Role-based access control (RBAC) vs. Attribute-based access control (ABAC)

Published 2024-06-13
Get the threat intelligence guide → ibm.biz/BdmwNZ
Learn about the technology → ibm.biz/BdmwNY

Exploring the realms of access control, authentication, and authorization as you attempt to choose the best access control model for your organization? In this video, IBM Distinguished Engineer and Adjunct Professor Jeff Crume explains the pros and cons of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), and how they shape access decisions in real-world scenarios.

Get the latest on the evolving threat landscape → ibm.biz/BdmwN2

All Comments (15)
  • @zemalex89
    7 minutes with the best explanation I have ever seen
  • @Joe60459
    Another video from Jeff! Yay! Every single one of his videos is an absolute gem. I wish I could attend his University classes 😭 it must be incredible to learn from him in person.
  • @Tony-dp1rl
    I would say that what he called a "hybrid" scenario of RBAC is actually the most common approach. There is little value in a Role itself in anything but the most simple application. There are almost always attributes/permissions that make up a Role, often with Read/Write permissions for each individual feature/function/etc.
  • @Pem7
    Simple, concise and to the point 🤞🏾
  • @houcebr
    Thanks for the video Jeff. It would also be great to add ReBAC as well and explain when to use it.
  • @W1thcdoctor1987
    RBAC is easy to understand from a "people" perspective. ABAC makes sense when there is a need for more fine-grained access to sensitive data and programs. I'd like to see a more detailed reference document (or a subsequent video) that deals with ABAC case study examples involving situations where: (1) privacy-related legislation imposes geo-location constraints on who can create, read, update or delete personally identifiable data values; (2) restricted access to sensitive documents (or parts of these sensitive documents) may be required depending on the attributes of end users; (3) transactional API requests and responses may require a decision on the need for multi-factor authentication.
  • @amigazo3972
    I was just reading about this yesterday and this video arrives just perfect. Thanks Jeff for sharing your valuable knowledge with us 😊 By the way, I am currently watching your cybersecurity architecture series videos. Pure gold!
  • @mbeware
    TL;DR: what would be the best practices or pitfalls to avoid when using ABAC or a hybrid system? Way too long comment: I would really like a more in-depth dive into this. ABAC can create strange things. The example in the video was simple, but sometimes there could be many possible combinations to give or block access to a resource. We might want some attribute combinations to take priority over others. In a hybrid system, it gets more complicated. We have set up a thing at work, but I find it complicated and hard to visualize who can access what. So what would be the best practices or pitfalls to avoid when using ABAC or a hybrid system?