Citrix Blogs

ABAC vs. RBAC: What’s the difference?

Two of the most common methods for securing access to business resources are attribute-based access control (ABAC) and role-based access control (RBAC). These types of access control models determine authorization based on who the user is and what resources they’re trying to access — but there are some key differences. While ABAC focuses on attributes like location and time of day, RBAC assigns permissions based specifically on the role of each user within an organization.

Let’s say your company is growing or onboarding new remote and hybrid workers. You have an increasing mix of new employees and third-party associates who will need access to your systems and resources. As part of this process, you need to define who has access to what, and when.

Choosing the right access control system in this scenario is critical. But how do you decide between ABAC and RBAC? Let’s review their differences and use cases.

What is RBAC?

As its name suggests, role-based access control grants permissions according to predefined roles. Applying an RBAC approach means user access permissions will depend on your role in the organization. For example, if your tasks require you to write and edit files, you will be assigned these permissions. Other users may have roles that require them to read files and not edit them.

Administrators set the parameters for which permissions should be granted for each role, and which users are assigned those permissions. According to the National Institute of Standards and Technology (NIST), which defines the criteria for access control based on user roles, permissions may be inherited through a role hierarchy and typically reflect the types of access people need to do their jobs.

So, what is the role of RBAC? It defines a group of people sharing a number of characteristics. They might belong to the same department or share the same location, seniority level, or tasks. Typically, the higher the position of a person in the organization, the more permissions are granted.

Once a new role is defined, the administrator assigns the relevant permissions, addressing the following criteria:

For example, a developer should have access to code but not payroll, and you can set different permission levels among developers. A code tester requires certain permissions that an entry-level developer doesn’t. A user can have more than one role, and multiple users may be assigned the same role.

How does RBAC work?

Before granting permissions, a user must validate their credentials. There are two basic aspects to access security: authentication and authorization.

Authentication

Authentication is the action of verifying that a user is who they say they are. It’s the first stage of any security process. Some authentication methods commonly used may include:

When systems require more than one factor before giving access, it’s called multi-factor authentication (MFA). This is a common requirement for zero trust security models.

Authorization

The next step in the security process is authorization. This is the action of granting permission to the user to access a specific resource, application, or function. In a secure system, authorization always follows authentication. In an RBAC model, authorization is granted only according to the users’ roles.  

Types of RBAC models

The NIST classifies the RBAC models by four types: flat, hierarchical, constrained, and symmetric:

What is ABAC?

Attribute-based access control (ABAC) grants access based on a set of predefined characteristics called attributes. Administrators set permissions according to different types of user attributes related to the environment or resources being accessed.

ABAC offers the possibility of controlling more variables than RBAC, and it can prevent the risk of an attacker getting access via stolen credentials. ABAC enables administrators to set permissions based on a combination of attributes. In this model, you can give the same person different levels of permissions based on their location or time of login.

The ABAC model combines different elements to grant permission levels:

How does ABAC work?

Once administrators answer those questions, they define relationships and permissions by if/then statements. For instance, if a user is a department head, that person may read and write files. If a user works in accounting, they can access accounting files. The if/then statement may also relate to the user’s location (no logins from outside the office) or be time-related (no access outside office hours).

RBAC vs. ABAC benefits and considerations

RBAC and ABAC are methods for controlling access to resources. Each one, however, comes with its benefits and disadvantages.

ABAC Pros

ABAC Cons

RBAC Pros

RBAC Cons

When to use RBAC or ABAC

After exploring the differences between the two models, you may wonder which one is best for your organization. Here are five common use cases for ABAC and RBAC:

Companies often combine RBAC and ABAC models to cover multiple use cases. This is called a hybrid system, and it grants high-level access accomplished through RBAC along with granular control achieved through ABAC. However, it’s worth noting that sometimes neither RBAC or ABAC can accurately provide a comprehensive secure access model for your organization’s needs.

Go Beyond ABAC and RBAC with Citrix

When it comes to cybersecurity, choosing the right access management tool is key. And while ABAC and RBAC are both popular options, there’s an even better way to protect access. By delivering zero trust network access (ZTNA) to corporate applications, you can easily support the hybrid workforce — without exposing your organizations to threats.

Interested in learning more? See how Citrix Secure Private Access can help keep your apps and sensitive data secure.

Exit mobile version