
Roles vs Attributes: Access Control

Key Points

  • The video distinguishes authentication (identifying “who you are”) from authorization (determining “what you’re allowed to do”), highlighting that the latter is often overlooked.
  • It introduces two primary authorization models—Role‑Based Access Control (RBAC) and Attribute‑Based Access Control (ABAC)—and compares their advantages and disadvantages.
  • Using a hospital scenario, the speaker shows how managing permissions without roles quickly becomes complex and unmanageable as users and capabilities grow.
  • By assigning users to roles (e.g., doctor, nurse, lab technician), RBAC simplifies permission management, making updates and onboarding far easier and more scalable.

Source: https://www.youtube.com/watch?v=rvZ35YW4t5k
Duration: 00:07:32

Sections

  • 00:00:00 (https://www.youtube.com/watch?v=rvZ35YW4t5k&t=0s) Understanding RBAC vs ABAC: The speaker explains access control concepts, contrasting role‑based and attribute‑based authorization using a hospital example.

Full Transcript
[0:00] Two questions for you: who are you, and what are you allowed to do? These are two questions that go into what we call access control. Access control is involved in these two steps. I've talked a lot about this one in previous videos, about authentication. This is where we get things like multi-factor authentication, password strength rules, passkeys and things of that sort. That's answering the question "who are you?" But I'll tell you, the harder question to answer is this one: what are you allowed to do? This is the area of authorization, and that's one that often gets overlooked. The subject of today's video, then, is going to deal with two different approaches to authorization: role-based access control and attribute-based access control, RBAC and ABAC. Let's take a look at the two and see what are the pros and cons of each.

[0:52] Okay, let's take a look at what it looks like if we don't use roles for our access control decisions. So let's say we have a hospital environment, and we've got a doctor here, and a doctor should be able to write orders that the nurses follow and other people follow. They should be able to read the orders that they've written. They can read the lab reports that have come, but they can't write the lab reports; only a lab technician can create those reports, and the lab technician should be able to read these but probably not the others of these kinds of things. So then we also have, say, a bunch of nurses, and the nurses cannot write orders, but they can read them so that they can follow them. All the nurses should be able to maybe read the labs to understand what's there, but they don't write. So you can see what happens here as we expand this out to more and more users and more and more capabilities. This is a trivial example with just four capabilities and five users. Imagine if we scale this to thousands or tens of thousands or hundreds of thousands. What does this spaghetti look like? It gets to be a real mess. So that's without roles.

[2:03] How about if we introduce roles into the case? So in this case, what I do is I say, okay, doctors, all doctors, can write orders, they can read orders, they can read labs. Nurses can read orders, they can read labs. And a lab technician can write labs and read labs. This looks fairly simple because I'm talking about them in aggregate; this is an abstraction of what a lot of different people would do. Now all I have to do in order to implement this is map the individual users into the roles that they fill. So I say this person's a doctor, these people are all nurses, and this person is a lab tech, and voilà. So with roles, then, I get something that is much simpler, much cleaner and much easier to manage. Imagine later if I come along and say, you know what, we need to add a new capability. I don't know what we're going to call it, but some new function, and in fact I'd like nurses and doctors to be able to do it. That's all I have to do; I don't have to go back and change all of this. Or if we get a new employee that comes in and we say, oh yeah, the new employee, that person's a lab tech, I just map them to the role and they pick up all the capabilities. So you can see what we've done here is we've simplified by abstracting out, and we're giving access rights based upon the role the person plays within the organization.

[3:29] So that was a look at role-based access control. In that case, what you get to do depends on what role you're assigned to. The other approach to this that we're going to look at is attribute-based access control. So with attributes we could look at a lot of different things, such as: what geography are you in? Is it US, is it Europe, is it Latin America, this sort of thing. Position: what kind of a position do you have within the organization? That's another thing we could look at. The department that you're in. Your employment status: are you a permanent full-time employee, a contractor, a part-timer? That may affect what we give you access to. Are you a manager or not? And what is your clearance level? Are you allowed to see high security, high sensitivity, medium or low, or secret, top secret, that sort of thing. So these are just examples of attributes; you could dream up your own as well. But let's take a look at what an example would be if I used attributes. Let's say we have an individual who wants access to a particular report, and we may build an attribute-based access control rule that says basically you have to have a clearance of high, that is, that you can see the most sensitive stuff; you have to be a manager; and you have to be in the finance department. And if all of these things are true, then you're given access to this particularly sensitive financial information. So that's an example of this.

[5:01] Okay, I just took you through an example of attribute-based access control, and before that we looked at role-based access control. ABAC and RBAC: which one is better? Well, it all depends. It depends on what you're trying to do. If you're in an organization that is fairly hierarchical, then you may find that roles naturally will sort of suggest themselves to you. If, however, you're in an organization where that's not the case and you may need more flexibility, a more dynamic system, then ABAC may be better. So, more dynamic, probably simpler, although you could do either of these and make them really overly complicated; I've seen examples of both. But I'm going to suggest to you it's not necessarily either/or. In fact, it could be both, and you could do a hybrid approach where you use both RBAC and ABAC in order to accomplish the job. I might use a role as your high level to assign the attribute that you're supposed to have, so they can work together.

[6:02] Let's take a look at an architectural example of how you would implement these in the real world. So let's take a user here. This user wants access to a particular resource, so we're going to put something to mediate access control access in between the two of them, a security component. So they come into this, and we call this a policy enforcement point. The policy enforcement point will go up and ask another architectural component, known as the policy decision point, "should I grant access to this user to this resource?" It'll ask that question and get an answer back, and if the answer is yes then it allows access; if the answer is no, well then it blocks access. Fairly simple. So you've got a PEP and a PDP that are involved in this, and the decision is separate from the enforcement. The enforcement is a simple "yeah, you get it" or "no, you don't." The decision is really where all the hard work goes in. In fact, you could use RBAC as the way to inform these decisions, or you could use ABAC, or again you could use both. So there are advantages to both of these; they don't have to be one or the other, and you should choose whichever one fits best for your organization.

[7:18] If you like this video and want to see more like it, please like and subscribe. If you have any questions or want to share your thoughts about this topic, please leave a comment below.
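The following is an added example, written for this page and not taken from the video or its speaker, that puts the Key Points and the transcript into working code: the hospital roles (doctor, nurse, lab technician) as an RBAC mapping, the finance-report rule (clearance high, manager, finance department) as an ABAC predicate, and a policy enforcement point that only allows or blocks while a separate policy decision point does the deciding, consulting both models as the hybrid the speaker describes. All names, the capability strings, the attribute keys and the users are constructed assumptions for this illustration.

```python
"""Added example: RBAC and ABAC behind a PEP/PDP split (constructed, not from the video)."""
from __future__ import annotations

from dataclasses import dataclass, field

# --- RBAC: a role aggregates capabilities; users are mapped to roles --------
# Capability names are constructed for this example.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "doctor": {"write_orders", "read_orders", "read_labs"},
    "nurse": {"read_orders", "read_labs"},
    "labtech": {"write_labs", "read_labs"},
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    # ABAC attributes (constructed keys): clearance, department, manager
    attributes: dict[str, object] = field(default_factory=dict)


def role_permissions(user: User) -> set[str]:
    """Union of the capabilities granted by every role the user holds."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def add_capability(capability: str, *roles: str) -> None:
    """Grant a new capability to roles; users in those roles pick it up
    with no per-user edits, which is the scaling benefit of roles."""
    for role in roles:
        ROLE_PERMISSIONS.setdefault(role, set()).add(capability)


# --- ABAC: a rule is a predicate over the requester's attributes -------------
def finance_report_rule(user: User) -> bool:
    """Clearance 'high' AND manager AND finance department, all required."""
    a = user.attributes
    return (
        a.get("clearance") == "high"
        and a.get("manager") is True
        and a.get("department") == "finance"
    )


# Action name is constructed; it maps an action to the rule that governs it.
ATTRIBUTE_RULES = {"read_sensitive_finance_report": finance_report_rule}


# --- PDP decides, PEP enforces ------------------------------------------------
def policy_decision_point(user: User, action: str) -> bool:
    """Hybrid decision: allow when RBAC grants the action or an ABAC rule
    evaluates true for this user. Anything else is denied by default."""
    if action in role_permissions(user):
        return True
    rule = ATTRIBUTE_RULES.get(action)
    return bool(rule and rule(user))


def policy_enforcement_point(user: User, action: str, resource: str) -> str:
    """Mediates every request: asks the PDP and only allows or blocks."""
    if policy_decision_point(user, action):
        return f"ALLOW {user.name} {action} on {resource}"
    return f"DENY {user.name} {action} on {resource}"


if __name__ == "__main__":
    # Constructed sample users for a quick run.
    doctor = User("Dr. A", {"doctor"})
    nurse = User("Nurse B", {"nurse"})
    manager = User("Finance Mgr", set(),
                   {"clearance": "high", "manager": True, "department": "finance"})
    print(policy_enforcement_point(nurse, "write_orders", "orders"))
    print(policy_enforcement_point(doctor, "write_orders", "orders"))
    print(policy_enforcement_point(manager, "read_sensitive_finance_report", "q3-report"))
```

The PEP never inspects roles or attributes itself; it forwards the question and acts on a yes/no answer, so the hard part (the policy) lives in one place and can switch from RBAC to ABAC to both without touching the enforcement code. Note the deny-by-default return in the PDP: an action that no role grants and no rule covers is blocked rather than silently allowed.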