Access control mechanism

| Feature | Role-based access control (RBAC) | Attribute-based access control (ABAC) |
|---|---|---|
| Access control granularity | Coarse-grained access control | Fine-grained access control |
| User addition mechanism | Access control groups are defined as roles with pre-set privileges; a user is added to a group to receive its access privileges. | Users are assigned attributes that describe their properties; the access control system evaluates the required policies, expressed over sets of attributes, against the user's attributes to decide whether access is granted. |
| Structure of access policy | Permissions (operation/object pairs) are assigned to roles before any access request is made. | Policies are expressed as Boolean rules over attributes. |
| Input to authorisation decisions | Users are assigned to roles and inherit the permissions of those roles. Roles are often organised in a role hierarchy, which defines the inheritance of permissions between roles. | Attributes are the input to authorisation decisions and can combine many criteria, such as department, job code, time of day, IP address, and user location. |
| Decision level | Relates to functionality only. | Relates to access at the data level and the field level, as well as to functionality. |
| Access level | Does not allow non-employees access to organisational assets. | Allows limited access for third parties to organisational assets. |
| Model status | Not an automatic model: it must be painstakingly managed and often involves significant manual intervention. By itself, the role-based mechanism is inadequate for the dynamic requirements of cloud-based IoT. | A dynamic model: the system deploys access control dynamically by using attributes, i.e., a flexible access control approach. |
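To make the rows above concrete, here is an added Python example (not from the source table or any particular product) that implements a minimal policy decision point for each model side by side. The RBAC half shows pre-assigned (operation, object) permissions, a role hierarchy with permission inheritance, and the implicit denial of anyone who holds no role; the ABAC half shows Boolean rules over subject, resource and environment attributes (department, job code, IP address, time of day), field-level decisions, and limited third-party access evaluated at request time. Every role, user, attribute, network range and request below is constructed for illustration.

```python
"""Added example: RBAC vs ABAC policy decision points (all data constructed)."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


# ---------------------------------------------------------------------------
# RBAC: coarse-grained, permissions bound to roles before any request arrives
# ---------------------------------------------------------------------------
@dataclass
class RbacPolicy:
    permissions: dict = field(default_factory=dict)  # role -> {(operation, object), ...}
    parents: dict = field(default_factory=dict)      # role -> [roles it inherits from]
    assignments: dict = field(default_factory=dict)  # user -> [roles]

    def effective_roles(self, user):
        """Expand a user's roles through the hierarchy (transitive closure)."""
        todo = list(self.assignments.get(user, ()))
        seen = set()
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.parents.get(role, ()))
        return seen

    def is_allowed(self, user, operation, obj):
        """Functionality-level decision: does any effective role hold the pair?"""
        return any((operation, obj) in self.permissions.get(role, ())
                   for role in self.effective_roles(user))


# Constructed policy: "manager" inherits everything "staff" can do.
# A user with no role (e.g. a non-employee) is simply denied everything.
RBAC = RbacPolicy(
    permissions={"staff": {("read", "patient_records")},
                 "manager": {("approve", "patient_records")}},
    parents={"manager": ["staff"]},
    assignments={"alice": ["manager"], "bob": ["staff"]},
)


# ---------------------------------------------------------------------------
# ABAC: fine-grained Boolean rules over attributes, evaluated per request
# ---------------------------------------------------------------------------
CORP_NET = ip_network("10.0.0.0/8")  # constructed corporate address range


def during_business_hours(env):
    return time(9, 0) <= env["time"] <= time(17, 0)


# Each rule is a predicate (subject, action, resource, environment) -> bool.
ABAC_RULES = [
    # Same-department staff may read patient records, but only from the corporate network.
    lambda s, a, r, e: (a == "read" and r.get("type") == "patient_record"
                        and s.get("department") == r.get("department")
                        and ip_address(e["ip"]) in CORP_NET),
    # Field-level decision: only the owning department's managers may read the salary field.
    lambda s, a, r, e: (a == "read_field" and r.get("field") == "salary"
                        and s.get("job_code") == "manager"
                        and s.get("department") == r.get("department")),
    # Limited third-party access: a partner auditor may read audit logs during business hours.
    lambda s, a, r, e: (a == "read" and r.get("type") == "audit_log"
                        and s.get("org") == "partner_auditor"
                        and during_business_hours(e)),
]


def abac_allowed(subject, action, resource, env):
    """Permit-overrides: grant if any rule's Boolean expression is satisfied."""
    return any(rule(subject, action, resource, env) for rule in ABAC_RULES)


# Constructed subjects, resources and environments for the worked decisions.
ALICE = {"department": "cardiology", "job_code": "manager", "org": "hospital"}
EVE = {"department": "external", "job_code": "auditor", "org": "partner_auditor"}
RECORD = {"type": "patient_record", "department": "cardiology"}
SALARY = {"type": "hr_record", "department": "cardiology", "field": "salary"}
AUDIT_LOG = {"type": "audit_log", "department": "security"}
OFFICE = {"ip": "10.20.30.40", "time": time(10, 30)}
HOME_AT_NIGHT = {"ip": "203.0.113.7", "time": time(23, 0)}


if __name__ == "__main__":
    print("RBAC alice read  (inherited via manager->staff):", RBAC.is_allowed("alice", "read", "patient_records"))
    print("RBAC bob approve (not in staff role)          :", RBAC.is_allowed("bob", "approve", "patient_records"))
    print("RBAC carol read  (no role at all)             :", RBAC.is_allowed("carol", "read", "patient_records"))
    print("ABAC alice read record from office            :", abac_allowed(ALICE, "read", RECORD, OFFICE))
    print("ABAC alice read record from home at night     :", abac_allowed(ALICE, "read", RECORD, HOME_AT_NIGHT))
    print("ABAC alice read salary field                  :", abac_allowed(ALICE, "read_field", SALARY, OFFICE))
    print("ABAC eve (partner) read audit log in hours    :", abac_allowed(EVE, "read", AUDIT_LOG, OFFICE))
    print("ABAC eve (partner) read audit log at night    :", abac_allowed(EVE, "read", AUDIT_LOG, HOME_AT_NIGHT))
```

Note how the "model status" row plays out here: admitting the partner auditor under RBAC would mean an administrator creating a new role, assigning the (operation, object) pair and enrolling the user before the request, whereas under ABAC the existing rule grants or denies the request purely from the attributes presented at evaluation time, including the environment attributes (source address, clock) that a role assignment cannot express.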