Two of the most common methods for securing access to business resources are attribute-based access control (ABAC) and role-based access control (RBAC). These types of access control models determine authorization based on who the user is and what resources they’re trying to access — but there are some key differences. While ABAC focuses on attributes like location and time of day, RBAC assigns permissions based specifically on the role of each user within an organization.

Let’s say your company is growing or onboarding new remote and hybrid workers. You have an increasing mix of new employees and third-party associates who will need access to your systems and resources. As part of this process, you need to define who has access to what, and when.

Choosing the right access control system in this scenario is critical. But how do you decide between ABAC and RBAC? Let’s review their differences and use cases.

What is RBAC?

As its name suggests, role-based access control grants permissions according to predefined roles. Applying an RBAC approach means user access permissions will depend on your role in the organization. For example, if your tasks require you to write and edit files, you will be assigned these permissions. Other users may have roles that require them to read files and not edit them.

Administrators set the parameters for which permissions should be granted for each role, and which users are assigned those permissions. According to the National Institute of Standards and Technology (NIST), which defines the criteria for access control based on user roles, permissions may be inherited through a role hierarchy and typically reflect the types of access people need to do their jobs.

So, what is the role of RBAC? It defines a group of people sharing a number of characteristics. They might belong to the same department or share the same location, seniority level, or tasks. Typically, the higher the position of a person in the organization, the more permissions are granted.

Once a new role is defined, the administrator assigns the relevant permissions, addressing the following criteria:

  • Access: What will the user see on their device?
  • Operations: Is the user only allowed to read materials? Or can they write, create, or delete files?
  • Sessions: What are the conditions for starting and stopping a session? What determines how long a user has access?

For example, a developer should have access to code but not payroll, and you can set different permission levels among developers. A code tester requires certain permissions that an entry-level developer doesn’t. A user can have more than one role, and multiple users may be assigned the same role.

How does RBAC work?

Before granting permissions, a user must validate their credentials. There are two basic aspects to access security: authentication and authorization.

Authentication

Authentication is the action of verifying that a user is who they say they are. It’s the first stage of any security process. Some authentication methods commonly used may include:

  • Passwords: The most common authentication factors are usernames and passwords. If the user inputs the correct credentials, the system validates their identity.
  • Authentication apps: These apps usually generate random security codes to grant access.
  • Biometric: Users are required to present a fingerprint, face recognition, or retinal scan to gain access to the system.
  • One-time code: These codes grant access to a single session.

When systems require more than one factor before giving access, it’s called multi-factor authentication (MFA). This is a common requirement for zero trust security models.

Authorization

The next step in the security process is authorization. This is the action of granting permission to the user to access a specific resource, application, or function. In a secure system, authorization always follows authentication. In an RBAC model, authorization is granted only according to the users’ roles.  

Types of RBAC models

The NIST classifies the RBAC models by four types: flat, hierarchical, constrained, and symmetric:

  • Flat: In this model, all employees have at least one role with permissions. Some may have more than one role.
  • Hierarchical: The relationship between roles is defined by seniority levels. In this case, management shares their employees’ permissions in addition to their own.
  • Constrained: In this model, roles are completely separated according to duties, but several people can work on one task at the same time.
  • Symmetric: The permissions are monitored, reviewed, and adjusted periodically.

What is ABAC?

Attribute-based access control (ABAC) grants access based on a set of predefined characteristics called attributes. Administrators set permissions according to different types of user attributes related to the environment or resources being accessed.

  • User: This attribute can refer to the user’s job title, seniority level, or routine tasks.
  • Resource: This attribute refers to the type of file, application, or document the user wants to access. The sensitivity of the information requested also plays a role in this attribute.
  • Environment: This attribute refers to the conditions of the access attempt and may refer to the time of day a person is accessing the file, the date, or the location of the user.

ABAC offers the possibility of controlling more variables than RBAC, and it can prevent the risk of an attacker getting access via stolen credentials. ABAC enables administrators to set permissions based on a combination of attributes. In this model, you can give the same person different levels of permissions based on their location or time of login.

The ABAC model combines different elements to grant permission levels:

  • Users: Who is trying to access the file or complete the task?
  • Objects: What file or application is the user trying to access?
  • Actions: What is the user trying to do with that resource?

How does ABAC work?

Once administrators answer those questions, they define relationships and permissions by if/then statements. For instance, if a user is a department head, that person may read and write files. If a user works in accounting, they can access accounting files. The if/then statement may also relate to the user’s location (no logins from outside the office) or be time-related (no access outside office hours).

RBAC vs. ABAC benefits and considerations

RBAC and ABAC are methods for controlling access to resources. Each one, however, comes with its benefits and disadvantages.

ABAC Pros

  • High level of control: Administrators can easily define, modify, and manage permissions based on the rules they set.

ABAC Cons

  • Can be time-consuming: Defining variables and rules can be time-consuming.
  • Requires expertise: You need to set the rules right from the beginning to ensure accurate implementation.

RBAC Pros

  • Easy-to-use and straightforward: Rules are easier to configure than in the ABAC system, enabling agility and a quick start.

RBAC Cons

  • Role explosions: Creating new user roles with RBAC can be tempting — but can also cause an explosion of hundreds or thousands of roles to manage.

When to use RBAC or ABAC

After exploring the differences between the two models, you may wonder which one is best for your organization. Here are five common use cases for ABAC and RBAC:

  • Distributed workforces: When your workforce is distributed across multiple locations, ABAC is a better choice. By implementing an ABAC model, you can grant permissions according to the location of the employee and allow access only during business hours for that time zone.
  • Small teams: If your company is small with few resources and team members, it may be easier to define permissions according to the role. Therefore, in this case, an RBAC system can be more efficient.
  • Temporary teams: Teams working temporarily on a project can get access to sensitive documents and systems during office hours by using an ABAC system. The ABAC model’s time-based rules prevent access to sensitive data at times it’s not needed, thus preventing exfiltration and data breaches.
  • Companies with a simple structure: When your organization’s workgroups have a simple structure with few roles, RBAC is a better choice. For instance, a health clinic can give receptionists access to read and write schedules, but not to see the medical history of patients.
  • Media and creative organizations: Creative teams typically need to collaborate on files and documents in some instances and restrict access in others. Therefore, in this case, the access needs to be adjusted to the type of document — not the role of who wants to access it. ABAC is the best choice for this.

Companies often combine RBAC and ABAC models to cover multiple use cases. This is called a hybrid system, and it grants high-level access accomplished through RBAC along with granular control achieved through ABAC. However, it’s worth noting that sometimes neither RBAC or ABAC can accurately provide a comprehensive secure access model for your organization’s needs.

Go Beyond ABAC and RBAC with Citrix

When it comes to cybersecurity, choosing the right access management tool is key. And while ABAC and RBAC are both popular options, there’s an even better way to protect access. By delivering zero trust network access (ZTNA) to corporate applications, you can easily support the hybrid workforce — without exposing your organizations to threats.

Interested in learning more? See how Citrix Secure Private Access can help keep your apps and sensitive data secure.