A recent discussion in the “Identity Management Specialists Group” on LinkedIn had the title “On point. Agree. Gartner says attributes are the new role for identity?”

I wondered a little about a rather old discussion appearing again. In fact, there rarely has been pure role-based access control. On the other hand, roles are one of the most important, if not the single most important attribute in attribute-based access control. There is no conflict, but we are just looking at the natural evolution.

I commented on another of these discussions nearly two years ago in another post. If you want more detail, have a look at the podcast recording of the KuppingerCole Webinar “Enterprise Role Management Done Right: Build the Bridge between Business and IT”.

We clearly will need some kind of abstraction – we might call that roles or something else. But clearly, the discussion about “attributes instead of roles” is an artificial one, miles away from practical experience and use cases.