resources based on predefined roles, such as auditor or admin, while ABAC grants access based on user attributes, such as location and department. Let us take a look at some sample policies that resemble what's actually used in practice at the bank: