System Design

RBAC and ABAC

Granting access by roles versus by attributes and contextual conditions.

6 min read · advanced

Roles group permissions

Role-based access control (RBAC) assigns permissions to roles, then assigns roles to users. An editor role might allow creating and updating articles. Users inherit the permissions of their roles, so administration scales: change a role and every holder is affected.

RBAC is simple and auditable, but it struggles with fine-grained, contextual rules. Encoding a rule such as "a manager may approve expenses only in their own department and only under ten thousand dollars" leads to a role explosion, because one role is needed for every combination of department and amount tier.

Attributes add context

Attribute-based access control (ABAC) decides using attributes of the subject, the resource, the action, and the environment. A policy evaluates conditions such as the user's department, the record's owner, the time of day, or the request's amount.

  • Subject attributes, like department or clearance.
  • Resource attributes, like owner or sensitivity.
  • Environment attributes, like time or location.

ABAC is far more expressive and avoids role explosion, at the cost of more complex policy evaluation and harder reasoning about who can do what.
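The following added example (not part of the original lesson) puts the two models side by side in Python: an RBAC table that maps permissions to roles and roles to users, and an ABAC evaluator that runs deny-by-default policies over subject, resource, action and environment attributes. It encodes the manager rule from the section above as a single ABAC policy, and counts the roles RBAC would need to express the same rule. All users, roles, departments and amounts are constructed sample data.

```python
"""RBAC versus ABAC: the same authorization questions answered two ways.
Users, roles, departments and amounts are constructed sample data."""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable

# --- RBAC: permission -> role -> user -------------------------------------
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "editor": {"article:create", "article:update"},
    "viewer": {"article:read"},
    "manager": {"expense:approve"},
}
USER_ROLES: dict[str, set[str]] = {
    "alice": {"editor", "viewer"},
    "bob": {"manager"},
    "carol": {"manager"},
}


def rbac_allows(user: str, permission: str) -> bool:
    """A user holds the union of the permissions of all their roles."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def rbac_roles_for_rule(departments: list[str], amount_tiers: list[str]) -> list[str]:
    """Roles RBAC would need to encode 'manager of department D may approve
    expenses in tier T': one role per combination (the role explosion)."""
    return [f"manager:{d}:{t}" for d, t in product(departments, amount_tiers)]


# --- ABAC: policies evaluated over attributes ------------------------------
@dataclass(frozen=True)
class Request:
    subject: dict                                     # who: id, roles, department
    resource: dict                                    # what: owner, department, amount
    action: str                                       # e.g. "expense:approve"
    environment: dict = field(default_factory=dict)   # when/where: location, hour


Policy = Callable[[Request], bool]


def expense_approval(req: Request) -> bool:
    """Manager may approve only in their own department and under $10,000."""
    return (
        req.action == "expense:approve"
        and "manager" in req.subject.get("roles", ())
        and req.subject.get("department") == req.resource.get("department")
        and req.resource.get("amount", 0) < 10_000
    )


def owner_reads_own_record(req: Request) -> bool:
    """Environment attribute: the owner may read their record only from the office."""
    return (
        req.action == "record:read"
        and req.subject.get("id") == req.resource.get("owner")
        and req.environment.get("location") == "office"
    )


POLICIES: list[Policy] = [expense_approval, owner_reads_own_record]


def abac_decide(req: Request, policies: list[Policy] = POLICIES) -> bool:
    """Deny by default; permit only if some policy's conditions all hold."""
    return any(policy(req) for policy in policies)


def demo() -> dict[str, bool]:
    """Constructed sample decisions for both models."""
    bob = {"id": "bob", "roles": {"manager"}, "department": "finance"}
    in_dept_small = Request(bob, {"department": "finance", "amount": 4_500}, "expense:approve")
    other_dept = Request(bob, {"department": "sales", "amount": 4_500}, "expense:approve")
    too_large = Request(bob, {"department": "finance", "amount": 25_000}, "expense:approve")
    remote_read = Request({"id": "alice"}, {"owner": "alice"}, "record:read",
                          {"location": "home"})
    return {
        "rbac_alice_update": rbac_allows("alice", "article:update"),
        "rbac_alice_approve": rbac_allows("alice", "expense:approve"),
        "rbac_bob_approve": rbac_allows("bob", "expense:approve"),  # RBAC cannot see dept or amount
        "abac_in_dept_small": abac_decide(in_dept_small),
        "abac_other_dept": abac_decide(other_dept),
        "abac_too_large": abac_decide(too_large),
        "abac_remote_read": abac_decide(remote_read),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'permit' if allowed else 'deny'}")
    needed = rbac_roles_for_rule(["finance", "sales", "hr"], ["lt1k", "lt10k", "any"])
    print(f"{len(needed)} RBAC roles needed for one department-and-amount rule")
```

Note that `rbac_allows("bob", "expense:approve")` is true regardless of department or amount: the role table has nowhere to hold those facts, which is exactly why the rule either goes unenforced or multiplies into one role per combination. The ABAC side keeps one policy and reads the context from the request, at the price that answering "who can approve what" now requires evaluating predicates rather than listing role members.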

Key idea

RBAC grants access through roles for simple auditable control, while ABAC evaluates subject, resource, and context attributes for expressive fine grained rules.

Check yourself

1. What does RBAC assign permissions to?

2. What problem of RBAC does ABAC address?

3. Which is an example of an environment attribute in ABAC?