Role-based access control (RBAC) vs. Attribute-based access control (ABAC)

  • Published on 12 Jun 2024
  • Get the threat intelligence guide → ibm.biz/BdmwNZ
    Learn about the technology → ibm.biz/BdmwNY
    Exploring the realms of access control, authentication, and authorization as you attempt to choose the best access control model for your organization? In this video, IBM Distinguished Engineer and Adjunct Professor Jeff Crume explains the pros and cons of Roles-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), and how they shape access decisions in real-world scenarios.
    Get the latest on the evolving threat landscape → ibm.biz/BdmwN2

Comments • 21

  • @zemalex89 5 hours ago

    7 minutes with the best explanation I have ever seen

  • @Joe60459 13 days ago +7

    Another video from Jeff! Yay! Every single one of his videos is an absolute gem. I wish I could attend his University classes 😭 it must be incredible to learn from him in person.

    • @jeffcrume 13 days ago +1

      Thank you for all the great compliments! 😊

    • @MagsMadonko 12 days ago

      So true! Jeff is quite the educator and advocate of Cyber-Sec. Thanks to him I am back at University grad-school, on my journey into cyber security and loving it. Hope to meet Jeff at IBM one day when I graduate :)

  • @Pem7 7 days ago +1

    Simple, Concise and To the point🤞🏾

    • @jeffcrume 5 days ago

      I’m glad you liked it!

  • @Tony-dp1rl 12 days ago +3

    I would say that what he called a "hybrid" scenario of RBAC is actually the most common approach. There is little value in a Role itself in anything but the most simple application. There are almost always attributes/permissions that make up a Role, often with Read/Write permissions for each individual feature/function/etc.

    • @jeffcrume 12 days ago

      Very true and it’s why many of the early RBAC only approaches failed

  • @MRaha706 8 days ago +1

    thanks Jeff

  • @houcebr 8 days ago +1

    Thanks for the video Jeff.
    It would be also great to add ReBac as well and explain when to use it.

    • @jeffcrume 5 days ago

      Good idea

  • @W1thcdoctor1987 13 days ago +2

    RBAC is easy to understand from a "people" perspective. ABAC makes sense when there is a need for more fine-grained access to sensitive data and programs. I'd like to see a more detailed reference document (or a subsequent video) that deals with ABAC case study examples involving situations where :
    (1) Privacy-related legislations impose geo-location constraints on who can create, read, update or delete personally identifiable data values
    (2) Restricted access to sensitive documents (or parts of these sensitive documents) may be required depending on the attributes of end users
    (3) Transactional API requests and responses may require a decision on the need for multi-factor authentication

    • @jeffcrume 12 days ago

      Thanks for the suggestion

  • @canaldoreno 12 days ago +1

    love u jeff!

    • @jeffcrume 12 days ago

      Very kind of you!😊

  • @amigazo3972 12 days ago +2

    I was just reading about this yesterday and this video arrives just perfect. Thanks Jeff for sharing your valuable knowledge with us 😊
    By the way, I am currently watching your cybersecurity architecture series videos. Pure gold!

    • @jeffcrume 12 days ago

      Thanks so much for the great feedback! I’m so glad you are enjoying the series as well!

  • @blogcorpo 12 days ago +1

    Excellent video! ♥♥♥

  • @mbeware 9 days ago +1

    TL;DR: what would be the best practices or pitfalls to avoid using ABAC or a hybrid system?
    Way too long comment:
    I would really like a more in-depth dive into this. ABAC can create strange things. The example in the video was simple, but sometimes there could be many possible combinations to give or block access to a resource. We might want some attribute combinations to take priority over others. In a hybrid system, it gets more complicated. We have set up a thing at work, but I find it complicated and hard to visualize who can access what. So what would be the best practices or pitfalls to avoid using ABAC or a hybrid system?

    • @jeffcrume 5 days ago

      The goal is to simplify as much as possible and don’t let perfect become the enemy of the good. For instance, rather than trying to get 100% coverage, aim a little lower (maybe 80%) with RBAC or ABAC or both and then handle the rest as request-based exceptions. Otherwise, you can end up with far more roles and rules than you do users - which defeats the purpose.
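
Added example, not part of the comment thread or the video: a small hybrid evaluator in which roles grant permissions and attribute rules can only restrict them (deny overrides), plus a matrix that lists who can access what and which rule decided. All roles, rule names, attributes and users below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# RBAC layer (constructed sample): role -> set of (resource type, action).
ROLE_PERMS = {
    "clerk": {("customer_record", "read")},
    "manager": {("customer_record", "read"), ("customer_record", "update")},
}

@dataclass(frozen=True)
class DenyRule:
    name: str
    matches: Callable[[dict, dict, str], bool]  # (user, resource, action)

# ABAC layer (constructed sample): attribute rules that can only restrict.
# List order is the priority order used when reporting the reason.
DENY_RULES = [
    DenyRule("deny-outside-region", lambda u, r, a: u["region"] != r["region"]),
    DenyRule("deny-update-off-shift", lambda u, r, a: a == "update" and not u["on_shift"]),
]

def decide(user, resource, action):
    """Return (allowed, reason); every decision names the rule that made it."""
    if (resource["type"], action) not in ROLE_PERMS.get(user["role"], set()):
        return False, "no-role-permission"      # default deny
    for rule in DENY_RULES:
        if rule.matches(user, resource, action):
            return False, rule.name             # deny overrides the role grant
    return True, "role:" + user["role"]

def access_matrix(users, resources, actions):
    """Enumerate every decision so 'who can access what' can be reviewed."""
    return {(u["id"], r["id"], a): decide(u, r, a)
            for u in users for r in resources for a in actions}

USERS = [
    {"id": "ana", "role": "clerk", "region": "EU", "on_shift": True},
    {"id": "bo", "role": "manager", "region": "EU", "on_shift": False},
    {"id": "cy", "role": "manager", "region": "US", "on_shift": True},
]
RESOURCES = [{"id": "rec-eu", "type": "customer_record", "region": "EU"}]

if __name__ == "__main__":
    for key, (ok, why) in access_matrix(USERS, RESOURCES, ["read", "update"]).items():
        print(key, "ALLOW" if ok else "DENY", why)
```

Keeping the attribute layer restrict-only means a rule can never widen what a role grants, so reviewing the role table gives the upper bound on access.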

  • @bobbyboygaming2157 10 days ago

    The Official CISSP guide does a bad job of explaining this