Advisory Note

Unifying RBAC and ABAC in a Dynamic Authorization Framework

Mastering authorization is critical for modern organizations with multiple user constituencies, applications, and data types. Groups are necessary but not sufficient in complex environments. Roles are handy for adding manageability and assurance to coarse- or medium-grained authorization but break down in the face of dynamic environments or complex access policies. Attribute-based access control (ABAC) has gained adherents, but is in fact just another piece of the puzzle. In this note, KuppingerCole will unfold the dimensions of a unified authorization framework incorporating all of the above and more.

Dan Blum

db@kuppingercole.com

1 Management Summary

Dynamic authorization in complex enterprise IT environments is one of the most challenging parts of identity and access management (IAM) and of information security alike. To be successful, organizations must address authorization through a holistic architecture. In this note, KuppingerCole breaks the problem down into three dimensions: governance and admin-time authorization, access policy models, and runtime authorization.

Admin-time policy management and runtime policy enforcement must meet in the middle through a policy model that covers groups, RBAC, ABAC, entitlements, and policy expressions (or rules). Organizations must build, as their architecture, a unified authorization framework that spans all three dimensions and often requires hybrids of all the policy models. Herein, KuppingerCole provides frameworks, models, decision trees, and recommendations to get started.
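To make the "meet in the middle" idea concrete, the following added example (not code from the note or from KuppingerCole) sketches a minimal runtime decision function over a hybrid policy model: admin-time data maps groups to roles and roles to entitlements (RBAC), and ABAC rules on subject, resource and context attributes then refine the coarse grant. All group, role, entitlement and attribute names are constructed for illustration.

```python
# Admin-time data (constructed sample): groups -> roles, roles -> entitlements.
GROUP_ROLES = {
    "finance-staff": {"ap-clerk"},
    "finance-leads": {"ap-clerk", "ap-approver"},
}
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"invoice:read", "invoice:create"},
    "ap-approver": {"invoice:read", "invoice:approve"},
}

# Policy expressions (rules): predicates over subject, resource and context
# attributes, evaluated only after the RBAC layer has granted the entitlement.
def same_cost_center(subject, resource, context):
    return subject["cost_center"] == resource["cost_center"]

def within_approval_limit(subject, resource, context):
    return resource["amount"] <= subject["approval_limit"]

def not_self_approval(subject, resource, context):
    # Segregation of duties: the creator of an invoice may not approve it.
    return resource["created_by"] != subject["id"]

RULES = {
    "invoice:approve": [same_cost_center, within_approval_limit, not_self_approval],
    "invoice:read": [same_cost_center],
}

def entitlements_for(subject):
    """Resolve group membership to roles and roles to entitlements (the RBAC layer)."""
    roles = set().union(*(GROUP_ROLES.get(g, set()) for g in subject["groups"]))
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

def decide(subject, action, resource, context=None):
    """Runtime decision: deny-by-default, RBAC coarse grant, then ABAC rule refinement.

    Returns (decision, reason) so the reason can be logged for audit and governance.
    """
    context = context or {}
    if action not in entitlements_for(subject):
        return ("deny", "no entitlement via role")
    for rule in RULES.get(action, []):
        if not rule(subject, resource, context):
            return ("deny", rule.__name__)
    return ("permit", "rbac+abac")
```

The returned reason string is what an audit log or a governance review would consume; in a real framework the group, role and rule data would come from the admin-time policy store rather than from module constants.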


Full article is available for registered users with free trial access or paid subscription.
