Access Control: RBAC, ABAC, ACL
2 min read, Aug 17, 2022
Role-Based Access Control (RBAC)
- RBAC is an approach that restricts system access to authorized users based on the roles individual users hold within an organization.
- RBAC defines roles, each with a specific set of permissions, and assigns subjects to those roles; the role determines which permissions the system grants to the user.
- RBAC manages who has access to resources and what they can do with those resources.
- With RBAC, organizations can reduce the effort of managing access control: when they hire a new employee, they simply assign a role to that employee, or switch the roles of existing employees. Roles can be added and changed easily and quickly.
Example
Permission control against a phonebook
Roles:
- Editor: can read and write the phonebook
- Reader: can only read the phonebook
- Owner: can read, write, and delete the phonebook
Attribute-Based Access Control (ABAC)
- ABAC is an approach that evaluates attributes associated with the subject, the operation, and the environment.
- ABAC controls access based on those attributes: it evaluates a boolean rule over them and tells whether to grant or deny the access.
Example
Only employees whose ID is less than 100 and who are in the library can read the phonebook.
Access Control List (ACL)
- An ACL is a table listing the permissions assigned to users for each resource; its entries are called rules. It blocks unauthorized users and allows authorized users to access the resource.
- An ACL tells who can access which resource and what actions they can perform against it.
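The three models side by side on the phonebook example from the RBAC and ABAC sections above, as an added illustration (not code from the original post): the role table, the ABAC rule "ID below 100 and in the library may read", and a per-resource ACL are all constructed here; `Subject`, the rule functions and the sample names are assumptions for the example.

```python
from dataclasses import dataclass, field

# RBAC: each role carries a fixed set of permissions (the page's Editor/Reader/Owner table).
RBAC_ROLES = {
    "Editor": {"read", "write"},
    "Reader": {"read"},
    "Owner": {"read", "write", "delete"},
}

# ACL: a constructed per-resource table of rules; a missing entry means deny.
ACL = {
    "phonebook": {"alice": {"read", "write"}, "bob": {"read"}},
}


@dataclass
class Subject:
    """Constructed subject carrying both a role assignment and ABAC attributes."""
    name: str
    employee_id: int
    roles: set = field(default_factory=set)


def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: grant if any role assigned to the subject carries the requested action."""
    return any(action in RBAC_ROLES.get(role, set()) for role in subject.roles)


def abac_allows(subject: Subject, action: str, env: dict) -> bool:
    """ABAC: evaluate the page's boolean rule over subject, action and environment attributes.

    Rule: only employees whose ID is less than 100 and who are in the library can read.
    Any other action, ID or location evaluates to deny.
    """
    return (
        action == "read"
        and subject.employee_id < 100
        and env.get("location") == "library"
    )


def acl_allows(subject: Subject, resource: str, action: str) -> bool:
    """ACL: look up the rule for (resource, subject); unknown resource or subject is denied."""
    return action in ACL.get(resource, {}).get(subject.name, set())
```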
RBAC vs. ABAC
RBAC vs. ACL