Until recently, there were three main approaches to Authorization:
Access Control Lists (ACLs)
Access Control Lists (ACLs) are the oldest approach to Authorization. With ACLs, an administrator matches users to resources on a one-to-one basis.
Because only one characteristic, username, is used in Authorization decisions, ACLs provide coarse-grained Authorization.
Example of Limitations
Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) involves creating roles, assigning them permission sets, and then assigning users to the roles. This approach is much more efficient than ACLs: assigning a user a role automatically gives them the correct access rights for all resources. Likewise, adding or removing a resource to a role ensures that the change is effective for all users with that role.
Because only one characteristic, role, is used in Authorization decisions, RBAC provides coarse-grained Authorization. eristic, role, is used in Authorization decisions, RBAC provides coarse-grained Authorization.
Example of Limitations
Attribute-Based Access Control (ABAC)
Attribute-Based Access Control (ABAC) does not use roles. Instead, it uses multiple characteristics or attributes, such as a user’s location or the time of day to determine whether or not to allow access to a resource. For example, an ABAC solution might grant an employee access to a sensitive document during work hours, but not at 2 AM.
Because it can base Authorization decisions on multiple factors, including time of day, ABAC is a “fine-grained” access management solution that works at run-time.
Example of Limitations
Beyond ACLs, RBAC, and ABAC
Despite the strengths of these Authorization methods, we can see that they have important limitations. Because it can base Authorization decisions on multiple factors, including time of day, ABAC is a “fine-grained” access management solution that works at run-time.
All of these problems are solved by Policy-Based Access Control (PBAC) solutions, especially PlainID’s Policy Manager.
PlainiD offers a better solution to Authorization using Policy-Based Access Control (PBAC).
PBAC is the cutting-edge approach to access management, offering a hybrid of RBAC and ABAC’s strongest features. Or as KuppingerCole put it, °PBAC can be considered the harmonization and standardization of the ABAC and RBAC models at an enterprise level:
PBAC uses attributes to support fine-grained Authorization but also supports creating universal policies when needed. Such policies are often needed for compliance issues. At the same time, PBAC supports the convenience of roles but uses them as a single attribute in policy statements. This allows granting roles different access rights depending on circumstances.
PBAC solves two of the most pressing Authorization issues: the advent of the cloud and mobility.
PBAC solves these problems by enabling businesses to net dynamic access-time policies according to the physical or logical location of the user and other factors.
PBAC also makes compliance with regulations such as GRC and GDPR easier by segregating data access, controlling access creep, and even preventing authorized users from accessing data in a risky manner.
Because PBAC supports both roles and attributes, it is relatively easy to switch to it from either RBAC or ABAC. Here are a few tips that will make your transition easier:
1.Gather the “building blocks” for your policies:
The data and definitions you are currently using as input for Authorization decisions are the “building blocks° of policies. These typically include:
Note to RBAC users:
In both this step and the next, keep an eye out for roles you can consolidate by
using other attributes to distinguish between them instead of needing separate
2. Identify existing policies and create new ones:
PBAC supports XACML, 0Auth, and other protocols and languages.
Note to ABAC users:
It is often possible to consolidate existing ABAC rules into a smaller set of policies.
3.Test and verify your policies
IAM managers have been facing increasing problems in the past few years. Some of these problems are caused by changes in technology and their effects on Authorization. Others are related to the way Authorization has been implemented in the field.
PlainID’s PBAC platform solves both these of challenges. In the previous section, we discussed how PBAC solves problems related to the cloud and to mobility. Here we discuss how Smart Authorization solves the implementation issues.
One of the most common phenomena in RBAC systems is “role explosion”. Role explosion occurs when a company creates very specific roles to cover every possible net of permissions needed. As network resources grow, not only do existing roles get more complicated, but new ones get added.
PlainID recently solved this and other problems for a client we’ll call “Company A. Company A began with over 1,000 individual roles. The IT team managing them was overwhelmed to say the least.
As it does with all clients, PlainID used PBAC’s policy creating features and its use of attributes to reduce the number of roles significantly. By using attributes such as location and the time of access requests as input PlainiD was able to make each basic role more flexible. For example, for an American client, instead of having 50 roles for insurance salespeople to access the forms relevant to their state, PlainID could create one role called “salesperson° and use another attribute, “state” to link salespeople with their state.
PlainiD made the process simpler by first making the entire system visible. This made it much easier to best match users to data. By the time PlainID’s PBAC platform went live, Company A had approximately 50 roles instead of 1000!
The result was a net of flexible, dynamic, fine-grained Authorization policies that could be altered in run-time, if needed. By making access management simpler, PBAC saved the company thousands of dollars in IT costs, while freeing up days, if not months, of the team’s time. Moreover, using PBAC enabled management to take over access management decision-making.
In the past, this area was so complex that it was run by IT. But Authorization is really a business decision: determining who has access to which data is one of the most important decisions a company will make. PBAC enables you to set access management policies via an easy-to-use user interface without writing a single line of code.
The PBAC Platform’s support of management includes approval and audit functions. You can configure the software to require a manager’s approval before implementing any change of access management policy. The platform’s record-keeping abilities enable you to perform audits and generate reports of their findings.
PlainID’s PBAC platform is the ideal Authorization solution for enterprises and SaaS providers. Its PBAC-based solution offers fine-grained access management that is both extremely flexible and easy to use. It is designed to integrate with any environment, support all manner of access points, and safeguard your data in all scenarios, including B2B usage.
PlainID’s PBAC platform is ready for today’s challenges — and tomorrow’s.
Ready to find out more? Click the button below to
schedule a demo with a member of the
PlainID team, or Check out the PlainID Summary Brief.