• ABAC : Attribute-Based Access Control
  • RBAC : Role-Based Access Control

Access control is a crucial aspect of security in software applications. Two popular models for implementing access control are Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). In this tutorial, we’ll delve into the concepts of ABAC and RBAC, and provide code examples to illustrate each case.

1. What is ABAC ?

ABAC is a flexible access control model that relies on attributes to make access decisions. Attributes can include user roles, resource properties, environmental conditions, and more. Let’s create a simple Python example to demonstrate ABAC:

class ABACPolicy:
    def __init__(self, user_attributes, resource_attributes):
        self.user_attributes = user_attributes
        self.resource_attributes = resource_attributes

    def check_access(self, action):
        # Check if the user has the required attributes for the action
        if self.user_attributes.get('role') == 'admin' and self.resource_attributes.get('owner') == self.user_attributes.get('username'):
            return True
        else:
            return False

Example usage of ABAC

user_attributes = {'username': 'john_doe', 'role': 'admin'}
resource_attributes = {'owner': 'john_doe', 'type': 'document'}

abac_policy = ABACPolicy(user_attributes, resource_attributes)

Check if the user can perform a specific action

if abac_policy.check_access('edit'):
    print("User has permission to edit the document.")
else:
    print("User does not have permission to edit the document.")

In this example, the ABACPolicy class takes user and resource attributes as input and checks if the user has the required attributes to perform a specific action (e.g., ‘edit’). The decision is based on both user and resource attributes.

2. What is RBAC?

RBAC is a widely used access control model that assigns roles to users, and permissions are associated with these roles. Users inherit the permissions of the roles they are assigned. Here’s a Python example illustrating RBAC:

class RBACPolicy:
    def __init__(self):
        self.roles = {'admin': ['edit', 'delete'], 'user': ['view']}

    def assign_role(self, user, role):
        # Assign a role to a user
        if role in self.roles:
            user['role'] = role

    def check_access(self, user, action):
        # Check if the user's role has the required permission for the action
        if user.get('role') and action in self.roles[user['role']]:
            return True
        else:
            return False

Example usage of RBAC

user = {'username': 'john_doe'}

rbac_policy = RBACPolicy()

Assign a role to the user

rbac_policy.assign_role(user, 'admin')

Check if the user can perform a specific action

if rbac_policy.check_access(user, 'edit'):
    print("User has permission to edit.")
else:
    print("User does not have permission to edit.")

In this example, the RBACPolicy class maintains a dictionary of roles with associated permissions. Users are assigned roles, and access decisions are based on the user’s role and the required action.

3. ABAC vs. RBAC:

Flexibility:
– ABAC is more flexible as it considers multiple attributes for access decisions.
– RBAC is rigid in comparison, as access is determined based on predefined roles.

Scalability:
– ABAC can scale well as it can handle a large number of attributes for fine-grained access control.
– RBAC may face challenges in scalability as the number of roles and permissions grows.

Complexity:
– ABAC can be more complex to implement due to the consideration of multiple attributes in access decisions.
– RBAC is often simpler to implement and manage, especially in systems with clear role structures.

Use Cases:
– ABAC is suitable for scenarios where access decisions depend on dynamic and varied attributes.
– RBAC is suitable for systems with well-defined roles and where permissions are role-specific.
– Choose the access control model that best aligns with the requirements and characteristics of your application. Each model has its strengths and weaknesses, and the choice depends on the specific use case and security needs.

4. How about coupling ABAC and RBAC with OPA ?

  • OPA : Open Policy Agent
    is a versatile policy engine that can be used to implement both Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC). OPA policies are written in the Rego language. Let’s explore how to use OPA for both ABAC and RBAC, providing code examples for each case.

4.1. ABAC with OPA:

Policy for ABAC:

package main

default allow = false

allow {
    input.user.role == "admin"
    input.resource.owner == input.user.username
}

Python Code to Evaluate ABAC Policy:

from opa_client import OpaClient # Assuming there is an OPA client library

Example ABAC input data

abac_input = {
‘user’: {‘username’: ‘john_doe’, ‘role’: ‘admin’},
‘resource’: {‘owner’: ‘john_doe’, ‘type’: ‘document’},
}

Evaluate ABAC policy

opa_client = OpaClient()
result = opa_client.evaluate('path/to/abac-policy', abac_input)

if result['allow']:
    print("User has permission to perform the action.")
else:
    print("User does not have permission to perform the action.")

In this example, the Rego policy checks if the user has the role ‘admin’ and if the resource owner matches the user’s username. The Python code uses an OPA client to evaluate the policy with input data.

4.2. RBAC with OPA:

Policy for RBAC:

package main

default allow = false

allow {
    role_permissions[input.user.role][_]
}

role_permissions = {
    "admin": ["edit", "delete"],
    "user": ["view"]
}

Python Code to Evaluate RBAC Policy

from opa_client import OpaClient # Assuming there is an OPA client library

Example RBAC input data

rbac_input = {
    'user': {'username': 'john_doe', 'role': 'admin'},
    'action': 'edit',
}

Evaluate RBAC policy

opa_client = OpaClient()
result = opa_client.evaluate('path/to/rbac-policy', rbac_input)

if result['allow']:
    print("User has permission to perform the action.")
else:
    print("User does not have permission to perform the action.")

In this example, the Rego policy checks if the user’s role has the required permission for the specified action. The Python code evaluates the RBAC policy with input data using the OPA client.

Ensure you have the OPA client library installed and configured in your Python environment. The actual usage of OPA in your system may depend on your specific setup and OPA deployment strategy. Additionally, replace path/to/abac-policy and path/to/rbac-policy with the actual paths to your ABAC and RBAC policies in your OPA deployment.

Written by

Albert Oplog

Hi, I'm Albert Oplog. I would humbly like to share my tech journey with people all around the world.