By Gary Allemann, Managing Director at Master Data Management

Data security and access management are highly technical topics that have largely been left to the Chief Information Security Officer and his team. While the PoPIA commencement date came into effect from 1 February 2022, more stakeholders need to understand the basic access control approaches available to them. This is where Role-based Access Control (RBAC) can assist organisations to simplify the process and ensure compliance. 

What is RBAC?

RBAC restricts network or system access based on a person’s or account’s role within an organisation, and Lightweight Directory Access Protocol (LDAP) is a commonly used protocol to implement an RBAC methodology.

RBAC is intended to ensure that employees only access systems that are required for them to do their jobs. Access can be based on factors such as authority, responsibility and job competency, and access to data resources can be limited to specific tasks, such as the ability to view, create, modify or delete a file. Overall, RBAC is popular because it reduces the need to assign privileges to individuals.

However, by its nature, RBAC has some limitations that impact its use to implement protection of sensitive information, particularly in large, complex organisations. Most critically, RBAC is applied to users, not to objects or operations, and while access can be restricted to certain systems, RBAC does not limit access to data within systems.

What is ABAC?

Attribute-based Access Control (ABAC) is a model that has evolved from RBAC that addresses some of these shortcomings, and grants access based on an evaluation of the characteristics of attributes, rather than roles. A central data access policy defines which combination of a user (role) and object attributes is required for access.

The key benefit of ABAC is that data is protected at a granular level, and the model can be used to define far more complex access policies, protecting individual data elements – such as an ID Number, Credit Score, or HIV Status. However, this flexibility can be hard to manage without a centralised dynamic access management platform that can identify sensitive data and apply policies dynamically.

What is FGAC?

Fine-Grained Access Control (FGAC) is another term for ABAC as it speaks to the ability of the ABAC methodology to provide fine-grained access. RBAC can also be thought of as course grained.

Organisations can look to implement the RBAC system to meet confidentiality and privacy regulations and regulatory requirements. This is because executives and IT departments have more effective control nowadays over how data is accessed and used.