RBAC vs ABAC
AWS Verified Permissions and Cedar support both Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). Understanding when to use each pattern is key to building flexible, maintainable authorization systems.Overview
RBAC
Role-Based Access ControlAccess decisions based on user roles (Admin, Analyst, Auditor)Pros:
- Simple to understand
- Easy to manage
- Matches organizational structure
- Less flexible
- Can lead to role explosion
- Coarse-grained control
ABAC
Attribute-Based Access ControlAccess decisions based on attributes (department, clearance level, classification)Pros:
- Very flexible
- Fine-grained control
- Scales to complex scenarios
- More complex to reason about
- Requires more planning
- Needs attribute management
Cedar’s Power: You don’t have to choose! Cedar lets you combine RBAC and ABAC in the same policy for maximum flexibility.
RBAC: Role-Based Access Control
RBAC grants permissions based on what role a user has. It’s the traditional approach used by most applications.Pure RBAC Example
This policy allows any Auditor to read any document:- Decision based solely on role membership
- No attribute checks
- All Auditors get the same permissions
- Simple to understand and manage
How RBAC Works in Cedar
Common RBAC Patterns
- Admin Access
- Role-Specific Actions
- Multiple Roles
ABAC: Attribute-Based Access Control
ABAC grants permissions based on attributes of the user, resource, action, or environment. It’s more flexible but requires more careful design.Pure ABAC Example
This policy allows access only if departments match:- Decision based on attributes, not roles
- Works for any user regardless of role
- Dynamic based on context
- Can express complex business rules
Attribute Types
ABAC policies can check different types of attributes:- Principal Attributes
- Resource Attributes
- Relational Attributes
- Context Attributes
Attributes of the user making the request:Examples:
principal.departmentprincipal.clearance_levelprincipal.emailprincipal.title
Common ABAC Patterns
- Same Department
- Clearance Level
- Complex Conditions
- Negative Conditions
Hybrid: RBAC + ABAC
The most powerful approach is combining RBAC and ABAC. This gives you the organizational clarity of roles with the flexibility of attribute-based rules.Hybrid Example from Demo
This policy uses both role membership and attribute comparison:- RBAC part:
principal in FinancialApp::Role::"Analyst"- Only Analysts get this permission
- ABAC part:
principal.department == resource.department- But only for documents in their department
More Hybrid Patterns
- Role + Clearance
- Role + Multiple Attributes
- Multiple Roles + Attributes
Demo Scenario Breakdown
Let’s analyze each demo policy by RBAC/ABAC classification:Act 2: AllowAnalystReadOwnDepartment
Type: Hybrid (RBAC + ABAC)RBAC: Uses role to identify Analysts
ABAC: Uses department attribute to limit scope
Benefit: Clear role definition with fine-grained control
ABAC: Uses department attribute to limit scope
Benefit: Clear role definition with fine-grained control
Act 3: AllowAuditorReadAll
Type: Pure RBACRBAC: Only uses role membership
ABAC: None
Benefit: Simple, easy to understand and manage
ABAC: None
Benefit: Simple, easy to understand and manage
Act 4: ForbidAuditorModify
Type: Pure RBACRBAC: Only uses role membership
ABAC: None
Benefit: Clear restriction based on job function
ABAC: None
Benefit: Clear restriction based on job function
When to Use Each Pattern
- Use RBAC When
- Use ABAC When
- Use Hybrid When
Scenario 1: Simple organizational permissionsAll admins get full access. No conditions needed.Scenario 2: Job function permissionsAuditors need read access to do their job. Role defines capability.When RBAC works best:
- Permissions align with organizational roles
- Everyone in a role needs the same access
- Simple permission model
- Easy for non-technical stakeholders to understand
Comparison Table
| Aspect | RBAC | ABAC | Hybrid |
|---|---|---|---|
| Complexity | Low | High | Medium |
| Flexibility | Low | High | High |
| Maintenance | Easy | Complex | Medium |
| Scalability | Role explosion | Scales well | Scales well |
| Performance | Fast | Slightly slower | Medium |
| Auditability | Easy | Complex | Medium |
| Business Alignment | High | Medium | High |
| Best For | Simple orgs | Dynamic rules | Most apps |
Migration Path: RBAC → Hybrid → ABAC
If you’re starting with RBAC and want more flexibility:Best Practices
Use roles for job functions, attributes for data access
Use roles for job functions, attributes for data access
Roles should represent what someone does (Analyst, Admin, Auditor). Attributes should control what data they can access (department, clearance level).Good:Avoid:
Creating roles like “FinanceAnalyst”, “HRAnalyst”, “SalesAnalyst” - use one Analyst role + department attribute instead.
Keep role hierarchies flat
Keep role hierarchies flat
Cedar doesn’t have built-in role hierarchy. Keep roles simple and use policies to define relationships.Instead of:
- Admin > Manager > Analyst (hierarchy)
- Separate policies for each role
- Use attributes to distinguish levels
Design attributes for reusability
Design attributes for reusability
Attributes should be reusable across multiple policies.Good:
Avoid:
department, clearance_level, classificationAvoid:
can_read_finance_docs, is_senior_analyst (too specific)Document the authorization model
Document the authorization model
Start simple, add complexity as needed
Start simple, add complexity as needed
Begin with RBAC. Add ABAC only when you need it. Don’t over-engineer from the start.
Next Steps
Policy Examples
See complete RBAC, ABAC, and hybrid policies from the demo
Schema Definition
Review the entity types and attributes that enable RBAC and ABAC
Policy Overview
Learn Cedar policy language fundamentals
Deploy Demo
Try RBAC and ABAC policies yourself in the live demo