Why is fine-grained access control important?
Fine-grained access control is important because it changes the rules of static authorization and enables secure sharing of many more sensitive information assets. However, this does require an effective and proven fine-grained authorization tool such as the Axiomatics dynamic data masking solution. This is best explained through an example.
Imagine an archive where entries about clients are maintained. Most of the actual body text should be shared with staff members across different job functions. However, sensitive metadata about individual clients must not be visible to users who do not have the required authorization.
Unless the authorization system is fine-grained enough to filter out these details, all of the entries will have to remain undisclosed to protect the integrity of the data. Without the ability to filter out sensitive details or entire entries based on fine-grained conditions, the information will not be made available for sharing. If permissions can only be set on a directory level, the entire directory would remain off-limits even if it only contains one of several hundred documents for which a user lacks authorization.
How does fine-grained authorization enable secure information sharing?
Fine-grained authorization allows rich business rules and authorization policies to be enforced. Policy writers can create complex rules and policies that contain multiple conditions relating to time, location, role, action, and more, and these will be enforced. Rich, fine-grained controls can also be applied within a single resource.
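The client archive scenario and the multi-condition rules described above can be sketched as follows. This is an added example, not Axiomatics product code or policy syntax; the attribute names, business hours, and sample entries are assumptions made for illustration.

```python
from datetime import time

# Constructed sample data: client archive entries with shareable body text
# and sensitive metadata. All names and values are illustrative assumptions.
ENTRIES = [
    {"id": 1, "region": "EU", "body": "Claim review notes",
     "meta": {"national_id": "EX-0001", "risk": "high"}},
    {"id": 2, "region": "US", "body": "Policy renewal",
     "meta": {"national_id": "EX-0002", "risk": "low"}},
]
ANALYST = {"role": "analyst", "region": "EU", "metadata_cleared": False}
MANAGER = {"role": "case_manager", "region": "EU", "metadata_cleared": True}

def decide(user, action, entry, now):
    """Return 'deny', 'masked' or 'full' for one user/action/entry/time."""
    if action != "read" or not time(8, 0) <= now <= time(18, 0):
        return "deny"                      # action and time conditions
    if user["region"] != entry["region"]:
        return "deny"                      # location condition, per entry
    if user["role"] == "case_manager" and user["metadata_cleared"]:
        return "full"                      # role plus clearance attribute
    return "masked"                        # body shared, metadata hidden

def fine_grained_view(user, action, entries, now):
    """Filter whole entries and mask fields inside the entries that remain."""
    visible = []
    for entry in entries:
        decision = decide(user, action, entry, now)
        if decision == "deny":
            continue
        meta = dict(entry["meta"]) if decision == "full" else \
            {key: "***" for key in entry["meta"]}
        visible.append({"id": entry["id"], "body": entry["body"], "meta": meta})
    return visible

def directory_level_view(user, action, entries, now):
    """Coarse model: one entry the user may not fully see locks the directory."""
    if all(decide(user, action, e, now) == "full" for e in entries):
        return fine_grained_view(user, action, entries, now)
    return []

if __name__ == "__main__":
    ten = time(10, 0)
    print(fine_grained_view(ANALYST, "read", ENTRIES, ten))
    print(fine_grained_view(MANAGER, "read", ENTRIES, ten))
    print(directory_level_view(ANALYST, "read", ENTRIES, ten))
```

With the same data, the analyst gets the EU entry with masked metadata under the fine-grained view, while the directory-level view returns nothing to either user because each lacks full access to at least one entry.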
Let’s look at a typical example of fine-grained access control of a business rule. This could be at any of our insurance company clients as it concerns assets stored in tables:
Coarse-grained vs fine-grained access controls
Choosing when to use coarse-grained and when to use fine-grained authorization is similar to deciding when to use RBAC or ABAC. However, RBAC and fine-grained access control can be combined when roles are the only condition applied to access, but the shared resources need to be masked, as in the above example from an insurance company.