Have you ever thought about who has access to your confidential information? What are the conditions for giving access? Given the recent data leaks, these questions are particularly relevant: according to a recent report by Statista, in the third quarter of this year, approximately 422.61 million data records were compromised.
As we can see, protecting data access in fast-growing companies is a task of exceptional importance and difficulty, as security and operational agility must be maintained at a high level. The article describes two types of access control: RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control). To explain the distinction, we consulted with an expert, Tafida Balarabe, a Senior Data Analyst at Revolut.
Definitions of RBAC
RBAC grants permissions based on roles, such as data analysts, software engineers, or HR managers. Tafida says, “This process is centralised, easy to follow, and suitable for stable organisational structures.”
However, Tafida argues that in fast-growing environments, RBAC is less effective than ABAC. The reason is that RBAC might result in a “role explosion” when there are too many roles required to handle temporary assignments, for example, when an HR manager needs access to financial reports for just a month, in addition to the permanent roles.
Therefore, it is difficult to adapt RBAC for new tasks and modify or revoke access, which is a significant disadvantage for scaling companies. “Data analysts at fintech companies often collaborate with compliance teams to build KYC/KYB models that set alerts for suspicious client behaviour, and shared access is mandatory”, the expert explains. Another drawback of RBAC is that, in real-life scenarios, access often depends on nuanced conditions, such as data sensitivity or work location. Granting access is not as simple as this policy implies.
Definitions of ABAC
ABAC is designed to make access decisions based on attributes, which are metadata about the user, the action, and the context (time, location, and work device). “Imagine a data analyst working with a particular city. In this case, the geographic region is a filter that allows the specialist to access information only about that specific location,” Tafida says.
“The power of ABAC lies in its architecture,” Tafida explains. “When someone requests access, the system uses what we call a Policy Decision Point – essentially the ‘brain’ that evaluates all the attributes against the rules. Then a Policy Enforcement Point acts as the ‘gatekeeper’ that actually grants or denies access based on that decision.”
Building on the previous point, Tafida notes that high-regulation industries, such as finance, benefit from ABAC’s capability to consider device, location, and working hours when granting permission. This tool enhances data protection by stipulating that permissions are only granted under controlled conditions.
“ABAC is more flexible and suitable for fast-growing companies; however, managing attributes can be difficult”, the expert concludes about the ABAC control. Hence, it is necessary to ensure that attributes are up-to-date. Incorrect or outdated information can lead to blocking access or, conversely, granting it to undesired roles.
How to integrate both policies
“It is possible to integrate both RBAC and ABAC policies, and many companies use the hybrid approach”, the expert points out. For example, RBAC is useful for broad permissions – all data specialists are allowed to access Looker, Tableau, or Power BI. Further, ABAC considers attributes and grants permissions accordingly. “A great example of the hybrid access control is a finance manager who can view reports only during working hours from a corporate IP address”, Tafida shares. This approach simplifies administration and gives access to targeted data.
Considerations and pitfalls
“There are several factors to consider before setting up both RBAC and ABAC, as the process isn’t always straightforward”, Tafida mentions, highlighting the following considerations:
- Ensure users and systems have up-to-date attribute values.
- Implement lifecycle entry and decision policies for reviewing and deleting.
- Do not hesitate to use modern tools, such as visualising policy flows and automating policy suggestions based on access logs, for defining and reviewing policies.
Control strategy guideline
After the bottlenecks are addressed, a company can begin implementing RBAC and ABAC. The expert shares his step-by-step guide:
- Start with the RBAC and define core roles or broad functions that can be set manually.
- Find attributes at the department and manager levels, resource attributes (type, owner), and contextual variables (time, geolocation, IP).
- Expand the RBAC policy with ABAC, following if-then logic. For example, if a data analyst accesses an internal database within working hours, they are granted permission. Otherwise, they are denied.
- Adjust attributes according to the changes in the workflow or roles.
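As an added illustration (not code from the article or from Revolut), here is a minimal Python Policy Decision Point and Policy Enforcement Point for the hybrid scheme described above: the role table is the RBAC baseline, and the named if-then rules (working hours, corporate IP, matching region) are the ABAC layer evaluated on top of it. The role names, the 10.0.0.0/8 corporate range, the 09:00-17:59 window and the sample requests are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed RBAC baseline (assumption): role -> resources it may broadly reach.
ROLE_PERMISSIONS = {
    "data_analyst": {"internal_db", "bi_tool"},
    "finance_manager": {"finance_reports", "bi_tool"},
}
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical corporate range
WORK_HOURS = range(9, 18)                          # 09:00-17:59, assumed


@dataclass
class Request:
    """Attributes of one access request: subject, resource and context."""
    role: str             # subject attribute (RBAC role)
    region: str           # subject attribute (city the analyst works with)
    resource: str
    resource_region: str  # resource attribute
    time: datetime        # context attribute
    source_ip: str        # context attribute


# ABAC layer: named if-then rules; the name doubles as the audit/denial reason.
def during_work_hours(r): return r.time.hour in WORK_HOURS
def from_corporate_ip(r): return ipaddress.ip_address(r.source_ip) in CORPORATE_NET
def region_matches(r): return r.region == r.resource_region

RESOURCE_RULES = {
    "finance_reports": [during_work_hours, from_corporate_ip],
    "internal_db": [during_work_hours, region_matches],
    "bi_tool": [],  # broad permission: RBAC alone is enough
}


def decide(req: Request) -> tuple[bool, str]:
    """Policy Decision Point: RBAC check first, then every ABAC rule must hold."""
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"baseline denied: role {req.role!r} on {req.resource!r}"
    for rule in RESOURCE_RULES.get(req.resource, []):
        if not rule(req):
            return False, f"attribute rule failed: {rule.__name__}"
    return True, "permit"


def enforce(req: Request, fetch):
    """Policy Enforcement Point: gatekeeper that calls the resource only on permit."""
    allowed, reason = decide(req)
    if not allowed:
        raise PermissionError(reason)
    return fetch(req.resource)


def at(hour: int) -> datetime:
    """Helper for constructed sample timestamps (a fixed, arbitrary date)."""
    return datetime(2024, 3, 4, hour, 0)
```

Because every deny carries the name of the rule that failed, stale or missing attribute values (the pitfall the expert warns about) show up in logs as a specific rule rather than a silent block.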
Conclusion
“In a fast-growing environment, it is best to use both RBAC and ABAC,” Tafida says. “RBAC alone is not enough, but it is a good foundation for further settings with ABAC”, the expert adds to the conclusion.