Role-Based or Attribute-Based ACL Authorization
  • 11 May 2022

Access Control Level Types

RapidIdentity supports managing user authorization using fine-grained ACLs based on Attributes (ABAC), Roles (RBAC), Entitlements (EBAC) and/or Objects (OBAC). There are minimal constraints on how ACLs can be derived to provide the security model the client wants. Where appropriate, authorized administrators and power users can control access to client content, applications, the system and other resources using these ACLs. RapidIdentity fully supports Role Based Access Control (RBAC) throughout the configuration of each component. The service uses RBAC (coarse-grain) filters in policy definitions to define what users are authorized to do and which resources they may access. While RBAC can be a very complex subject, we follow a few simple concepts when implementing it with RapidIdentity.

RBAC is for coarse-grain access control. When we can make access control decisions with broad strokes, we use RBAC.
Example use case: Helpdesk individuals at different locations and job codes would need to have access to reset student passwords within a delegation. RBAC could assign this Delegation to those users who have been set up within the Portal Helpdesk role.

ABAC is for when we need more granularity, or need to make a decision only under certain conditions.
Example use case: An Authentication policy for a specific school location should only be applied to first grade students. ABAC could target the location and the grade level with an LDAP-style filter such as

(&(idautoPersonSchoolName=That School)(idautoPersonGradeLevel=01))

RapidIdentity can use RBAC and ABAC together in a hierarchical approach. For example, RBAC controls which users have access to a specific application, and ABAC then decides when they can access it, under specific conditions. Whether we use RBAC and/or ABAC, RapidIdentity helps us define what users can do with applications by providing multiple mechanisms to ensure the right people get the right access to the right things—at the right time.
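To make the two layers concrete, here is an added example (not RapidIdentity's own code) that parses LDAP-style filters like the one above, evaluates them against a user's attributes, and applies the hierarchical check: an RBAC role gate first, then the ABAC condition. The attribute names are the article's; the role names, user records and the `authorized` policy shape are assumptions for illustration.

```python
# Added example, not RapidIdentity's own code: an evaluator for the LDAP-style
# ABAC filter shown above, plus a check that layers that filter on top of an
# RBAC role gate. Attribute names follow the article; roles and users are made up.

def parse_filter(text):
    """Parse an RFC 4515-style filter ('&', '|', '!' and attr=value) into a tree."""
    def parse(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":  # composite node: read child filters until ')'
            pos += 1
            children = []
            while text[pos] == "(":
                node, pos = parse(pos)
                children.append(node)
            if text[pos] != ")" or (op == "!" and len(children) != 1):
                raise ValueError("malformed composite filter")
            return (op, children), pos + 1
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        return ("=", attr.strip().lower(), value), end + 1
    try:
        tree, pos = parse(0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(node, attrs):
    """Evaluate a parsed filter against a user's attributes (names case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    actual = {k.lower(): v for k, v in attrs.items()}.get(attr)
    present = [] if actual is None else (actual if isinstance(actual, list) else [actual])
    return bool(present) and (value == "*" or value in present)

def authorized(user, role, abac_filter):
    """Hierarchical check: the RBAC role gates access, the ABAC filter says when."""
    if role not in user.get("roles", ()):  # coarse-grain gate first
        return False
    return matches(parse_filter(abac_filter), user)
```

Note that an absent attribute never matches, even against `*`, and a malformed or truncated filter raises rather than silently evaluating to a permissive result.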
