Role-based access control (RBAC) vs. Attribute-based access control (ABAC)
Published 2024-06-13
Learn about the technology → ibm.biz/BdmwNY
Are you exploring access control, authentication, and authorization as you try to choose the best access control model for your organization? In this video, IBM Distinguished Engineer and Adjunct Professor Jeff Crume explains the pros and cons of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), and how they shape access decisions in real-world scenarios.
Get the latest on the evolving threat landscape → ibm.biz/BdmwN2
All Comments (15)
-
7 minutes with the best explanation I have ever seen
-
Another video from Jeff! Yay! Every single one of his videos is an absolute gem. I wish I could attend his university classes 😭 It must be incredible to learn from him in person.
-
I would say that what he called a "hybrid" scenario of RBAC is actually the most common approach. There is little value in a Role itself in anything but the most simple application. There are almost always attributes/permissions that make up a Role, often with Read/Write permissions for each individual feature/function/etc.
-
Simple, Concise and To the point🤞🏾
-
Thanks for the video, Jeff. It would also be great to add ReBAC as well and explain when to use it.
-
RBAC is easy to understand from a "people" perspective. ABAC makes sense when there is a need for more fine-grained access to sensitive data and programs. I'd like to see a more detailed reference document (or a subsequent video) that deals with ABAC case study examples involving situations where: (1) privacy-related legislation imposes geo-location constraints on who can create, read, update or delete personally identifiable data values; (2) restricted access to sensitive documents (or parts of these sensitive documents) may be required depending on the attributes of end users; (3) transactional API requests and responses may require a decision on the need for multi-factor authentication.
-
thanks Jeff
-
I was just reading about this yesterday and this video arrives just perfect. Thanks Jeff for sharing your valuable knowledge with us 😊 By the way, I am currently watching your cybersecurity architecture series videos. Pure gold!
-
awesome
-
Excellent video! ♥♥♥
-
amazing wowww
-
love u jeff!
-
TL;DR: what would be the best practices or pitfalls to avoid when using ABAC or a hybrid system? Way too long comment: I would really like a more in-depth dive into this. ABAC can create strange things. The example in the video was simple, but sometimes there could be many combinations possible to give or block access to a resource. We might want some attribute combinations to take priority over others. In a hybrid system, it gets more complicated. We have set up a thing at work, but I find it complicated and hard to visualize who can access what. So what would be the best practices or pitfalls to avoid when using ABAC or a hybrid system?
-
The Official CISSP guide does a bad job of explaining this