Question
Personal
IN
Last activity: 26 Nov 2024 0:13 EST
Difference between ABAC and RBAC.
What's the difference between ABAC and RBAC?
Accepted Solution
Updated: 26 Nov 2024 0:13 EST
Eclatprime Digital Private Limited
AU
Hello @MokshagnaJ17205438,
RBAC (Role-Based Access Control):
- Access is based on predefined roles assigned to users.
- You manage access through Access Roles (e.g., Admin, Manager, User) and associate them with Access Groups.
- For example, a user in the "Manager" group might have access to reports and dashboards, while a "User" group might not.
- Configuration: Use Access of Role to Object (ARO) and Privilege rules to define role-specific access to case types, rules, and data.
ABAC (Attribute-Based Access Control):
- Access is granted dynamically, depending on attributes of the user, object, or environment.
- For example, a user may access a case only if:
  - Their department matches the case's department attribute.
  - The case urgency is below a specific threshold.
- Configuration: Use Access Control Policy rules to define conditions based on property values. Policies can include:
  - Read: Who can view the data.
  - Update: Who can modify the data.
  - Delete: Who can delete the data.
Maantic Inc
IN
RBAC is typically used to specify the access control requirements that pertain to the persona (user role) an operator observes when using a Pega application.
- Stephen is a Call Center Worker when using the Customer Service application, needing authorization to create Service cases, but is unauthorized to perform account changes for VIP customers.
- Rebecca is a Senior Account Manager when using the Customer Service application, and is granted the authorization to perform account changes for VIP customers.
You use ABAC to restrict access on specific instances of classes using policies that are not role-based, but instead based on other attributes known about the user. For example, each operator may be tagged with a Security Classification, which in itself applies limitations on which data the operator is authorized to access.
For example, in the Customer Service application used by Stephen and Rebecca above, a Security Clearance of AAA is needed to see a Customer’s address history older than five years and their Social Security Number.
- Stephen holds a Security Clearance of AAA. Whenever he accesses Customer information in the application, he should be authorized to see full address history and the customer’s Social Security Number, even though the RBAC for his persona (user role) prohibits him from performing account changes if that customer is a VIP.
- Rebecca holds a Security Clearance of B. She is authorized to see only a Customer’s address history up to five years old. She is not authorized to see the Customer’s Social Security Number, even though the RBAC for her persona (role) allows her to make changes to VIP customer accounts.
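The layering that the answers above describe (RBAC deciding what a role may do on a class, ABAC policies then narrowing which instances and fields an operator sees) as an added, runnable Python model. This is example code written for this page, not Pega's implementation or anything posted in the thread: the role table, the privilege name `UpdateVIPAccount`, the clearance ranking, the five-year address cutoff, the urgency threshold and the Stephen/Rebecca sample data are all constructed assumptions standing in for ARO, Privilege and Access Control Policy rules.

```python
"""Toy model of RBAC layered with ABAC (added example; not Pega code)."""
from dataclasses import dataclass

# RBAC layer: which actions each access role may perform on each class.
# Stands in for Access of Role to Object (ARO) rules; the table is hypothetical.
ROLE_PERMISSIONS = {
    "CallCenterWorker":     {"Customer": {"Read"},           "ServiceCase": {"Read", "Create"}},
    "SeniorAccountManager": {"Customer": {"Read", "Update"}, "ServiceCase": {"Read", "Create"}},
}
# Role-specific privileges (stands in for Privilege rules); names are assumed.
ROLE_PRIVILEGES = {
    "CallCenterWorker": set(),
    "SeniorAccountManager": {"UpdateVIPAccount"},
}
# ABAC attributes: clearance ordering and policy thresholds, all assumed for the demo.
CLEARANCE_RANK = {"B": 1, "AA": 2, "AAA": 3}
FULL_HISTORY_CLEARANCE = "AAA"   # clearance needed for SSN and address history older than 5 years
MAX_ADDRESS_AGE_YEARS = 5
MAX_CASE_URGENCY = 50


@dataclass
class Operator:
    name: str
    role: str          # drives the RBAC decision
    clearance: str     # ABAC attribute
    department: str    # ABAC attribute


@dataclass
class Customer:
    customer_id: str
    vip: bool
    ssn: str
    address_history: list   # [(years_old, address), ...]


@dataclass
class ServiceCase:
    case_id: str
    department: str
    urgency: int


def rbac_allows(op, klass, action):
    """RBAC: does the operator's access role grant this action on this class?"""
    return action in ROLE_PERMISSIONS.get(op.role, {}).get(klass, set())


def has_privilege(op, privilege):
    return privilege in ROLE_PRIVILEGES.get(op.role, set())


def can_update_customer(op, customer):
    """Pure RBAC decision: the role must grant Update, and VIP accounts need an extra privilege."""
    if not rbac_allows(op, "Customer", "Update"):
        return False
    return not customer.vip or has_privilege(op, "UpdateVIPAccount")


def can_read_case(op, case):
    """ABAC Read policy on ServiceCase instances: department must match and urgency be below
    the threshold. RBAC is evaluated first; a policy only narrows what the role already grants."""
    if not rbac_allows(op, "ServiceCase", "Read"):
        return False
    return op.department == case.department and case.urgency < MAX_CASE_URGENCY


def customer_view(op, customer):
    """ABAC at field level: the Customer data this operator may see, or None if RBAC denies Read.
    Whether the SSN and the full address history are shown depends on the clearance attribute."""
    if not rbac_allows(op, "Customer", "Read"):
        return None
    full = CLEARANCE_RANK[op.clearance] >= CLEARANCE_RANK[FULL_HISTORY_CLEARANCE]
    history = [h for h in customer.address_history if full or h[0] <= MAX_ADDRESS_AGE_YEARS]
    return {
        "customer_id": customer.customer_id,
        "ssn": customer.ssn if full else "***-**-" + customer.ssn[-4:],
        "address_history": history,
    }


# Constructed sample data mirroring the Stephen/Rebecca scenario in the thread.
STEPHEN = Operator("Stephen", "CallCenterWorker", "AAA", "Billing")
REBECCA = Operator("Rebecca", "SeniorAccountManager", "B", "Billing")
VIP = Customer("C-1", vip=True, ssn="123-45-6789",
               address_history=[(1, "10 New St"), (4, "22 Mid Rd"), (9, "5 Old Ln")])
CASE_OK = ServiceCase("S-1", "Billing", urgency=20)
CASE_HOT = ServiceCase("S-2", "Billing", urgency=80)
CASE_OTHER = ServiceCase("S-3", "Claims", urgency=20)

if __name__ == "__main__":
    for op in (STEPHEN, REBECCA):
        print(op.name, "may update VIP account:", can_update_customer(op, VIP))
        print(op.name, "sees:", customer_view(op, VIP))
        print(op.name, "readable cases:",
              [c.case_id for c in (CASE_OK, CASE_HOT, CASE_OTHER) if can_read_case(op, c)])
```

Running it shows the two decisions moving independently: Stephen's role blocks the VIP account change, yet his AAA clearance reveals the SSN and the nine-year-old address; Rebecca's role and privilege allow the change, while her B clearance masks the SSN and drops history older than five years. The ordering in `can_read_case` and `customer_view` is the point worth keeping in a real design: the attribute policy filters within what the role grants and never widens it.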
Pegasystems Inc.
CA
Please go over this academy course to understand RBAC and ABAC in detail. Real-time examples are also provided to clarify when to use RBAC vs. ABAC.
https://academy.pega.com/topic/authorization-policy-configuration/v1