Who You Know versus What You Do: The Social Network of Access Control

Last Updated on Aug. 12, 2025
Published June 26, 2024

Forget job titles and checkboxes: modern access control is going full soap opera. Meet ReBAC (Relationship-Based Access Control), the model that doesn't just ask what you are or what you have, but who you're connected to, how, and why that matters. It's like Facebook, but instead of tagging friends in vacation photos, it's deciding whether you can open a sensitive HR file.

RBAC says: "You're a manager, so here's your access." ABAC (Attribute-Based Access Control) says: "You're a manager with clearance level 5, and it's a Tuesday."
ReBAC says: "You're a manager who mentors someone on the finance team who owns this document, so... maybe?" It's access control with a PhD in social dynamics, and it might be exactly what today's tangled enterprise environments need.

What is Graph-Powered Authorization?

Graph-powered authorization is also referred to as Relationship-Based Access Control (ReBAC), which is an access control model that uses the complex connections and relationships between entities (users, resources, and permissions) to determine access.

ReBAC is presented as an alternative to traditional models like Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), particularly useful for complex access control requirements in modern enterprises.

Graph-powered authorization systems, or ReBAC, base access decisions on the relationships between subjects (users) and objects (resources), and on how those relationships chain together.

  1. Modeling via Graphs: These relationships are modeled as a graph, composed of nodes and edges. Nodes can represent entities such as users, documents, and roles, while edges represent relationships such as "Alice has the editor role" or "Alice reports to Bob".

  2. Access Determination: Access decisions are made by following these relationship paths within the graph. For instance, a user's ability to view a file might depend on their relationship to the folder containing the file; if they are a viewer of the folder, they can access the files within it.

  3. Mechanism and Scalability: A typical ReBAC engine stores each relationship as a tuple of (object, relation, subject), for example "document B has relation editor to user A", often written in the shorthand object#relation@user. Authorization checks are answered in real time by traversing these tuples, following rewrite rules such as "editor implies viewer" and "viewer of the parent folder implies viewer of the file". Engines built this way are optimized for low-latency, high-throughput checks and typically answer in milliseconds. One caveat for practitioners: when tuples are replicated or cached, a check can see a stale graph and grant access that was just revoked, so the engine needs an explicit consistency model (for example, a revision token the caller passes with the check) rather than relying on eventual convergence.

  4. Benefits: ReBAC naturally handles hierarchical structures and complex permission scenarios such as nested folders, shared projects, and delegated ownership. It helps address the limitations of RBAC, particularly role explosion (where the number of roles needed to express every combination of access becomes unmanageable) and token bloat (where so many roles are embedded in an authentication token that the token exceeds header or cookie size limits). Because permissions are derived from relationships at check time, they do not need to be enumerated in the token at all.

A managed graph database service such as Amazon Neptune is one option for implementing ReBAC because of its efficiency in modeling, storing, and querying complex relationships; purpose-built authorization engines that keep a tuple store in memory are another.
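The mechanism described above, as an added example that is not code from the original article or from any product it mentions: an in-memory tuple store plus a recursive check that follows "editor implies viewer", "viewer of a folder reaches the files in it", and group membership (a subject written as group:finance#member). The schema, object names, and sample tuples are constructed for this illustration.

```python
"""Minimal relationship-based (ReBAC) check over a tuple store.

Each relationship is a tuple (object, relation, subject), e.g.
("doc:q3-report", "parent", "folder:finance") or
("folder:finance", "viewer", "user:alice").  A subject may itself be a
userset such as "group:finance#member", which is resolved recursively.
"""
from collections import defaultdict

# Hypothetical rewrite rules for this example.  For each relation on an object
# type: which other relations on the same object also grant it, and which
# relations on the object's parent propagate down to it.
SCHEMA = {
    "folder": {
        "viewer": {"same_object": ["editor"], "via_parent": ["viewer"]},
        "editor": {"same_object": [], "via_parent": ["editor"]},
    },
    "doc": {
        "viewer": {"same_object": ["editor"], "via_parent": ["viewer"]},
        "editor": {"same_object": [], "via_parent": ["editor"]},
    },
    "group": {"member": {"same_object": [], "via_parent": []}},
}

# Constructed sample relationships (not real data).
TUPLES = [
    ("folder:finance", "viewer", "group:finance#member"),  # group can view folder
    ("group:finance", "member", "user:bob"),               # bob is in the group
    ("folder:finance", "editor", "user:alice"),            # alice edits the folder
    ("doc:q3-report", "parent", "folder:finance"),         # doc lives in folder
    ("doc:q3-report", "viewer", "user:carol"),             # carol shared directly
]


class TupleStore:
    """Index tuples by (object, relation) so traversal is a set lookup."""

    def __init__(self, tuples):
        self.index = defaultdict(set)
        for obj, rel, subj in tuples:
            self.index[(obj, rel)].add(subj)

    def subjects(self, obj, rel):
        return self.index.get((obj, rel), set())


def check(store, obj, relation, user, _seen=None):
    """Return True if `user` reaches `relation` on `obj` through any path.

    Depth-first search over the relationship graph; `_seen` guards against
    cycles (e.g. a folder accidentally made its own ancestor).
    """
    _seen = _seen if _seen is not None else set()
    key = (obj, relation)
    if key in _seen:
        return False
    _seen.add(key)

    # 1. Direct tuples on this object/relation, expanding usersets.
    for subj in store.subjects(obj, relation):
        if subj == user:
            return True
        if "#" in subj:  # userset like "group:finance#member"
            s_obj, s_rel = subj.split("#", 1)
            if check(store, s_obj, s_rel, user, _seen):
                return True

    obj_type = obj.split(":", 1)[0]
    rules = SCHEMA.get(obj_type, {}).get(
        relation, {"same_object": [], "via_parent": []}
    )

    # 2. A stronger relation on the same object (editor implies viewer).
    for rel in rules["same_object"]:
        if check(store, obj, rel, user, _seen):
            return True

    # 3. Inheritance from the parent object (folder viewer -> file viewer).
    for parent in store.subjects(obj, "parent"):
        for rel in rules["via_parent"]:
            if check(store, parent, rel, user, _seen):
                return True
    return False


if __name__ == "__main__":
    store = TupleStore(TUPLES)
    for who in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(who, "viewer:", check(store, "doc:q3-report", "viewer", who),
              "editor:", check(store, "doc:q3-report", "editor", who))
```

Note that no tuple says alice or bob can view the report; both answers come from walking the graph (alice through editor-on-folder, bob through group membership on the folder), which is exactly the "viewer of the folder, therefore viewer of the file" case from step 2 above. Revoking bob's group membership removes his access to every document under the folder without touching any document-level tuple, which is what keeps the model free of role explosion.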

Sound similar to Risk-Adaptive Access Control (RAdAC)?

Close but not so much. Relationship-Based Access Control (ReBAC) and Risk-Adaptive Access Control (RAdAC) differ fundamentally in the basis for their access decisions—ReBAC relies on structural relationships, while RAdAC relies on real-time risk assessment.

Here’s a quick table to break it all down.

Primary basis for decision
  ReBAC: Structural relationships between users and resources, modeled as a graph.
  RAdAC: The current risk environment, threats, or operational priorities.

Mechanism
  ReBAC: Access decisions follow relationship paths (nodes and edges) in the graph structure.
  RAdAC: Access permissions are adjusted dynamically based on a real-time risk assessment.

Core goal
  ReBAC: Provide fine-grained access control and efficiently manage complex access hierarchies (solving role explosion).
  RAdAC: Ensure that security policies align with real-time threat levels and organizational requirements.

Implementation focus
  ReBAC: Graph databases and tuple-based data models optimized for relationship queries.
  RAdAC: Sophisticated analytics and monitoring tools that can assess risk accurately.

Adaptability
  ReBAC: High flexibility in modeling complex hierarchies and permission propagation.
  RAdAC: Conditional and context-sensitive access that responds to changes in risk context (e.g., requiring MFA if a user attempts access from a new, untrusted IP address).

RAdAC introduces a nuanced layer to access controls by factoring in risk assessment. It allows for conditional and context-sensitive access, meaning permissions are adjusted dynamically. For instance, if a risk is detected, the system can demand multi-factor authentication (MFA) or deny access completely, even if the user has the required clearance.

While RAdAC focuses on adjusting permissions based on how risky the request looks right now, ReBAC focuses on defining access based on who is structurally connected to what. The two are complementary rather than competing: a ReBAC (or RBAC/ABAC) check answers "is this user permitted at all?", and a RAdAC layer then decides whether that permission is honored as-is, only after step-up authentication, or not at all under current risk.

The goal of RAdAC is similar to that of Contextual Access Control (CAC), which is an advanced model that grants or denies access based on real-time contextual factors like location, device type, and time of access, often integrating with AI-powered risk assessments.

Similarly, History-Based Access Control (HBAC) uses historical profiles to assess potential danger or reliability, adjusting access rights based on past actions to help prevent issues like compromised accounts or fraud.
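The risk-adaptive layer described in the last few paragraphs, as an added example that is not code from the original article: a scoring function that combines live context (network, device, time of day) with a history-based signal (recent failed logins, previously seen IPs) and maps the score to ALLOW, STEP_UP_MFA, or DENY. It takes the result of the static permission check (ReBAC, RBAC, or ABAC) as an input rather than re-implementing it. The weights, thresholds, trusted ranges, and sample requests are all hypothetical values constructed for this illustration.

```python
"""Risk-adaptive (RAdAC) decision layer on top of a static permission check."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

ALLOW, STEP_UP_MFA, DENY = "ALLOW", "STEP_UP_MFA", "DENY"

# Hypothetical corporate ranges treated as known-good (RFC 1918 and a
# documentation prefix used here only as a stand-in for a real office egress).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


@dataclass
class RequestContext:
    user: str
    source_ip: str
    device_managed: bool
    mfa_done: bool
    timestamp: datetime
    # History-based (HBAC) signals about this user
    recent_failed_logins: int = 0
    known_ips: set = field(default_factory=set)


def risk_score(ctx):
    """Sum weighted risk signals and return (score, reasons).

    Weights are illustrative; a real deployment tunes them from telemetry.
    """
    score, reasons = 0, []
    ip = ip_address(ctx.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        score += 30
        reasons.append("untrusted network")
    if ctx.source_ip not in ctx.known_ips:
        score += 20
        reasons.append("new IP for this user")
    if not ctx.device_managed:
        score += 25
        reasons.append("unmanaged device")
    hour = ctx.timestamp.astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        score += 10
        reasons.append("off-hours access")
    if ctx.recent_failed_logins >= 3:
        score += 40
        reasons.append(f"{ctx.recent_failed_logins} recent failed logins")
    return score, reasons


def decide(structurally_permitted, ctx, mfa_threshold=30, deny_threshold=70):
    """Combine the static permission result with live risk.

    The static check is necessary but not sufficient: a permitted user is
    still denied under high risk, and asked for MFA under moderate risk.
    """
    if not structurally_permitted:
        return DENY, ["not permitted by static policy"]
    score, reasons = risk_score(ctx)
    if score >= deny_threshold:
        return DENY, reasons
    if score >= mfa_threshold and not ctx.mfa_done:
        return STEP_UP_MFA, reasons
    return ALLOW, reasons


def sample_contexts():
    """Constructed sample requests for one user (not real telemetry)."""
    noon = datetime(2024, 6, 26, 14, 0, tzinfo=timezone.utc)
    base = dict(user="user:alice", known_ips={"10.1.2.3"}, timestamp=noon)
    return {
        "office": RequestContext(source_ip="10.1.2.3", device_managed=True,
                                 mfa_done=False, **base),
        "travel": RequestContext(source_ip="198.51.100.7", device_managed=True,
                                 mfa_done=False, **base),
        "travel_mfa": RequestContext(source_ip="198.51.100.7", device_managed=True,
                                     mfa_done=True, **base),
        "suspicious": RequestContext(source_ip="198.51.100.7", device_managed=False,
                                     mfa_done=False, recent_failed_logins=4, **base),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        verdict, why = decide(True, ctx)
        print(f"{name:11s} -> {verdict:12s} {why}")
```

The "travel" request is the case from the table above: a user who holds the permission but arrives from a new, untrusted IP is pushed to MFA, and the same request with MFA already completed is allowed. The "suspicious" request shows the other half of the RAdAC promise from the paragraph above: the user still has clearance, yet the combination of signals denies outright rather than offering MFA, since a burst of failed logins from an unmanaged device is the profile of a credential-stuffing attempt, not a traveling employee.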

In a nutshell, ReBAC handles tricky access rules by mapping out who’s connected to what—kind of like a social network for permissions. On the flip side, RAdAC plays it by ear, checking the situation in real time and deciding if access is safe based on the current risk level.
