RBAC-VS-ABAC
Static roles vs dynamic policies.
Definition
RBAC: NIST RBAC Standard 2004 ; simple, predictable but suffers role-explosion (hundreds of roles). ABAC: NIST SP 800-162 (2014) ; XACML 3.0 (OASIS), OPA Rego (Open Policy Agent), Cedar (AWS). PBAC (Policy-Based) often synonym of ABAC.
Origin
RBAC formalised by Ferraiolo & Kuhn 1992 ; NIST INCITS 359-2004. ABAC NIST SP 800-162 published January 2014.
Example in context
An EDI portal with 50 suppliers migrates from RBAC (200 roles) to ABAC (OPA) — rule partner.id = resource.owner.
Related terms
- ZTA — decision foundation.