A Hybrid Access Control Model: RBAC+ABAC
Access control decisions for business are no longer about permission to allow and deny. When roles were introduced way back in the 90s, there was nothing like the Internet of Things or the technology advancements we see in today's world. In the 90s, businesses operated in silos and there was minimal collaboration. Now, in 2015, in a globalized world, if you are still sticking to the role-based model, it is about time to rethink.
An access control decision is made based on multiple factors.
How can you apply the above contextual information to make access control decisions JUST by using the role-based model?
This is a typical question that I pose to most of our prospective customers. The answer I often hear back from them is: #1 Customization, #2 More Roles … More … More & More Roles.
Solution:
With SAP GRC's new product offering, SAP Dynamic Authorization Management (SAP DAM), customers now have an option to choose from: customization, more and more roles, or SAP DAM.
The SAP DAM access control model is a hybrid of RBAC+ABAC.
- RBAC stands for role-based access control model
- ABAC stands for attribute-based access control model
In an RBAC model, the PRIMARY roles defined allow or deny users at the transaction code level. In an ABAC model, we take the subject, environment, resource and action performed as attributes to make access control decisions at the org level.
A combination of RBAC+ABAC becomes a very powerful access control tool for security administrators, because the business can now make fine-grained, dynamic, attribute-based access control decisions without any customization or adding more and more roles. This is how the hybrid model works.
With the SAP DAM offering, SAP GRC gave a new dimension to streamline how we have traditionally been making access control decisions.
Anand Kotti
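The hybrid decision flow described in the post (an RBAC check at transaction code level, then ABAC rules over subject, resource, action and environment attributes at org level), as an added Python example that is not part of the original post and is not SAP DAM's implementation. The roles, rule names, attribute names and values are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed RBAC layer: role -> transaction codes it grants (coarse allow/deny).
ROLE_TCODES = {"AP_CLERK": {"FB60", "FB03"}, "BUYER": {"ME21N"}}

@dataclass(frozen=True)
class Request:
    roles: tuple          # roles assigned to the subject
    tcode: str            # transaction code being started
    action: str           # "display" or "change"
    subject: dict = field(default_factory=dict)      # e.g. company codes the user serves
    resource: dict = field(default_factory=dict)     # e.g. company code of the document
    environment: dict = field(default_factory=dict)  # e.g. network the request comes from

def rbac_allows(req):
    """RBAC: does any assigned role grant the transaction code?"""
    return any(req.tcode in ROLE_TCODES.get(role, ()) for role in req.roles)

# Constructed ABAC rules. A missing attribute makes the rule fail (deny by default).
def org_level_matches(req):
    """Resource must belong to a company code the subject is responsible for."""
    code = req.resource.get("company_code")
    return code is not None and code in req.subject.get("company_codes", ())

def change_requires_corporate_network(req):
    """Display is allowed from anywhere; change only from the corporate network."""
    return req.action == "display" or req.environment.get("network") == "corporate"

ABAC_RULES = (org_level_matches, change_requires_corporate_network)

def decide(req):
    """Hybrid decision: RBAC gate first, then every ABAC rule must hold."""
    if not rbac_allows(req):
        return "DENY", "rbac:no_role_for_" + req.tcode
    for rule in ABAC_RULES:
        if not rule(req):
            return "DENY", "abac:" + rule.__name__
    return "PERMIT", "all_checks_passed"

if __name__ == "__main__":
    clerk = {"company_codes": ("1000",)}
    office = {"network": "corporate"}
    print(decide(Request(("AP_CLERK",), "FB60", "change", clerk, {"company_code": "1000"}, office)))
    print(decide(Request(("AP_CLERK",), "FB60", "change", clerk, {"company_code": "2000"}, office)))
    print(decide(Request(("AP_CLERK",), "FB03", "display", clerk, {"company_code": "1000"}, {"network": "vpn"})))
    print(decide(Request(("AP_CLERK",), "ME21N", "change", clerk, {"company_code": "1000"}, office)))
```

A single `AP_CLERK` role serves every company code here; the attribute rule does the scoping that a pure RBAC design would need one role per company code to express.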
Hi Anand,
Your generosity in sharing knowledge is highly appreciated. Could you say if there is any link giving an example of ABAC/Hybrid Access?
Regards
Plaban
Hello Plaban,
Thank you for your interest. To know more about SAP Dynamic Authorization Management (SAP DAM), please refer to the link below for the solution brief:
http://www.sap.com/pc/analytics/governance-risk-compliance/software/access-control-authorization-mgmt/index.html
If you are interested in a technical deep dive, I encourage you to contact
Bill.Doss at NextLabs dot com
Thank You
Anand Kotti
Hello Plaban,
Did you get the product information you are looking for?
Anand Kotti