Attribute-Based Access Control (ABAC) is widely recommended by industry analysts such as Gartner, and the US National Institute of Standards and Technology (NIST) defines the model in Special Publication 800-162. It is now regarded by many as the best-practice way to control access to technology systems.
ABAC grants access to information and systems based on attributes a person must have, rather than on who they are. Instead of granting access to a system to James, Taraji, and Aiden, we can grant access to anyone with ‘Role=Manager and Office=Paris’. Anyone who meets both criteria automatically gets access, anyone who does not meet both is denied, and access tracks people’s roles and offices as they change. The decision is only as good as the attribute data behind it, so the source of Role and Office (typically the HR system or directory) must be authoritative and kept current. In the general ABAC model, attributes of the resource, the action and the environment can be evaluated as well; this example uses subject attributes only.
This means we no longer have to work out everyone who needs access, grant it by hand, and then maintain long lists of names as the business changes over time. Because it removes that manual configuration and maintenance, ABAC is a far more scalable and precise way to control access to important resources.
At Torsion, we call ‘Role=Manager and Office=Paris’ a Security Rule. It is essentially a description of the business reason why a person should receive access to something. It replaces the need for a list of named individuals who should receive access. We simply enable data owners to specify the reasons why people should have access to their data and then we automate the rest.
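As an added illustration of how a rule such as ‘Role=Manager and Office=Paris’ is evaluated (example code written for this page, not Torsion’s product code), the block below parses rules in that `Attribute=Value` style into a boolean expression and checks them against each person’s attribute record. It goes a little beyond the single rule above: it also accepts `!=`, `or` and parentheses, with `and` binding tighter than `or`. The people, attributes and rule syntax are constructed for the example. Two choices matter for security: a subject whose record lacks an attribute the rule names is denied (fail closed), and a rule that does not parse never grants access.

```python
"""Evaluate ABAC rules of the form `Role=Manager and Office=Paris`.

Added example (not Torsion's code). Rules are parsed into a small
boolean expression over subject attributes and evaluated against one
attribute record per person. Supports `=`, `!=`, `and`, `or` and
parentheses; `and` binds tighter than `or`. Missing attributes deny.
"""
from __future__ import annotations

import re
from typing import Mapping

Attrs = Mapping[str, str]

_TOKEN_RE = re.compile(
    r"""\s*(?:
        (?P<lparen>\()
      | (?P<rparen>\))
      | (?P<cond>[A-Za-z_]\w*\s*(?:!=|=)\s*(?:"[^"]*"|[^\s()]+))
      | (?P<op>(?:and|or)\b)
    )""",
    re.IGNORECASE | re.VERBOSE,
)
_COND_RE = re.compile(r'([A-Za-z_]\w*)\s*(!=|=)\s*(?:"([^"]*)"|([^\s()]+))')


class RuleSyntaxError(ValueError):
    """A rule that cannot be parsed. Callers must treat this as deny."""


def tokenize(rule: str) -> list[tuple[str, str]]:
    """Split a rule into (kind, text) tokens; kinds: lparen, rparen, cond, op."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if m is None:
            raise RuleSyntaxError(f"bad syntax at offset {pos}: {rule[pos:]!r}")
        pos = m.end()
        kind = m.lastgroup
        value = m.group(kind)
        tokens.append((kind, value.lower() if kind == "op" else value))
    return tokens


def parse_rule(rule: str):
    """Parse into a nested tuple AST: ('cond', name, op, value) or ('and'|'or', l, r)."""
    tokens, pos = tokenize(rule), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else (None, None)

    def expect(kind):
        nonlocal pos
        k, v = peek()
        if k != kind:
            raise RuleSyntaxError(f"expected {kind}, got {v!r}")
        pos += 1
        return v

    def expr():                       # expr := term ('or' term)*
        node = term()
        while peek() == ("op", "or"):
            expect("op")
            node = ("or", node, term())
        return node

    def term():                       # term := factor ('and' factor)*
        node = factor()
        while peek() == ("op", "and"):
            expect("op")
            node = ("and", node, factor())
        return node

    def factor():                     # factor := '(' expr ')' | cond
        if peek()[0] == "lparen":
            expect("lparen")
            node = expr()
            expect("rparen")
            return node
        name, op, quoted, bare = _COND_RE.fullmatch(expect("cond")).groups()
        return ("cond", name, op, quoted if quoted is not None else bare)

    tree = expr()
    if pos != len(tokens):
        raise RuleSyntaxError(f"unexpected token {peek()[1]!r}")
    return tree


def evaluate(node, attrs: Attrs) -> bool:
    """Decide one subject against a parsed rule; unknown attributes deny."""
    kind = node[0]
    if kind == "cond":
        _, name, op, value = node
        actual = attrs.get(name)
        if actual is None:            # attribute not recorded for this subject
            return False
        return actual == value if op == "=" else actual != value
    if kind == "and":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    return evaluate(node[1], attrs) or evaluate(node[2], attrs)


def is_allowed(rule: str, attrs: Attrs) -> bool:
    """Access decision for one subject; a malformed rule never grants."""
    try:
        return evaluate(parse_rule(rule), attrs)
    except RuleSyntaxError:
        return False


def who_has_access(rule: str, directory: Mapping[str, Attrs]) -> list[str]:
    """Sorted names of everyone whose current attributes satisfy the rule."""
    tree = parse_rule(rule)
    return sorted(name for name, attrs in directory.items() if evaluate(tree, attrs))


# Constructed sample directory (hypothetical people and attribute values).
DIRECTORY = {
    "James":  {"Role": "Manager",  "Office": "Paris"},
    "Taraji": {"Role": "Manager",  "Office": "London"},
    "Aiden":  {"Role": "Engineer", "Office": "Paris"},
    "Noor":   {"Role": "Manager"},                     # Office never recorded
}

if __name__ == "__main__":
    rule = "Role=Manager and Office=Paris"
    print(who_has_access(rule, DIRECTORY))             # ['James']
    moved = {**DIRECTORY, "Taraji": {"Role": "Manager", "Office": "Paris"}}
    print(who_has_access(rule, moved))                 # ['James', 'Taraji']
```

Running the script shows the point of the page: nobody edits a list when Taraji moves to Paris; her directory record changes and the next evaluation of the same rule includes her. Noor, who is a Manager but has no Office recorded, is denied until the attribute is populated, which is the safer default when the attribute feed is incomplete.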