Access Control: RBAC, ABAC, ACL

Tony Huang
2 min read · Aug 17, 2022


Role-Based Access Control (RBAC)

  • RBAC is an approach that restricts system access to authorized users based on the roles those users hold within an organization.
  • RBAC defines roles, each with a specific set of permissions, and assigns subjects to those roles; the role determines which permissions the system grants to the user.
  • RBAC manages who has access to resources and what they can do with them.
  • With RBAC, organizations can reduce the effort of managing access control: when a new employee is hired, the organization simply assigns a role to that employee, or switches the roles of existing employees. Roles can be added and changed easily and quickly.

Example

Permission control against a phonebook

RBAC Example

Roles:

  • Editor can read and write the phonebook
  • Reader can only read the phonebook
  • Owner can read, write, and delete the phonebook

Attribute-Based Access Control (ABAC)

  • ABAC is an approach that evaluates attributes associated with the subject, the operation, and the environment.
  • ABAC controls access based on those attributes: it evaluates a boolean expression over them, and the result tells whether to grant or deny the access.

Example

Only employees whose ID is less than 100 and who are in the library can read the phonebook.

Access Control List (ACL)

  • An ACL is a table listing the permissions assigned to users for each resource; its entries are called rules. It blocks unauthorized users and allows authorized users to access the resources.
  • An ACL tells who can access which resource, and what actions they can perform against it.
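The three models applied to the phonebook from the examples above, as an added Python example that is not from the original post. The user names, the user-to-role assignments, the ACL entries and the `Request` attribute names are assumptions; the role permissions and the ABAC rule are the ones stated on the page.

```python
from dataclasses import dataclass

READ, WRITE, DELETE = "read", "write", "delete"

# RBAC: a role carries a set of permissions; a subject is assigned a role.
ROLE_PERMS = {
    "reader": {READ},
    "editor": {READ, WRITE},
    "owner": {READ, WRITE, DELETE},
}
USER_ROLE = {"alice": "owner", "bob": "editor", "carol": "reader"}  # constructed

def rbac_allows(user: str, action: str) -> bool:
    """Grant iff the user's role carries the requested permission; unknown users are denied."""
    role = USER_ROLE.get(user)
    return role is not None and action in ROLE_PERMS.get(role, set())

# ABAC: the policy is a boolean expression over subject, operation and environment attributes.
@dataclass(frozen=True)
class Request:
    employee_id: int   # subject attribute
    location: str      # environment attribute
    action: str        # operation attribute

def abac_allows(req: Request) -> bool:
    """Page rule: only employees with ID < 100 who are in the library may read the phonebook."""
    return req.action == READ and req.employee_id < 100 and req.location == "library"

# ACL: per-resource table of (principal, allowed actions) rules; anything unlisted is denied.
ACL = {
    "phonebook": [
        ("alice", {READ, WRITE, DELETE}),
        ("bob", {READ, WRITE}),
        ("carol", {READ}),
    ],
}

def acl_allows(resource: str, user: str, action: str) -> bool:
    """Walk the resource's rules; the first rule matching the principal decides, otherwise deny."""
    for principal, actions in ACL.get(resource, []):
        if principal == user:
            return action in actions
    return False
```

Note that every function defaults to deny: an unknown user, an unknown resource, or a request that matches no rule is refused rather than silently allowed.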

RBAC vs. ABAC

[Figure: RBAC vs. ABAC comparison]

RBAC vs. ACL

[Figure: RBAC vs. ACL comparison]
