It's all about IAM

Identity And Access Management - Rajiv Dewan

Role Based Access Control vs Attribute Based Access Control

You might have implemented or currently implementing RBAC i.e. Role Based Access Control but you should also know about ABAC (Attribute Based Access Control) as ABAC is more advanced than RBAC. I have tried to explain both the access controls here, I hope this will help:


RBAC stands for Role Based Access Control. In RBAC, access controls are defined based on the groups/roles a user is having. It simplifies the administration of access controls for large number of users. It’s the best model for cross-grained access control. 

  • HR Administrators will get Read and Write permissions on HR Module of SAP
  • IAM Role Administrators can create, update & delete any role in IAM System

  • Simplifies the management of entitlements
  • Usability: complex names of entitlements can be displayed with simple names of roles
  • Efficiency: improves the efficiency by providing access into various system with a single role
  • Security: it assigns only those permissions to the end user which are required to perform that business function
  • Easy to implement as compare to other Access Control models
  • Permissions are assigned to roles rather than to users
  • Reduces the no of requests as requests will be raised for roles rather than for each permission
  • Dynamic SOD implementation is not possible
  • Limited scope of scalability. After a certain limit, it becomes difficult to scale this model
  • Doesn’t provide fine grained access control
  • Access control definition is predefined
  • Need extra efforts to manage life-cycle of roles


ABAC stands for Attribute Based Access Control. ABAC provides the access based on attributes associated with user or application/system. This is the advance version of RBAC where we can achieve Fine-Grained access control. In this model, authorization policies are defined based on the context, user attributes, application attributes.

  • Children with < 12 years of age will not get access to Movie A & Movie B
  • Certain application can only be accessed by end users during work hours and from office


  • Can be used to achieve Fine-Grained access control which is the need of today’s security system
  • Scalable
  • Can be used with existing Access Control models like RBAC
  • Dynamic Segregation of Duties

  • Complex to analyze
  • Possibility of attribute explosion


All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information