KuppingerCole Report
Advisory Note
By Dan Blum

Unifying RBAC and ABAC in a Dynamic Authorization Framework

Mastering authorization is critical for modern organizations with multiple user constituencies, applications, and data types. Groups are necessary but not sufficient in complex environments. Roles are handy for adding manageability and assurance to coarse- or medium-grained authorization but break down in the face of dynamic environments or complex access policies. Attribute-based access control (ABAC) has gained adherents, but is in fact just another piece of the puzzle. In this note, KuppingerCole will unfold the dimensions of a unified authorization framework incorporating all of the above and more.

1 Management Summary

Dynamic authorization in complex enterprise IT environments is one of the most challenging parts of identity and access management (IAM) and informati ...


2 Highlights

  • Organizations with a mix of medium- to high-risk custom, COTS, and SaaS applications often struggle with authorization
  • Conventional group and role ...

3 Authorization Challenges

Many large, established organizations operate diverse portfolios of custom-developed, commercial off-the-shelf (COTS), and software-as-a-service (SaaS ...

  • Billions of entitlements may be required for thousands of people (or subjects) times millions of data elements.
  • Complexity grows when subjects mus ...

4 Authorization Requirements for the Future State

Amidst the fast-moving zeitgeist of the digital transformation, running a competitive company, effective government agency, or university requires con ...


4.1 Types of Authorization

Different types of authorization are required:

Initial Authorization: There is a difference – and an overlap – between authentication and autho ...


5 Authorization Frameworks

Many vendors will claim they have the solution to the authorization challenge. Directory vendors offer a consolidated directory to store groups; provi ...

  • Governance: Admin time authorization management sets policy, handles access requests or access reviews, and provisions access.
  • The policy models ...

5.1 Policy Models

Done properly, governance and runtime authorization come together in the policy models. Authorization policy models structure the actual criteria used ...


5.1.1 Groups

Access control groups are data structures containing a list of named users. Typically, a group also has one or more users defined as its owner. The fo ...


5.1.2 Role-Based Access Control (RBAC)

A role is a type of attribute describing what a user does in an organization or an application. RBAC is the name for various methodologies for using o ...


5.1.3 Attribute-Based Access Control (ABAC)

The ABAC model proposes a “unified field” for authorization policy models. In ABAC, all the following types of data are modeled as attributes:

  • Su ...

5.1.4 Entitlements and Entitlements Sets

Entitlements are data items tracked to record what a subject can do with, or to, a resource, such as a file or application data object. The term “ ...


5.1.5 Access Policy Expressions (Rules)

Access policy expressions are rules that are used to evaluate attributes (including roles, group memberships, resource attributes, etc.) in an authori ...


5.2 Runtime Authorization

Runtime authorization is the real-time access policy enforcement at a gateway or resource level. Authorization decisions are made using policy model a ...


5.2.1 Patterns

Table 1 lists typical types of runtime authorization patterns. Many of these patterns can be composed or combined in real-world use cases. For example, ...

Figure 4 depicts a basic “enterprise (web) application using PIP” authorization pattern. After a PEP authenticates the user (typically using a log ...

The other runtime authorization patterns in Table 1 come into play when multiple IAM domains interact, when applications interact via APIs, and betwee ...
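The PEP/PDP/PIP pattern above, with a role handled as just one attribute in the policy expression, is illustrated by the following added example (it is not code from the KuppingerCole note; the attribute names, rule names, subjects and resources are constructed for the illustration):

```python
# Added example (not from the KuppingerCole note): a minimal PEP -> PDP -> PIP
# flow in which roles are treated as one attribute among others, so one rule
# can combine an RBAC role check with ABAC attribute conditions.
from dataclasses import dataclass
from typing import Callable
# Constructed PIP data: subject and resource attributes looked up at runtime.
SUBJECT_ATTRS = {
    "alice": {"roles": {"claims_adjuster"}, "department": "claims", "clearance": 2},
    "bob":   {"roles": {"claims_adjuster"}, "department": "claims", "clearance": 1},
    "carol": {"roles": {"auditor"},         "department": "audit",  "clearance": 3},
}
RESOURCE_ATTRS = {
    "claim-1001": {"owner_department": "claims", "sensitivity": 2},
    "claim-2002": {"owner_department": "claims", "sensitivity": 1},
}

def pip_lookup(subject: str, resource: str) -> dict:
    """Policy Information Point: assemble the attribute bag the PDP evaluates."""
    return {"subject": SUBJECT_ATTRS.get(subject, {}),
            "resource": RESOURCE_ATTRS.get(resource, {})}
@dataclass
class Rule:
    name: str
    actions: set
    # Role is just an attribute; the condition may mix it with other attributes.
    condition: Callable[[dict], bool]

# Access policy expressions (hypothetical rules written for this example).
POLICY = [
    Rule("adjuster-reads-own-dept", {"read", "update"},
         lambda a: "claims_adjuster" in a["subject"].get("roles", set())
                   and a["subject"].get("department") == a["resource"].get("owner_department")
                   and a["subject"].get("clearance", 0) >= a["resource"].get("sensitivity", 99)),
    Rule("auditor-reads-everything", {"read"},
         lambda a: "auditor" in a["subject"].get("roles", set())),
]

def pdp_decide(subject: str, action: str, resource: str) -> tuple:
    """Policy Decision Point: deny by default; permit if any rule matches."""
    attrs = pip_lookup(subject, resource)
    for rule in POLICY:
        if action in rule.actions and rule.condition(attrs):
            return ("Permit", rule.name)
    return ("Deny", None)

def pep_enforce(subject: str, action: str, resource: str) -> bool:
    """Policy Enforcement Point: the application only acts on a Permit."""
    decision, _ = pdp_decide(subject, action, resource)
    return decision == "Permit"
```

Note that bob holds the same role as alice but is denied on the more sensitive claim because the clearance attribute is evaluated alongside the role, which is the hybrid behaviour a pure role check cannot express.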


5.3 Admin Time Authorization

Access policy data must be created and managed for use in runtime authorization. Admin time authorization is the “access management” portion of IA ...


6 Putting the Pieces Together

An optimal authorization solution can be developed to meet complex requirements using a hybrid of RBAC and ABAC supported by appropriate admin time and r ...


7 Recommendations

KuppingerCole recommends organizations with a mix of medium- to high-risk custom, COTS, and SaaS applications follow the guidance in this Note to deve ...


8 Conclusion

A dynamic authorization architecture combines RBAC, ABAC, and multiple admin time and runtime authorization patterns to create a flexible platform for ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.