We have two access control mechanisms, role-based (RBAC) and attribute-based (ABAC). When I think of use cases, I wonder if I should use RBAC with Access When or ABAC. What are the best practices or recommendations for them? How does the system internally process these access controls? Does one have any performance implications over the other? Does ABAC have any exclusivity which cannot be done using RBAC?
First, using Access Whens in RAROs (RBAC) to accomplish row-level security is very limited functionally in a variety of ways but especially in reports and in searches. Second, enforcing row-level restrictions in ABAC policies should actually be better performing, since the policy conditions defined in ABAC are automatically included in the SQL generated by the Platform, and the DB can process these very efficiently.
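The answer's point that ABAC policy conditions become part of the generated SQL, shown as an added example (not the Platform's code and not written by either poster): a generic SQLite illustration in which the table, the columns, the `POLICY` dictionary and all function names are assumptions. It compares a row-level condition placed in the WHERE clause with a per-row check done after fetching, and shows the effect on an aggregate report.

```python
import sqlite3

# Constructed sample data: (case id, owning department, amount).
ROWS = [("C-1", "HR", 100), ("C-2", "HR", 250), ("C-3", "FIN", 900), ("C-4", "LEGAL", 40)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cases (id TEXT PRIMARY KEY, department TEXT, amount INTEGER)")
    db.executemany("INSERT INTO cases VALUES (?, ?, ?)", ROWS)
    return db

# Hypothetical policy: a row is readable when its attribute column equals
# the named attribute of the requesting operator.
POLICY = {"column": "department", "operator_attr": "department"}
ALLOWED_COLUMNS = {"department"}  # allow-list: column names cannot be bound as parameters

def policy_predicate(policy, operator):
    """Return (sql_fragment, params) for the row-level condition."""
    col = policy["column"]
    if col not in ALLOWED_COLUMNS:
        raise ValueError(f"policy column not allowed: {col!r}")
    return f"{col} = ?", [operator[policy["operator_attr"]]]

def list_pushdown(db, operator):
    """Condition is part of the WHERE clause; only permitted rows leave the DB."""
    pred, params = policy_predicate(POLICY, operator)
    return db.execute(f"SELECT id FROM cases WHERE {pred} ORDER BY id", params).fetchall()

def list_postfilter(db, operator):
    """Fetch everything, then check each row in application code."""
    rows = db.execute("SELECT id, department FROM cases ORDER BY id").fetchall()
    allowed = [(i,) for i, dept in rows if dept == operator["department"]]
    return allowed, len(rows)  # second value: rows pulled from the DB

def report_total(db, operator=None):
    """Aggregate report; with operator=None no row-level condition is applied."""
    if operator is None:
        return db.execute("SELECT COUNT(*), SUM(amount) FROM cases").fetchone()
    pred, params = policy_predicate(POLICY, operator)
    return db.execute(f"SELECT COUNT(*), SUM(amount) FROM cases WHERE {pred}", params).fetchone()

if __name__ == "__main__":
    db, hr = make_db(), {"id": "op1", "department": "HR"}
    print(list_pushdown(db, hr), list_postfilter(db, hr))
    print(report_total(db, hr), report_total(db))
```

In this sketch the aggregate computed without the predicate includes rows the operator cannot read, and a per-row check applied after the query has nothing left to filter.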