Dataconomy

Managing data access (RBAC, ABAC) in a fast-growing company

by Editorial Team
July 5, 2024
in Industry

Have you ever thought about who has access to your confidential information? What are the conditions for giving access? Given the recent data leaks, these questions are particularly relevant: according to a recent report by Statista, in the third quarter this year, approximately 422.61 million data records were compromised.

As we can see, protecting data access in fast-growing companies is a task of exceptional importance and difficulty, as security and operational agility must be maintained at a high level. The article describes two types of access control: RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control). To explain the distinction, we consulted with an expert, Tafida Balarabe, a Senior Data Analyst at Revolut.

Definitions of RBAC

RBAC grants permissions based on roles, such as data analysts, software engineers, or HR managers. Tafida says, “This process is centralised, easy to follow, and suitable for stable organisational structures.”

However, Tafida argues that in fast-growing environments, RBAC is less effective than ABAC. The reason is that RBAC can lead to a “role explosion”: on top of the permanent roles, too many extra roles are needed to handle temporary assignments, for example when an HR manager needs access to financial reports for just a month.

Therefore, it is difficult to adapt RBAC for new tasks and modify or revoke access, which is a significant disadvantage for scaling companies. “Data analysts at fintech companies often collaborate with compliance teams to build KYC/KYB models that set alerts for suspicious client behaviour, and shared access is mandatory”, the expert explains. Another drawback of RBAC is that, in real-life scenarios, access often depends on nuanced conditions, such as data sensitivity or work location. Granting access is not as simple as this policy implies.

Definitions of ABAC

ABAC is designed to make access decisions based on attributes, which are metadata about the user, the action, and the context (time, location, and work device). “Imagine a data analyst working with a particular city. In this case, the geographic region is a filter that allows the specialist to access information only about that specific location,” Tafida says.

“The power of ABAC lies in its architecture,” Tafida explains. “When someone requests access, the system uses what we call a Policy Decision Point – essentially the ‘brain’ that evaluates all the attributes against the rules. Then a Policy Enforcement Point acts as the ‘gatekeeper’ that actually grants or denies access based on that decision.”

Building on the previous point, Tafida notes that high-regulation industries, such as finance, benefit from ABAC’s capability to consider device, location, and working hours when granting permission. This tool enhances data protection by stipulating that permissions are only granted under controlled conditions.

“ABAC is more flexible and suitable for fast-growing companies; however, managing attributes can be difficult”, the expert concludes about the ABAC control. Hence, it is necessary to ensure that attributes are up-to-date. Incorrect or outdated information can lead to blocking access or, conversely, granting it to undesired roles.

How to integrate both policies

“It is possible to integrate both RBAC and ABAC policies, and many companies use the hybrid approach”, the expert points out. For example, RBAC is useful for broad permissions – all data specialists are allowed to access Looker, Tableau, or Power BI. Further, ABAC considers attributes and grants permissions accordingly. “A great example of the hybrid access control is a finance manager who can view reports only during working hours from a corporate IP address”, Tafida shares. This approach simplifies administration and gives access to targeted data.

Considerations and pitfalls

“There are several factors to consider before setting up both RBAC and ABAC, as the process isn’t always straightforward”, Tafida mentions, highlighting the following considerations:

  • Ensure users and systems have up-to-date attribute values.
  • Implement lifecycle entry and decision policies for reviewing and deleting
  • Do not hesitate to use modern tools, such as visualising policy flows and automating policy suggestions based on access logs, for defining and reviewing policies.

Control strategy guideline

After the bottlenecks are addressed, a company can begin implementing RBAC and ABAC. The expert shares his step-by-step guide:

  1. Start with the RBAC and define core roles or broad functions that can be set manually.
  2. Find attributes at the department and manager levels, resource attributes (type, owner), and contextual variables (time, geolocation, IP).
  3. Expand the RBAC policy with ABAC, following if-then logic. For example, if a data analyst accesses an internal database within working hours, they are granted permission. Otherwise, they are denied.
  4. Adjust attributes according to the changes in the workflow or roles.
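
The four steps above, together with the Policy Decision Point and Policy Enforcement Point described earlier, can be sketched as follows. This is an added example, not code from the article or the expert; the role names, network range, working hours and 30-day attribute freshness limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# All names and values below are constructed for illustration.
ROLE_PERMISSIONS = {                      # step 1: broad RBAC baseline
    "data_analyst": {("internal_db", "read")},
    "finance_manager": {("finance_reports", "read")},
}
CORPORATE_NETS = [ip_network("10.20.0.0/16")]   # assumed corporate range
WORK_START, WORK_END = time(9, 0), time(18, 0)  # assumed hours, office local time
MAX_ATTR_AGE = timedelta(days=30)               # older attributes are not trusted

@dataclass
class Request:                            # step 2: attributes the policy reads
    role: str
    resource: str
    action: str
    source_ip: str
    when: datetime
    attrs_synced: datetime                # last sync of the user's attributes
    grant_expires: Optional[datetime] = None  # set when the role is time-boxed

def decide(req: Request) -> tuple[bool, str]:
    """Policy Decision Point: deny unless every check passes (step 3)."""
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "role lacks permission"
    if req.when - req.attrs_synced > MAX_ATTR_AGE:   # step 4: stale data fails closed
        return False, "stale attributes"
    if req.grant_expires is not None and req.when >= req.grant_expires:
        return False, "temporary grant expired"
    if not (WORK_START <= req.when.time() < WORK_END):
        return False, "outside working hours"
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        return False, "unparseable source IP"
    if not any(addr in net for net in CORPORATE_NETS):
        return False, "non-corporate network"
    return True, "permit"

def enforce(req: Request, fetch):
    """Policy Enforcement Point: calls fetch() only after a permit."""
    allowed, reason = decide(req)
    if not allowed:
        raise PermissionError(reason)
    return fetch()
```

The expiry on a role assignment covers the one-month HR access case without creating a new role, and the returned reason string is what would go into the access log for later policy review.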

Conclusion

“In a fast-growing environment, it is best to use both RBAC and ABAC,” Tafida says. “RBAC alone is not enough, but it is a good foundation for further settings with ABAC”, the expert adds to the conclusion.
