A long-standing debate in the IT community has been whether Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) is a better model for authorization management. The one thing that everyone can agree on is that, whatever the model, authorization logic should be created and maintained outside the application rather than managed separately within each application.
In this white paper, we discuss the RBAC versus ABAC models for authorization, lay out the benefits and weaknesses of each approach and offer a real-time RBAC/ABAC hybrid model that retains the advantages of each while avoiding their major weaknesses.