RBAC vs. ABAC Definitions & When To Use

By DonaldMoon

Identity management techniques protect your sensitive digital assets. What form of protection should this protection take?

It is possible to make smart decisions by understanding the differences between role-based access control and attribute-based control.

RBAC vs ABAC Comparison

ABAC and RBAC have different access policies. RBAC techniques can be used to grant access according to roles. ABAC techniques allow you to determine access based on user characteristics, object characteristics and action types.

Let’s get into the details.

What is Role-Based Access Control Control?

Your computer system is logged into by someone else. What can this person do? Using RBAC techniques will answer that question depending on the role of that individual.

RBAC language usually refers to roles that are defined as a group of people who share certain characteristics such as:

  • Departments
  • Localities
  • Seniority levels
  • Work duties

You can give permissions once you have defined a role. These could include:

Access. What can the individual see?

Operation. What can the person read and write? What can the person read? What can the person do?

Sessions. How long can the user stay in the system for? When will the login expire? When does the login expire

This is how all RBAC systems operate. For those who need more flexibility, the National Institute of Standards and Technology has four types of RBAC.

Flat: Every employee has at least one role that determines permissions. However, some employees may have more than one.

Hierarchical: Roles are arranged according to their seniority. While senior executives may have their own permissions and those granted by their subordinates, they can also use the permissions of their colleagues.

Constrained: Multiple people are required to work together on a single task. This is a way to protect your data and stop fraudulent activity.

Symmetrical: Permissions for roles are regularly reviewed and permissions can change as a result.

These roles are interrelated and can be organized by security level.

Level 1, Flat: This form of RBAC is the simplest. To gain permissions, employees use roles.

Level 2, Hierarchical : This adds to the Flat RBAC rules and it also creates a hierarchy of roles.

Level 3, Constrained : This adds to Hierarchical RBAC and separates duties.

Level 4, Symmetrical : This model builds upon the Constrained RBAC model and adds permission reviews.

What is Attribute-Based Control Access Control?

Your computer system is logged into by someone else. What can this person do? ABAC protocols answer this question through the user, the resource attributes or the environment.

Administrators of ABAC systems can grant permissions to:

User. The work that is possible could be determined by the job title of the person, their typical tasks or seniority.

Resource attributes. Access could be determined by the type of file, who made it or its sensitivity.

Environment. Access to the file could be determined by the location, time of day or calendar date.

Administrators can exercise a lot of control over a system such as this. Administrators can set permissions that are based on many attributes. This will help to protect documents. You could give different permissions to the same person depending on their log-in location or the activities they attempt on different days of the week.

  • ABAC elements work in concert.
  • Subjects: Who’s trying to do this work?
  • Objects: Which file in the network is the user trying?
  • Operation. What’s the person trying do with that file?
  • Relationships can be defined using if/then statements. Take this example:
  • Accounting users can access files in the accounting department.
  • Managers may have the right to read/write files.

If the policy of the company prohibits Saturday work and today is Saturday then no one can access files today.


Control should be well-defined

Administrators have the ability to manage, modify, and enhance many variables. This ensures a high degree of control. It is possible to create very precise and detailed rules that protect your assets.



The RBAC system’s rules are easy to follow and simple. It is quick and requires less processing power.