Azure Access Control Models
Role-Based Access Control (RBAC)
The Concept
RBAC manages who can do what by grouping permissions into roles. You define roles, attach permissions to each role, and assign roles to users. Access is decided by a user's role rather than by setting permissions one person at a time.
Example Breakdown
- Roles: named groups such as Admin, Editor, Viewer
- Users: team members, each assigned one or more roles
- Permissions: the actions a role allows, such as read, write, or delete
Advantages
- Simplicity: assign people to roles, and roles to permissions.
- Scalability: onboarding is just assigning new people to existing roles.
Disadvantages
- Rigidity: less flexible; a one-off access need usually means creating a new role, and such roles multiply over time.
Example
Jane is a Content Editor.
- Jane (the user) is assigned the Editor role.
- Editor lets her create and edit content but not delete it.
Jane can do her work without requesting new permissions from IT for each task.
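The following is an added example, not code from the original page, that models the RBAC decision just described in plain Python: roles carry permission sets, users hold roles, and a request is allowed only if one of the user's roles carries the action. The Admin/Editor/Viewer roles, the read/write/delete permissions and Jane's Editor assignment follow the page; the dictionaries, user names and function names are constructed here, and `grant_one_off` exists only to show the rigidity cost of meeting a single exception by minting a new role.

```python
"""Minimal RBAC decision model (added example, not from the original page).

Roles map to permission sets; users map to roles. A request is allowed
only if some role assigned to the user carries the requested permission.
Unknown users and unknown roles contribute nothing, so the default is deny.
"""
from typing import Dict, FrozenSet, Set

# Role -> permissions. Constructed to match the page's Admin/Editor/Viewer example.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "Admin": frozenset({"read", "write", "delete"}),
    "Editor": frozenset({"read", "write"}),  # can create/edit content, not delete it
    "Viewer": frozenset({"read"}),
}

# User -> roles. A user may hold more than one role. Names are constructed.
USER_ROLES: Dict[str, Set[str]] = {
    "jane": {"Editor"},
    "admin-bob": {"Admin"},
    "guest": set(),
}


def effective_permissions(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds.

    An unknown user or an unknown role name yields nothing, so the result
    for them is the empty set (default deny).
    """
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: str, action: str) -> bool:
    """RBAC decision: allowed iff the action is in the user's effective permissions."""
    return action in effective_permissions(user)


def grant_one_off(user: str, action: str) -> str:
    """Illustrates the rigidity cost: pure RBAC has no per-user exception,
    so a one-off need is met by creating a new role and assigning it.
    Returns the name of the role created (constructed naming scheme)."""
    role_name = f"{user}-{action}-temp"
    ROLE_PERMISSIONS[role_name] = frozenset({action})
    USER_ROLES.setdefault(user, set()).add(role_name)
    return role_name


if __name__ == "__main__":
    for action in ("read", "write", "delete"):
        print(f"jane {action}: {is_allowed('jane', action)}")
```

Note that the decision never inspects the user directly, only the roles attached to them; that is what makes onboarding cheap and exceptions expensive.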
Attribute-Based Access Control (ABAC)
The Concept
ABAC makes access decisions from attributes rather than roles alone. Those attributes can describe the user, the resource, the environment, or the action being attempted.
Example Breakdown
- Attributes: Details about the user (e.g., department), resource (e.g., data sensitivity), action (e.g., read), and environment (e.g., time of day).
- Policies: rules that combine attributes to decide whether to grant access.
Advantages
- Flexibility: fine-grained control over exactly who gets access and when.
- Context-aware: decisions can factor in conditions like time of day or location.
Disadvantages
- Complexity: harder to set up and maintain than RBAC.
- Performance: evaluating many attributes and policy rules on every request can add latency.
Example
Meet John. He's the Manager of Finance.
- Attributes: {role: Manager, department: Finance}
- Policy: "Let this user view financial reports if they're a Finance Manager and it's during the day shift (9 AM to 5 PM)."
John sees those reports only when every attribute in the policy matches.
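As an added example, not code from the original page, the policy evaluator below implements the ABAC decision for John's scenario in plain Python: a policy is a list of conditions over subject, resource, action and environment attributes, all of which must hold for a grant, and a missing attribute makes the policy fail (default deny). The Finance Manager, financial-report and 9 AM to 5 PM conditions follow the page; the attribute paths, the `Policy` class, the helper names and the decision that 5 PM itself falls outside the shift are assumptions made here.

```python
"""Minimal ABAC decision model (added example, not from the original page).

A policy is a conjunction of conditions over an attribute context built
from the subject, the resource, the action and the environment. Access is
granted if any policy matches; a missing attribute never matches.
"""
from datetime import datetime
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]
Condition = Callable[[Attributes], bool]


def lookup(ctx: Attributes, path: str) -> Any:
    """Follow a dotted path (e.g. 'subject.department') through nested dicts;
    return None if any step is missing so the caller falls through to deny."""
    node: Any = ctx
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def attr_equals(path: str, expected: Any) -> Condition:
    """Condition: the attribute at 'path' equals 'expected'."""
    return lambda ctx: lookup(ctx, path) == expected


def hour_between(path: str, start_hour: int, end_hour: int) -> Condition:
    """Condition: the datetime at 'path' satisfies start_hour <= hour < end_hour.
    The end is exclusive, so with (9, 17) a request at exactly 17:00 is denied."""
    def check(ctx: Attributes) -> bool:
        value = lookup(ctx, path)
        if not isinstance(value, datetime):
            return False  # missing or malformed environment attribute: deny
        return start_hour <= value.hour < end_hour
    return check


class Policy:
    def __init__(self, name: str, conditions: List[Condition]):
        self.name = name
        self.conditions = conditions

    def matches(self, ctx: Attributes) -> bool:
        return all(cond(ctx) for cond in self.conditions)


# Constructed policy for the page's John scenario (names are assumptions).
VIEW_FINANCIAL_REPORTS = Policy(
    "view-financial-reports-day-shift",
    [
        attr_equals("subject.role", "Manager"),
        attr_equals("subject.department", "Finance"),
        attr_equals("resource.type", "financial-report"),
        attr_equals("action", "view"),
        hour_between("environment.time", 9, 17),  # 9 AM up to, not including, 5 PM
    ],
)

POLICIES: List[Policy] = [VIEW_FINANCIAL_REPORTS]


def request(subject: Attributes, resource: Attributes, action: str, at: datetime) -> Attributes:
    """Assemble the attribute context for one access attempt."""
    return {"subject": subject, "resource": resource, "action": action,
            "environment": {"time": at}}


def decide(ctx: Attributes, policies: List[Policy] = POLICIES) -> bool:
    """ABAC decision: grant if any policy matches, otherwise deny."""
    return any(p.matches(ctx) for p in policies)


# Constructed sample subject and resource.
JOHN = {"role": "Manager", "department": "Finance"}
REPORT = {"type": "financial-report", "sensitivity": "high"}

if __name__ == "__main__":
    print(decide(request(JOHN, REPORT, "view", datetime(2024, 1, 15, 10, 30))))  # True
    print(decide(request(JOHN, REPORT, "view", datetime(2024, 1, 15, 20, 0))))   # False
```

The same subject that is granted at 10:30 is denied at 20:00 without any change to John's roles; the environment attribute alone flips the decision, which is the context-awareness the page credits to ABAC and the reason each request costs a policy evaluation.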
Summary
RBAC
Preset roles assigned to users. Best for straightforward setups.
ABAC
Policies built from attributes. Best when access needs to depend on context and fine detail.