
Role Basics


Authorization is the security mechanism by which systems and applications determine a user’s privileges and access levels while using the system. Compliant access is concerned with defining and managing the policies that control user access to data and ensuring that the access is always position-appropriate. Defining and maintaining compliant access for a large organization can be a daunting task. Some types of applications and use cases are better suited to a more structured role-based approach, and others require real-time contextual decisions. RBAC, ABAC, and PBAC are three ways of managing authorization policies.

Although these models have overlapping qualities, no one of them alone covers all the necessary aspects of access control. For optimal, dynamic support of an IT organization’s needs, systems that combine the richness of RBAC's relational modeling with the flexibility and contextual nature of ABAC/PBAC offer the best solution. To provide compliant access across such a diverse IT landscape, EmpowerID delivers a unique hybrid RBAC/ABAC/PBAC authorization model.

 

Figure: EmpowerID’s Innovative Hybrid RBAC/ABAC/PBAC Model

 

EmpowerID’s sophisticated role and relationship modeling allows security architects to model the organization, its structure, and its policies, including segregation of duties policies that prevent undesired combinations of access. Flexible attribute-based ABAC or PBAC policies support a centralized real-time decision point for applications that can call the EmpowerID API for authorization decisions. The ABAC/PBAC engine enhances or modifies the decisions of the powerful RBAC engine, so that ABAC/PBAC policies are used only when greater flexibility or contextual information such as risk, location, and MFA type is required. ABAC/PBAC policies are made much more potent by including the pre-calculated access results that the engine derives from complex RBAC policies that account for inheritance and even attribute-based queries.

The EmpowerID system uses

Role-Based Access Control (RBAC) is a framework designed to allow organizations to more efficiently manage permissions across applications and other protected IT resources.

The EmpowerID RBAC model reflects the Resource-Based Access Control paradigm: the platform is resource-centric, not role-centric. This allows organizations to focus on what they are protecting.

EmpowerID has a three-tiered RBAC model.

Business Role: A Business Role is a user-defined hierarchical container for grouping people. For more details, please click here.

Management Role: Management roles are also known as functional roles. For more details, please click here.

Technical Role: Technical roles are also known as resource roles or access level assignments. They are used to authorize operations performed in EmpowerID or to grant native permissions that are pushed to external systems.
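
The hybrid decision flow and the three role tiers described above can be illustrated with a small sketch. This is an added example, not EmpowerID code or its API: every role, resource, attribute name and threshold is hypothetical, the sample data is constructed, and it assumes that child business roles inherit from their parents.

```python
from dataclasses import dataclass

# Constructed sample model; every role, resource and attribute name is hypothetical.
PARENT = {"Senior Accountant": "Accountant", "Accountant": "Employee", "Employee": None}
MANAGEMENT_ROLES = {  # business role -> management (functional) roles
    "Employee": {"Self-Service User"},
    "Accountant": {"Invoice Processor"},
    "Senior Accountant": {"Payment Approver"},
}
TECHNICAL_ROLES = {  # management role -> (resource, operation) access levels
    "Self-Service User": {("profile", "edit")},
    "Invoice Processor": {("invoices", "create")},
    "Payment Approver": {("payments", "approve")},
}
SOD_CONFLICTS = [frozenset({("invoices", "create"), ("payments", "approve")})]
# Contextual rules apply only to these RBAC grants; everything else is pure RBAC.
CONTEXT_RULES = {("payments", "approve"):
                 {"max_risk": 40, "mfa": {"fido2"}, "locations": {"office", "vpn"}}}

@dataclass(frozen=True)
class Context:
    risk: int        # 0 (low) to 100 (high)
    location: str
    mfa_type: str

def rbac_grants(business_role):
    """Pre-calculate access: walk up the business role hierarchy (assumed
    child-inherits-from-parent) and expand management roles to access levels."""
    grants = set()
    while business_role is not None:
        for mgmt in MANAGEMENT_ROLES.get(business_role, ()):
            grants |= TECHNICAL_ROLES.get(mgmt, set())
        business_role = PARENT.get(business_role)
    return grants

def sod_violations(grants):
    """Return every segregation-of-duties pair fully contained in the grants."""
    return [conflict for conflict in SOD_CONFLICTS if conflict <= grants]

def authorize(business_role, resource, operation, ctx):
    """RBAC decides first; a contextual rule may then override a grant."""
    if (resource, operation) not in rbac_grants(business_role):
        return "deny:rbac"
    rule = CONTEXT_RULES.get((resource, operation))
    if rule is None:
        return "permit"
    if ctx.risk > rule["max_risk"] or ctx.location not in rule["locations"]:
        return "deny:context"
    if ctx.mfa_type not in rule["mfa"]:
        return "step-up:mfa"
    return "permit"
```

In this sample, inheritance gives the Senior Accountant both invoice creation and payment approval, so `sod_violations` reports the combination even though no single role assignment looks wrong on its own.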
