Unifying RBAC and ABAC in a Dynamic Authorization Framework
Mastering authorization is critical for modern organizations with multiple user constituencies, applications, and data types. Groups are necessary but not sufficient in complex environments. Roles are handy for adding manageability and assurance to coarse- or medium-grained authorization but break down in the face of dynamic environments or complex access policies. Attribute-based access control (ABAC) has gained adherents, but is in fact just another piece of the puzzle. In this note, KuppingerCole will unfold the dimensions of a unified authorization framework incorporating all of the above and more.
1 Management Summary
Dynamic authorization in complex enterprise IT environments is one of the most challenging parts of identity and access management (IAM) and information security alike. To be successful, organizations must address authorization through a holistic architecture. In this note, KuppingerCole breaks the problem down into three dimensions: governance and admin-time authorization, access policy models, and runtime authorization.
Admin-time policy management and runtime policy enforcement must meet in the middle with a policy model for groups, RBAC, ABAC, entitlements, and policy expressions (or rules). Organizations must architect a unified authorization framework spanning the three dimensions, which often requires hybrids of all these policy models. Herein, KuppingerCole provides frameworks, models, decision trees, and recommendations to get started.
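To make the "meet in the middle" idea concrete, here is an added illustrative policy decision point (example code, not from the KuppingerCole note): group memberships, role assignments, and entitlements are admin-time data, while ABAC policy expressions consume resource and request attributes at runtime, combined with deny-overrides and default deny. All subjects, groups, and rules are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Admin-time state (constructed sample data): what administrators manage ahead of time.
GROUP_MEMBERS = {"finance": {"alice", "bob"}, "eng": {"carol"}}
ROLE_ASSIGNMENTS = {"alice": {"approver"}, "bob": {"clerk"}, "carol": {"developer"}}
ROLE_ENTITLEMENTS = {
    "approver": {"invoice:approve", "invoice:read"},
    "clerk": {"invoice:read"},
    "developer": {"repo:push"},
}

@dataclass
class Request:
    subject: str
    action: str
    resource: dict                               # resource attributes, e.g. owner, amount
    context: dict = field(default_factory=dict)  # runtime attributes, e.g. MFA state

def entitlements_for(subject: str) -> set:
    """RBAC layer: subject -> roles -> entitlements, all resolved from admin-time data."""
    ents = set()
    for role in ROLE_ASSIGNMENTS.get(subject, ()):
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents

# ABAC layer: policy expressions as (effect, predicate) pairs evaluated at runtime.
Rule = Tuple[str, Callable[[Request], bool]]
RULES: List[Rule] = [
    # Separation of duties: nobody may approve an invoice they own.
    ("deny", lambda r: r.action == "invoice:approve" and r.resource.get("owner") == r.subject),
    # High-value approvals require an MFA-backed session (a runtime attribute).
    ("deny", lambda r: r.action == "invoice:approve"
             and r.resource.get("amount", 0) > 5000 and not r.context.get("mfa")),
    # Finance group members may read invoices even without a role (group-based grant).
    ("permit", lambda r: r.action == "invoice:read"
             and r.resource.get("type") == "invoice" and r.subject in GROUP_MEMBERS["finance"]),
]

def decide(req: Request) -> str:
    """Hybrid decision: deny rules override, then RBAC entitlements, then permit rules, else deny."""
    if any(effect == "deny" and pred(req) for effect, pred in RULES):
        return "deny"
    if req.action in entitlements_for(req.subject):
        return "permit"
    if any(effect == "permit" and pred(req) for effect, pred in RULES):
        return "permit"
    return "deny"  # default deny: no role, group, or rule granted the action
```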