RBAC vs ABAC vs PBAC: Access Control Uses & Definitions

RBAC, ABAC, and PBAC are all access controls that can help keep certain information or systems restricted to those based on user, environment, role and more.

What do RBAC, ABAC and PBAC stand for? PBAC stands for Policy Based Access Control, ABAC stands for Attribute-Based Access Control, and PBAC stands for Policy Based Access Control.

What Is Access Control?

Access control is using security measures to protect system resources against unauthorized access. Because such protection is foundational to nearly any security framework, regulatory compliance standard, and basic security strategy, it is often one of the paramount security technologies a company will implement.

Access control can include several different components, but a few of the most important are:

  • Authentication: Authentication is verifying user presence and identity by comparing provided credentials against a digital identity contained within a system. Often the first line of defense in access control setups, authentication is responsible for determining that a user is who they say they are and that they are present at the point of verification.
  • Authorization: Authorization is the (often continuing) determination of a user’s privileges and ability to access system resources. These privileges include access to data (including the ability to read, modify, or execute files), modifying system services, or changing system configurations.
  • Identity: At the heart of both authentication and authorization are the use of digital identities for users. These identities contain critical business operations and security information, including authentication credentials or data related to that user’s role in the company.

Authentication systems will use credentials for that identity to verify users, and authorization services will rely on that identity to determine system privileges.

The terminology can be flexible, however. These combined services will sometimes be called Identity and Access Management (IAM). Additionally, experts often refer to system authorization methods when referring to access control.

What Are Different Types of Access Control?

The central goal of access control is to ensure that unauthorized users do not access restricted resources while also allowing authorized users to do what they need to do within the confines of their job, position, and privileges. Thus, access control can provide a complex and challenging exercise for security professionals to balance these priorities.

With that fact in mind, there are several methods for implementing access controls, each built around specific needs and philosophies of authorization. These include:

Access Control List (ACL)

Access control lists are the meat and potatoes of access controls. An ACL is, in its simplest form, a list of users that can access system resources. Anyone on the list can access the designated resources and no one else.

This simple approach is easy to deploy for simple services and can provide some excellent security in a black-and-white practice. ACLs also often serve in tandem with other forms of access control. However, as a standalone method, ACLs are also rigid and hard to adapt to more complex technical and organizational structures.

Role-Based Access Control (RBAC)

Perhaps the most well-known form of access control, RBAC relies on an organizational hierarchy or structure to help define privileges in a technical system. This approach has several critical benefits, including its ability to conform to principles of least privilege and its clear adherence to the structure of a business–that is, it can support existing role structures rather than relying on the organization to change to support access control.

Because organizational roles and responsibilities differ between enterprises, there are several subtypes of RBAC. The National Institute of Standards and Technology defines these four subtypes as an increasingly restricted access structure:

  • Flat: Every employee in an organization has at least one role that aligns with a specific level of access.
  • Hierarchical: Role access is defined by seniority in that, as employees move up the hierarchy (through promotion or otherwise), they gain new access privileges while retaining old ones. That is, rules for access at the top of the hierarchy contain the privileges of the roles on the lower levels.
  • Constrained: Includes separation of duties. So, RBAC systems could functionally be a flat systems but include duty-based privileges for roles that are otherwise the same.
  • Symmetrical: Symmetrical systems include regular reviews of role-based privileges and changes in access permissions based on changes to roles or other security issues.

Attribute-Based Access Control (ABAC)

ABAC is a more specialized and fine-grained form of access control. Unlike RBAC, which focuses on the user’s role, ABAC collects data points from several contexts to determine access.

Some of these contexts include:

  • User Attributes: User attributes are those inherent to the user, including their department, business role, job, or clearance level.
  • Environmental Attributes: Environmental attributes are inherent in an access session’s context, including time or location of access or something related to the user’s behavior.
  • Resource Attributes: Resource attributes are those inherent to the resource accessed. This can include regulatory requirements for documents (HIPAA, PCI DSS, etc.), classification, or sensitivity to business operations.
  • Action Attributes: Action attributes are those inherent to the actions the user wants to take with the resource–reading, writing, copying, deleting, executing, etc.

Because there are so many different criteria for access in an ABAC system, control can get fine-tuned across multiple contexts. Furthermore, these contexts can provide a dynamic approach to access–that is, as the context changes (even from hour to hour), access privileges will also change.

The flip side is that, with so many different variables in play, ABAC can quickly become costly and challenging to implement without expert planning.

Policy-Based Access Control (PBAC)

PBAC sites are somewhere between RBAC and ABAC in terms of complexity. As the name suggests, PBAC emphasizes access policies, which can include governance over many of the same attributes as an RBAC or ABAC setup. PBAC focuses on the overarching policies that determine access rather than the individual roles or attributes that make up the policies.

Which Form of Access Control Should I Use?

As with any security, there isn’t a one-size-fits-all approach to access control. Different strategies will fit different business contexts as well as security capabilities.

When considering adopting an access control system, consider the following factors:

  • Granularity refers to the level of control an organization has over its access systems. Fine-grained access control would provide more granularity, often with more available criteria or mechanisms that support complex access control configurations, with expanded costs regarding technology, money, and time to manage.

Conversely, coarse-grained access may cover fewer access criteria but cost less to implement and maintain.

  • Security: How well can the system effectively protect system resources without sacrificing accessibility? An overly-rigid access control system can prove to be more of a detriment than a benefit if not configured properly, regardless of how secure it is.
  • Flexibility: Roles and contexts change, and flexibility is a huge boon with modern IT infrastructure. Some organizations need access control systems that can support changing conditions, sometimes daily, while others are OK with rigid and secure approaches.

With these criteria in mind, each access control approach suits a few specific needs:

  • RBAC: If your organization has a clearly-defined hierarchy, or utilizes company roles to determine data access without too much consideration outside of those roles, then RBAC is suitable. Its alignment with business hierarchies and relatively simple implementation make up for the lack of fine-grained control.
  • ABAC: If your organization needs to manage access across several contexts that cannot be put under a simple policy or role, especially if you also need those controls to function dynamically, then ABAC is an appropriate approach. Note, however, that ABAC can become highly complex and would require significant time and effort to manage.
  • PBAC: If regulatory requirements or other security demands primarily determine your access controls, and you need maximum flexibility to apply those controls over different business contexts, then PBAC is a good choice.

Support Effective Access Control with 1Kosmos

The foundational component of any access control system is verifying a user’s identity. Even if your authorization controls are solid, they can be circumvented without proper authentication and identity control–if you cannot trust that a user is who they say they are, then the threat of hacked accounts remains.

1Kosmos BlockID brings powerful biometrics, passwordless authentication, Multi-Factor Authentication, and distributed and decentralized identity management to organizations looking for solutions that provide maximum security and accessibility. With 1Kosmos, you get the following features:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.

Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.

Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

Read our product page to learn more about 1Kosmos Physical and Logical Access for Business.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.