Question

What is the primary difference in impact on the Principle of Least Privilege when using ABAC compared to RBAC?

Accepted Answer

The primary difference in impact on the Principle of Least Privilege—which states that a user should only have the minimum level of access necessary to perform their job—is that Role-Based Access Control (RBAC) relies on static group memberships while Attribute-Based Access Control (ABAC) relies on dynamic, context-aware policy evaluation. In RBAC, access is assigned to a role, such as Manager, and all users assigned to that role receive the same permissions regardless of their specific situation. This often leads to role explosion or excessive privilege, where users hold broad permissions that they do not use for every task. In contrast, ABAC evaluates access based on specific attributes of the user, such as their department or security clearance, the resource being accessed, and environmental factors like time of day or location. Because ABAC can deny access even if a user holds a specific role—for example, by requiring a user to be on the company network to access sensitive financial files—it allows for a much more granular and precise application of the Principle of Least Privilege. While RBAC provides a broad, coarse-grained access structure, ABAC enables a fine-grained, conditional approach that ensures access is granted only when every relevant attribute satisfies the security policy.

Home → All Courses → Engineering and Technology Courses → Cloud Computing Architecture → Flashcard

What is the primary difference in impact on the Principle of Least Privilege when using ABAC compared to RBAC?