Skip to main content
IAM vs. CIAM CIAM Buyer's Guide Contact Us
Janrain respects your privacy and will treat the personal data you choose to share with us in accordance with our privacy policy.

Identity Q&A

How do role-based access control and attribute-based access control compare?

In role-based attribute control (RBAC), the user’s role defines what they can access. For example a doctor can access all the medical files for her patients, but the receptionist cannot. 
In attribute-based access control (ABAC), one or more profile attributes can be used to make a context-aware access decision. For example, for a patient whose age is below 18, his parent may access certain patient medical files without prior permission. When the patient passes his 18th birthday, neither his role nor his parent’s role changes, but his age attribute does change, resulting in reduced access for his parents. 
Over time, role-based access control lists can become bloated and a source of inherent risks to the organization (e.g., group policies). In contrast, attribute-based access controls tend to be more flexible, secure and easier to author.
Gartner predicts that ABAC will be used by 70% of enterprises by 2020, replacing RBAC as the dominant mechanism to protect critical assets.