Fine-grained Access Control (FGAC)
What is the difference between coarse-grained and fine-grained access control?
Fine-grained access control is the ability to grant or deny access to critical assets, such as resources and data, based on multiple conditions and/or multiple entitlements to a single data resource. Coarse-grained access control, on the other hand, is the ability to grant or deny access to resources based on a single factor, i.e. role, or entitlement.
Fine-grained authorization is synonymous with Attribute-based Access Control (ABAC) or Policy-based Access Control (PBAC), whereas coarse-grained access control is synonymous with Role-based Access Control (RBAC).
Why is fine-grained access control important?
Fine-grained access control is important because it changes the rules of static authorization and enables secure sharing of many more sensitive information assets. However, this does require an effective and proven fine-grained authorizatio tool such as Axiomatics dynamic data masking solution. This can be best explained through an example.
Imagine an archive where entries about clients are maintained. Most of the actual body text should be shared with staff members across different job functions. However, sensitive meta data about individual clients cannot be viewed by users who do not have the required authorization.
Unless the authorization system is fine-grained enough to filter out these details, all of the entries will have to remain undisclosed to protect the integrity of the data. Without the ability to filter out sensitive details or entire entries based on fine-grained conditions, the information will not be made available for sharing. If permissions can only be set on a directory level, the entire directory would remain off-limits even if it only contains one of several hundred documents for which a user lacks authorization.
How does fine-grained authorization enable secure information sharing?
Fine-grained authorization allows rich business rules and authorization policies to be enforced. Policy writers can create complex rules and policies that contain multiple conditions relating to time, location, role, action, and more, and these will be enforced. Rich, fine-grained controls can also be applied within a single resource.
Let’s look at a typical example of fine-grained access control of a business rule. This could be at any of our insurance company clients as it concerns assets stored in tables:
- Claims Adjusters A may view the name, social security number and salary of contract holders when reviewing loss of salary compensation claims, from a company computer. However, for financial privacy reasons, invoiced fees must not be disclosed.
- Claims Adjusters B who are reviewing invoiced fees should not see salary information or Social security numbers of contract holders.
- Adjusters C should only see general information about contract holders assigned to their department, an agent or contractors of the department unless an explicit case assignment has been made.
These complex business rules require fine-grained access controls, as they involve large data sets in tables with many columns, and row and cell-level security. Even if the data resource is coarse-grained, the rules that must be applied can be fine-grained.
Coarse-grained vs fine-grained access controls
Choosing when to use coarse-grained and when to use fine-grained authorization is similar to deciding when to use RBAC or ABAC. However, RBAC and fine-grained access control can be combined when roles are the only condition applied to access, but the shared resources needs to be masked, as in the above example from an insurance company.
Choose coarse-grained access control when:
- The number of roles in an organization are manageable for governing secure access to and sharing of sensitive information
- When there are no limitations regarding which data in a resource, a permitted user or machine can view/access
Choose fine-grained access control when:
- Sharing sensitive innformation assets in a highly regulated industry
- Sharing sensitive information across geographical borders that could impact export controls
- Data security restrictions are slowing down collaboration, business and innovation
- The number of roles in an organization are unmanageable for governing secure access to and sharing of sensitive data
- There are limitations regarding which information in a resource, a permitted user or machine can view/access
Connecting fine-grained authorization to API gateways
APIs are central to many enterprises’ customer-facing initiatives. API security is therefore paramount, even though it can often be pushed down the priority list. Adding a layer of fine-grained access control to API Gateways could be the answer as it is externalized – and steered centrally from a business policy server instead. With less time worrying about security, more time can be spent on developing customer-centric APIs.
Our solutions are used to authorize data in many API gateways including:
- Amazon API Gateway
- CA API Gateway
- IBM Data Power
- Oracle API Gateway