Fine-grained data access control is a sophisticated system that focuses on meticulous management of permissions and privileges.
It empowers organisations to exert precise control over who can access their data, extending to the level of individual rows or even specific columns within datasets. Here we explore the historical progression of fine-grained access control, delve into its various aspects, and address the challenges associated with it.
The Evolution: Role-Based Access Control (RBAC)
One of the foundational approaches to data access control is Role-Based Access Control (RBAC). This methodology revolves around assigning data access permissions based on an individual's role within an organisation. It simplifies access management by categorising users into predefined roles and defining the privileges associated with each role.
However, RBAC has inherent limitations — primarily its static nature. As an organisation grows and diversifies, managing an ever-expanding list of user roles becomes increasingly complex. This is especially evident when a manager requires access to data from multiple states or regions. In such cases, creating separate roles for each unique combination quickly leads to what experts call "role explosion."
An independent technology research firm, GigaOm, found that RBAC requires 93 times more policy changes compared to attribute-based access control to meet the same security requirements — highlighting the inherent inflexibility of the RBAC approach.
Attribute-Based Access Control (ABAC)
As organisations grappled with the limitations of RBAC, a new paradigm emerged — Attribute-Based Access Control (ABAC). ABAC represents a shift towards fine-grained access control by permitting or restricting data access based on a multitude of attributes assigned to users, objects, actions, and environmental variables.
ABAC offers a far more dynamic approach to data security than RBAC. Instead of being tied to predefined roles, access decisions in ABAC are based on specific attributes of the data and the attributes of the user requesting access. Key attribute types include:
- User attributes — pieces of information about a data user, such as name, title, department, and permission level
- Object attributes — data traits including creator, type, creation date, and sensitivity level
- Action attributes — what is being done to the data (reading, editing, approving, deleting)
- Environmental attributes — contextual information including location, date of access, and threat level
In ABAC, a single policy can be written against a user attribute called "user_state": access is granted only when the data's state attribute matches the user's "user_state" attribute, replacing dozens of RBAC roles with one dynamic rule.
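The "user_state" rule, combined with the other three attribute types listed above, as an added example that is not Colrows code. The Request class, the rule functions, the permission_level threshold, the 08:00-18:00 window and the sample rows are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample rows; "state" and "sensitivity" are object attributes.
ROWS = [
    {"id": 1, "state": "CA", "sensitivity": "internal"},
    {"id": 2, "state": "NY", "sensitivity": "internal"},
    {"id": 3, "state": "CA", "sensitivity": "restricted"},
]

@dataclass(frozen=True)
class Request:
    user: dict    # user attributes: user_state, permission_level
    action: str   # action attribute: "read", "edit", "delete"
    env: dict     # environmental attributes: time of access

def same_state(req, row):
    # The single rule from the text: the row's state must equal user_state.
    state = req.user.get("user_state")
    return state is not None and state == row.get("state")

def clearance(req, row):
    # Non-internal rows require permission_level >= 2 (illustrative threshold).
    level = req.user.get("permission_level", 0)
    return row.get("sensitivity") == "internal" or level >= 2

def business_hours(req, row):
    now = req.env.get("time")
    return now is not None and time(8, 0) <= now <= time(18, 0)

def read_only(req, row):
    return req.action == "read"

POLICY = (same_state, clearance, business_hours, read_only)

def permit(req, row):
    # Default deny: every rule must hold, and a missing attribute fails closed.
    return all(rule(req, row) for rule in POLICY)

def visible_rows(req, rows=ROWS):
    return [row["id"] for row in rows if permit(req, row)]
```

Adding a new state means adding rows and users with that attribute value; the policy itself does not change.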
Fine-Grained Access Control in Today's Landscape
In today's data landscape, where information is increasingly moving to the cloud and various data types with varying sensitivity levels are consolidated, fine-grained access control takes on paramount importance. Fine-grained access control allows organisations to configure varying degrees of access rather than placing data into binary "permitted" or "forbidden" categories.
It enables dynamic data masking — such as revealing only the last four digits of an account number while redacting the rest, or hashing sensitive values. It also empowers users to view data through aggregations like sums and averages on specific columns instead of individual data values. This approach champions data democratisation by eliminating the frustration that arises when someone needs access to certain dimensions of data but cannot obtain it due to overly restrictive permissions.
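The three techniques in this paragraph (last-four masking, hashing, aggregate-only access) as an added example that is not Colrows code. The column policy, permission levels, key and sample rows are assumptions; the hash is a keyed HMAC rather than a bare hash, and the minimum group size on aggregates is an extra safeguard not described in the text.

```python
import hashlib
import hmac
from statistics import mean

# Constructed sample rows.
ROWS = [
    {"account_number": "4000123412345678", "email": "ana@example.com", "balance": 100.0},
    {"account_number": "4000999988887777", "email": "bo@example.com", "balance": 300.0},
]
MASK_KEY = b"example-key"  # assumption: in practice a secret held outside the code

def last_four(value):
    # Values of four characters or fewer are fully redacted, never shown whole.
    s = str(value)
    return "*" * len(s) if len(s) <= 4 else "*" * (len(s) - 4) + s[-4:]

def keyed_hash(value):
    # Equal inputs give equal tokens (joins work); guessing inputs needs the key.
    return hmac.new(MASK_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:16]

# column -> (level needed for clear text, mask for lower levels or None to hide)
COLUMN_POLICY = {
    "account_number": (3, last_four),
    "email": (2, keyed_hash),
    "balance": (2, None),  # row-level values hidden; aggregates only
}

def masked_view(user, rows=ROWS):
    level = user.get("permission_level", 0)
    view = []
    for row in rows:
        out = {}
        for col, value in row.items():
            if col not in COLUMN_POLICY:
                continue  # unlisted column: default deny
            full_level, mask = COLUMN_POLICY[col]
            if level >= full_level:
                out[col] = value
            elif mask is not None:
                out[col] = mask(value)
        view.append(out)
    return view

def aggregate(rows, column, min_group=2):
    # Assumed safeguard: an aggregate over one row is just that row's value.
    if len(rows) < min_group:
        raise PermissionError("group too small to aggregate")
    values = [row[column] for row in rows]
    return {"sum": sum(values), "avg": mean(values)}
```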
Fine-grained access control proves invaluable when granting access to third-party service providers — a task nearly impossible with coarse-grained authorisation methods. It allows conditional privileges to be granted without exposing the entire system.
Key Characteristics
- Granularity — operates at highly specific levels such as rows, columns, or even individual cells within a database table.
- Precision — allows organisations to specify exactly what data a user can access, modify, or delete.
- Dynamic access control — access permissions can change based on conditions or events, such as access granted only during certain time periods.
- Data masking — sensitive data can be partially obscured when accessed by users who don't have full permission.
- Audit and monitoring — organisations can track who accessed what data and when, essential for security and compliance.
How Colrows Implements Dynamic Access Control
Colrows offers a dynamic and scalable solution for implementing fine-grained access control. Entitlement policies enable organisations to grant access to specific users, roles, and groups at both column and row levels based on data attributes. Cluster-based control applies access controls within clusters, ensuring consistent security across data from various sources.
Colrows can seamlessly integrate with external policy engines like OPA (Open Policy Agent) to leverage user entitlements from external sources. Its query parser implements fine-grained access control at row and column levels, taking into account user entitlements and data sensitivity. Colrows extends access control to a variety of data sources — including MySQL databases and materialised views in PostgreSQL — and operates as a service with an API-based architecture, making it well-suited for microservices environments.
Fine-grained access control is pivotal for organisations that seek precise data management, robust security, and compliance adherence. This approach provides a dynamic and adaptable means of controlling data access, marrying the strengths of both role-based and attribute-based access control.
As data continues to play a central role in business operations, fine-grained access control emerges as a cornerstone of modern data governance strategies.
Published on Colrows Insights · Nov 19, 2023 · insights@colrows.com · colrows.com