Identity and access management (IAM) is an integral part of the security strategy of a modern enterprise. By ensuring that only the right people can access specific systems and data, IAM limits your organization’s exposure and reduces risk.
Many IAM systems use a method called role-based access control (RBAC) to decide who can do what within specific IT resources, such as applications, based on the organization’s structure and the users’ responsibilities.
RBAC lets you define and enforce fine-grained access by assigning a set of permissions to each role. The permissions in a role reflect the level of access that a category of users needs to perform its duties. In other words, different people in your company can have completely different levels and types of access privileges based solely on factors such as their job function and responsibilities.
For example, Human Resources employees could view employee records but not customer data. And an HR manager could delete or change HR records while a lower-level HR specialist would only be able to view them. When an individual’s responsibilities or functions change—for example, due to a promotion or department transfer—that person is assigned to the new role in the RBAC system.
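The HR scenario above, worked as a small RBAC engine. This is an added example, not code from the article: the role names (hr_specialist, hr_manager, sales_rep), the users and the resource types are constructed for illustration. Users are bound only to roles, roles carry the permissions, and a manager role inherits the specialist role so that "higher level" access is expressed once.

```python
# Added example (not from the article): a minimal RBAC policy engine.
# Role names, users and resource types are constructed for illustration.
from __future__ import annotations


class RbacPolicy:
    """Users hold roles; roles hold permissions; roles may inherit other roles."""

    def __init__(self) -> None:
        self._grants: dict[str, set[tuple[str, str]]] = {}  # role -> {(action, resource_type)}
        self._parents: dict[str, set[str]] = {}             # role -> roles it inherits from
        self._user_roles: dict[str, set[str]] = {}          # user -> roles

    def grant(self, role: str, action: str, resource_type: str) -> None:
        self._grants.setdefault(role, set()).add((action, resource_type))

    def inherits(self, role: str, parent: str) -> None:
        self._parents.setdefault(role, set()).add(parent)

    def assign(self, user: str, *roles: str) -> None:
        """Replace the user's roles. A transfer or promotion re-runs this;
        access tied to the old role disappears with it."""
        self._user_roles[user] = set(roles)

    def effective_roles(self, user: str) -> set[str]:
        """Expand inherited roles transitively (cycle-safe)."""
        seen: set[str] = set()
        stack = list(self._user_roles.get(user, set()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self._parents.get(role, set()))
        return seen

    def is_allowed(self, user: str, action: str, resource_type: str) -> bool:
        """Deny by default: permit only if some effective role grants the pair."""
        return any(
            (action, resource_type) in self._grants.get(role, set())
            for role in self.effective_roles(user)
        )


def build_hr_example() -> RbacPolicy:
    """The HR scenario from the text, expressed as roles (constructed data)."""
    p = RbacPolicy()
    p.grant("hr_specialist", "view", "hr_record")
    p.grant("hr_manager", "edit", "hr_record")
    p.grant("hr_manager", "delete", "hr_record")
    p.inherits("hr_manager", "hr_specialist")   # managers can do everything specialists can
    p.grant("sales_rep", "view", "customer_record")
    p.assign("alice", "hr_manager")
    p.assign("bob", "hr_specialist")
    return p


if __name__ == "__main__":
    policy = build_hr_example()
    print(policy.is_allowed("alice", "delete", "hr_record"))    # True
    print(policy.is_allowed("bob", "delete", "hr_record"))      # False
    print(policy.is_allowed("bob", "view", "customer_record"))  # False: HR never sees customer data
    policy.assign("bob", "sales_rep")                           # department transfer
    print(policy.is_allowed("bob", "view", "hr_record"))        # False: the old role's access is gone
```

The point to notice is the last two lines: a transfer is a single `assign` call, and every permission the old role carried disappears with it, which is what makes RBAC easy to audit compared with per-user grants.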
With the attribute-based access control (ABAC) approach, you essentially break a user, and the circumstances of their request, down into attributes that determine their access in your system. When authorizing, the system considers not only the user’s attributes but also attributes of the resource, the environment, and the action the user is trying to take. For example, a customer support representative who tries to open and edit a contract might find that they can only read the file. The level of control in this system is high, but so is the effort required to define and maintain the attributes and policies.
With attribute-based access control, every access decision is evaluated against the policies you define, which gives you complete, fine-grained control over who gets access to what at any given time.
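The contract scenario above, worked as a small ABAC evaluator. This is an added example, not code from the article: the attribute names (department, clearance, owner, classification, network), the rules and the requests are all constructed for illustration. Each rule is a predicate over the four attribute sets the text names (subject, resource, action, environment); the combiner is deny-overrides with a default of deny, so a request that no rule permits is refused.

```python
# Added example (not from the article): a small ABAC evaluator.
# Every attribute name, rule and request below is constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    """The four attribute sets an ABAC decision considers."""
    subject: dict
    resource: dict
    action: str
    environment: dict


@dataclass(frozen=True)
class Rule:
    effect: str                          # "permit" or "deny"
    description: str
    applies: Callable[[Request], bool]   # predicate over all four attribute sets


# Ordering is irrelevant: any matching deny rule overrides every permit rule.
RULES = [
    Rule("permit", "support staff may read contracts",
         lambda r: r.subject.get("department") == "support"
         and r.resource.get("type") == "contract" and r.action == "read"),
    Rule("permit", "legal staff and the owner may edit contracts",
         lambda r: r.resource.get("type") == "contract" and r.action == "edit"
         and (r.subject.get("department") == "legal"
              or r.subject.get("id") == r.resource.get("owner"))),
    Rule("deny", "writes are allowed only from the corporate network",
         lambda r: r.action in {"edit", "delete"}
         and r.environment.get("network") != "corporate"),
    Rule("deny", "clearance must meet the resource classification",
         lambda r: r.subject.get("clearance", 0) < r.resource.get("classification", 0)),
]


def decide(request: Request, rules: list[Rule] = RULES) -> tuple[str, str]:
    """Deny-overrides, default-deny: returns (decision, reason)."""
    matching = [rule for rule in rules if rule.applies(request)]
    for rule in matching:
        if rule.effect == "deny":
            return "deny", rule.description
    for rule in matching:
        if rule.effect == "permit":
            return "permit", rule.description
    return "deny", "no rule permits this request"


# Constructed sample data: a contract owned by erin, a support rep and the owner.
CONTRACT = {"type": "contract", "owner": "erin", "classification": 1}
DANA = {"id": "dana", "department": "support", "clearance": 1}
ERIN = {"id": "erin", "department": "sales", "clearance": 2}
OFFICE = {"network": "corporate"}
HOME = {"network": "home"}

if __name__ == "__main__":
    print(decide(Request(DANA, CONTRACT, "read", OFFICE)))  # ('permit', 'support staff may read contracts')
    print(decide(Request(DANA, CONTRACT, "edit", OFFICE)))  # ('deny', 'no rule permits this request')
    print(decide(Request(ERIN, CONTRACT, "edit", OFFICE)))  # ('permit', 'legal staff and the owner may edit contracts')
    print(decide(Request(ERIN, CONTRACT, "edit", HOME)))    # ('deny', 'writes are allowed only from the corporate network')
```

Returning the matched rule's description alongside the decision is what makes an ABAC deny explainable in a log; the support representative's failed edit is refused not by a specific prohibition but because no rule grants it, which is the default-deny behaviour a reviewer should expect.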
Capability-based access control (CapBAC) is one of the security models used in the design of secure computing systems. A capability (known in some systems as a key) is a communicable, unforgeable token of authority: a value that references an object together with an associated set of access rights.
A user program on a capability-based operating system must present a capability to access an object. CapBAC refers to the principle of designing user programs so that they share capabilities directly with each other according to the principle of least privilege, and to the operating-system infrastructure needed to make such transfers efficient and secure.
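The two properties the text names, unforgeability and least-privilege sharing, worked in a single process. This is an added example, not code from the article or from any capability-based operating system: real systems keep capability references unforgeable through the kernel or hardware, whereas here a keyed HMAC plays that role so the idea can be shown in plain Python. The object names, rights and key are constructed. A holder can derive a weaker capability to hand to another program (attenuation), but can never add rights, and a tampered token fails verification.

```python
# Added example (not from the article): capabilities as unforgeable tokens.
# A keyed HMAC stands in for the kernel-enforced unforgeability of a real
# capability system. Object names, rights and the key are constructed.
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


class CapabilityIssuer:
    """Mints, verifies and attenuates capabilities. Only the holder of the key
    can mint, so a program cannot manufacture rights it was never given."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def mint(self, obj: str, rights: set[str]) -> dict:
        """A capability names one object and a fixed set of rights on it."""
        body = {"obj": obj, "rights": sorted(rights), "id": secrets.token_hex(8)}
        return {**body, "mac": self._mac(body)}

    def verify(self, cap: dict) -> bool:
        body = {k: v for k, v in cap.items() if k != "mac"}
        return hmac.compare_digest(self._mac(body), str(cap.get("mac", "")))

    def attenuate(self, cap: dict, rights: set[str]) -> dict:
        """Derive a weaker capability for sharing: least privilege in practice.
        The subset check makes it impossible to add rights on the way down."""
        if not self.verify(cap):
            raise ValueError("parent capability is not genuine")
        if not rights <= set(cap["rights"]):
            raise ValueError("cannot attenuate to rights the parent lacks")
        return self.mint(cap["obj"], rights)

    def access(self, cap: dict, obj: str, op: str) -> bool:
        """The object's guard: the token must be genuine, name this object and carry the right."""
        return self.verify(cap) and cap["obj"] == obj and op in cap["rights"]


def demo() -> dict[str, bool]:
    """Constructed scenario: an owner shares read-only access to a file."""
    issuer = CapabilityIssuer(secrets.token_bytes(32))
    full = issuer.mint("file:payroll.csv", {"read", "write"})
    read_only = issuer.attenuate(full, {"read"})
    forged = dict(read_only, rights=["read", "write"])  # tampered: MAC no longer matches
    return {
        "owner_writes": issuer.access(full, "file:payroll.csv", "write"),
        "delegate_reads": issuer.access(read_only, "file:payroll.csv", "read"),
        "delegate_writes": issuer.access(read_only, "file:payroll.csv", "write"),
        "forged_writes": issuer.access(forged, "file:payroll.csv", "write"),
        "wrong_object": issuer.access(full, "file:other.csv", "read"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Note what is absent: there is no lookup of who the caller is. Possession of a genuine token is the whole authorization decision, which is why capability systems make least-privilege delegation natural and why protecting tokens from theft matters as much as protecting them from forgery.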