“That sounds hard.” Shifting to a new way of managing access control requires a new way of thinking, but the approach itself is straightforward. This paper breaks the process into digestible, easy-to-implement steps for switching to a policy-based approach and upgrading your legacy role-based system.

In RBAC, users are assigned roles, and roles are assigned permissions. Grouping permissions into roles makes access control more manageable and is a first tangible step towards externalized authorization. However, RBAC has manageability limits of its own. With the advent of the Internet, APIs, IoT and Big Data, there is an increasing need for finer-grained, context-aware authorization.

RBAC cannot make access decisions based on relationships or on contextual attributes such as time or location. Consequently, RBAC cannot express many real-world access control policies, and it simply does not scale to the complexity of today’s IT environments. This is where Attribute Based Access Control (ABAC) comes in.
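As an added illustration (not part of the original paper) of the limitation just described, the following Python sketch evaluates the same request under a plain RBAC role check and under an ABAC rule that also considers a relationship attribute (patient assignment) and contextual attributes (time of day and network location). The clinical roles, patient identifiers and the policy itself are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import time

# --- RBAC: a role maps to a fixed set of permissions, nothing more --------
ROLE_PERMISSIONS = {
    "nurse": {"read:patient_record"},
    "doctor": {"read:patient_record", "write:patient_record"},
}
def rbac_allows(role: str, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(role, set())

# --- ABAC: the decision also sees relationship and context attributes -----
@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str
    assigned_patients: frozenset  # relationship: which patients this clinician treats

@dataclass(frozen=True)
class Resource:
    patient_id: str

@dataclass(frozen=True)
class Environment:
    time_of_day: time   # contextual attribute: when the request is made
    location: str       # contextual attribute: where the request comes from

def abac_allows(subject: Subject, action: str, resource: Resource, env: Environment) -> bool:
    """Deny by default; each rule combines the role with relationship and context."""
    if action == "read:patient_record" and subject.role in ("nurse", "doctor"):
        # Clinicians read only their own patients, on shift, from the hospital network.
        return (resource.patient_id in subject.assigned_patients
                and time(7, 0) <= env.time_of_day < time(19, 0)
                and env.location == "hospital_lan")
    if action == "write:patient_record" and subject.role == "doctor":
        return resource.patient_id in subject.assigned_patients
    return False

def compare_decisions() -> dict:
    """Constructed scenarios: the same nurse asks to read two different records."""
    nurse = Subject("n-42", "nurse", frozenset({"p-100"}))
    on_shift = Environment(time(9, 30), "hospital_lan")
    at_night_remote = Environment(time(23, 0), "remote")
    return {
        "own_patient_on_shift": (rbac_allows("nurse", "read:patient_record"),
                                 abac_allows(nurse, "read:patient_record", Resource("p-100"), on_shift)),
        "other_patient_at_night": (rbac_allows("nurse", "read:patient_record"),
                                   abac_allows(nurse, "read:patient_record", Resource("p-200"), at_night_remote)),
    }
```

The RBAC check returns the same answer for both requests because the role is the only input; the ABAC rule denies the second one on the relationship and context attributes.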