Question

How does implementing Attribute-Based Access Control (ABAC) differ from Role-Based Access Control (RBAC) in terms of granularity when securing PII data?

Accepted Answer

Role-Based Access Control, or RBAC, manages access by assigning permissions to specific roles like manager or analyst rather than to individual users. In this model, access to Personally Identifiable Information, or PII, is broad and static because anyone assigned to a role automatically receives all permissions associated with that role. For example, if a role has access to a database of customer records, every user in that role can see every record in that database regardless of their specific current task or the sensitivity of the individual data points. Attribute-Based Access Control, or ABAC, provides a much finer level of granularity by evaluating dynamic characteristics—known as attributes—before granting access. These attributes include characteristics of the user like their department, characteristics of the resource like the classification level of the PII, and environmental factors like the time of day or the user&#x27;s current location. Because ABAC evaluates these multiple variables in real-time, it allows for conditional access that RBAC cannot achieve. For example, ABAC can restrict access so that a marketing employee can only view customer email addresses if they are accessing the file during business hours from a secure company network, while simultaneously blocking access to more sensitive PII like social security numbers. While RBAC relies on static membership in a group to determine what a user can see, ABAC uses logic-based policies to create precise, context-aware access rules that can be tailored to specific data fields or record types.

Home → All Courses → Engineering and Technology Courses → Data Engineering → Flashcard

How does implementing Attribute-Based Access Control (ABAC) differ from Role-Based Access Control (RBAC) in terms of granularity when securing PII data?