Evolution of Access Control: a bit of RBAC and ABAC history

Access control never sleeps. It evolves, changes, moves. That's one of the reasons it is such a fascinating field (and why we love it so much!). As the digital landscape around us continues to grow more complex and dynamic, our approach to securing it (and its assets) must keep up.

It is no longer enough to just secure and fortify your own organization and protect what is inside of it; the modern world requires extending that fortification to our interconnected supply chains and networks—it is about contributing to securing the ecosystem that surrounds you. And that asks for a holistic and resilient approach to access control.

The evolution of access control reflects that. We started with the Discretionary Access Control (DAC) systems of the 1970s and saw the first instances of Role-Based Access Control (RBAC) by the late 1980s and early 1990s, formalizing access through predefined roles. Then, in response to businesses and organizations becoming more global, dynamic, and interconnected, we saw the introduction of Attribute-Based Access Control (ABAC), offering more flexibility and fine-grained rules to control access, with the potential to power future zero-trust access control models.

Let's dive a little deeper into all of that!

Evolution of access control: a bit of history

Once upon a time ... securing access was as simple as locking a door to a room full of precious items. Physical security—keys, guards, and barriers—was enough. However, as the digital world grew and computing took center stage, securing access to valuables in the non-physical domain became just as critical. In the 1970s, Discretionary Access Control (DAC) emerged, where users could decide who could access their files—in some ways, sort of similar to lending out a key. Around that time, Access Control Lists (ACLs) offered a more structured method for defining permissions.

Moving into the 1990s, Role-Based Access Control (RBAC) came around. This framework started becoming standard for enterprises, enabling permissions to be assigned based on job roles. Initially brought to life on traditional, centrally managed mainframes and midrange computers (where the computer was the network), RBAC also proved effective in networked infrastructures (where the network was the computer) when local area networks were built using the concept of roles, groups and authorization profiles.

By the 2010s, businesses became more dynamic, and ABAC was introduced, enabling organizations to factor in more nuanced, context-based rules for access control, taking into account parameters like time, location, and device.

On Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) emerged as a solution to organizational IT systems' growing complexity, scale, and security demands. Earlier access control systems tied permissions to people, an approach that was no longer sustainable for organizations that started to deal with larger workforces and growing numbers of identities needing access. RBAC simplified access management by tying permissions to specific organizational roles rather than individuals. That provided some of the consistency, efficiency, and security businesses needed to manage increasing numbers of users and devices.

This access control framework further provided (and still provides) a manageable, practical step towards getting and staying in control of the 'who has access to what?' question. Especially in larger organizations (think ~500+ people) with complex IT environments and strict regulatory requirements, it helps to streamline access control and reduce the risk of unauthorized access while improving operational efficiency.

Now, on Attribute-Based Access Control (ABAC)

With Attribute-Based Access Control (ABAC), access control frameworks started to become more flexible by considering contextual factors (like time, location, and device) along with user attributes in access decisions. ABAC could also adapt and adjust to contexts and situations and grant access based on more dynamic, fine-grained criteria rather than just roles. In fact, ABAC can use the RBAC concept of roles, as roles can be treated as attributes of users.

As organizations grow and IT environments become more complex, ABAC's dynamic nature can prove to be helpful in navigating that complexity. It allows for making situation-specific decisions in fast-moving organizations with a lot of sensitive data and thus robust and solid yet flexible and dynamic access control requirements.

It can complement RBAC by providing the flexibility needed to adapt to today's fast-paced, ever-changing business environment. If integrated with RBAC, ABAC can offer deeper insight and more granular control over access, helping organizations manage the complexities of modern business while maintaining compliance and agility.

Note: Integrating ABAC into RBAC can be complex if the architectural components required for ABAC (think federated architecture model based on protocols such as SAML and OpenID Connect) are not present in existing applications or systems. In legacy environments, for example, dynamic access control (e.g., ABAC and PBAC) almost always needs customization, such as the addition of APIs and API access. More on that ... coming soon.

RBAC & ABAC: 1+1=3

You may feel that you should choose between RBAC and ABAC. Yet, combining both can actually be a powerful and robust access control strategy!

Think of access control in this instance as a Swiss army knife. RBAC is the solid, reliable, durable steel frame, a foundation for structure and security. ABAC, then, adds handy little gadgets based on and tailored to your contextual requirements and customization needs. This addition makes the knife agile and adaptable, ready to handle any challenge or, in our case, any access complexity.

Establishing RBAC foundations first helps to manage roles and permissions effectively. Then, layering ABAC into it adds fine-tuned, context-sensitive access features, creating a dynamic access control system. One that is as robust, resilient, and responsive as that Swiss army knife. Such a hybrid approach gives the tools to improve security, agility, and compliance across dynamic, interconnected, and complex IT landscapes.

And we need such hybrid approaches, as ABAC, for example, cannot always be implemented on its own. It requires a different access control environment, unlike those offered by traditional applications with an internal RBAC structure. So, unless, as mentioned before, these applications can be accessed via APIs in a federated style, it can be hard to move beyond RBAC.
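As an added illustration (not code from the original post or from SonicBee), here is a small Python policy evaluator that lays out the hybrid just described: role-to-permission mappings form the RBAC foundation, and ABAC conditions on the time, location and device attributes named earlier can only narrow those grants, never widen them. The roles, resources and context keys are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed RBAC layer: each role maps to the (resource, action) pairs it grants.
ROLE_PERMISSIONS = {
    "finance-analyst": {("ledger", "read")},
    "finance-admin": {("ledger", "read"), ("ledger", "write")},
}

# ABAC conditions, evaluated on the request context the article mentions:
# time of day, location and device posture.
def within_business_hours(ctx):
    return time(8, 0) <= ctx["time"] <= time(18, 0)

def from_office_network(ctx):
    return ctx["location"] == "office"

def managed_device(ctx):
    return ctx["device_managed"] is True

# Constructed ABAC layer: context conditions that must ALL hold before a
# permission RBAC already granted is actually exercised. ABAC here can only
# narrow what RBAC allows, so an unknown or missing condition fails closed.
ABAC_CONDITIONS = {
    ("ledger", "read"): [managed_device],
    ("ledger", "write"): [within_business_hours, from_office_network, managed_device],
}

@dataclass
class Subject:
    user: str
    attributes: dict = field(default_factory=dict)  # roles are one attribute among others

def rbac_allows(subject, resource, action):
    """RBAC foundation: does any of the subject's roles grant (resource, action)?"""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in subject.attributes.get("roles", []))

def decide(subject, resource, action, ctx):
    """Hybrid decision. Returns (allowed, reason) so every denial is auditable."""
    if not rbac_allows(subject, resource, action):
        return False, "rbac: no role grants this permission"
    for condition in ABAC_CONDITIONS.get((resource, action), []):
        if not condition(ctx):
            return False, f"abac: {condition.__name__} not satisfied"
    return True, "allowed"
```

The reason string is returned alongside the verdict so that a denial from the RBAC layer and a denial from an ABAC condition can be logged and distinguished during review.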

Note: You may wonder, “But what about the other BACs?! Policy, for example?”—and you would be right. For now, though, we will stick to RBAC and ABAC and save other access control frameworks for next time.

Access control as strategic business accelerator

Access control will continue to evolve and move towards more automated concepts and frameworks, away from manual effort (so-called 'Excel-Based Access Management'). We're seeing trends, innovations, and technologies (AI, machine learning, PBAC frameworks, Zero-Trust, etc.) that may continue shaping access control systems to further enable secure, seamless operations across increasingly interconnected networks. Ultimately, these advancements could further enhance security and operational efficiency, reduce risk, and better support scalable growth.

What's next?

First things first! No fortress without a foundation. Fixing the (RBAC) basics is a good number-one priority to have on your access control to-do list. From there, you can evolve your access control system to further meet the demands of our fast-paced, dynamic world. Perhaps you're already well on your way, maybe you're getting up to speed - we're here to help. Feel free to reach out, and let's talk!

Edzo Botjes

Antifragility Architect / Variety Engineer / Trusted Advisor / Teacher Enterprise Architecture, Antifragility (MSc) / Researcher Cyber Resilience (PhD)

1 month

Nice story
