Fine-grained access control (FGAC) is central to dynamic authorization, ensuring sensitive data is only accessible to users under the right conditions laid out in a policy.
Fine-grained access control is the ability to grant or deny access to critical assets, such as resources and data, based on multiple conditions and/or multiple entitlements to a single data resource. Coarse-grained access control, on the other hand, is the ability to grant or deny access to resources based on a single factor, such as a role or an entitlement.
Fine-grained authorization is synonymous with Attribute-Based Access Control (ABAC) or Policy-Based Access Control (PBAC), whereas coarse-grained access control is synonymous with Role-Based Access Control (RBAC).
Fine-grained access control is important because it changes the rules of static authorization and enables secure sharing of many more sensitive information assets. However, this does require an effective and proven fine-grained authorization tool such as the Axiomatics dynamic data masking solution. This can be best explained through an example.
Imagine an archive where entries about clients are maintained. Most of the actual body text should be shared with staff members across different job functions. However, sensitive meta data about individual clients cannot be viewed by users who do not have the required authorization.
Unless the authorization system is fine-grained enough to filter out these details, all of the entries will have to remain undisclosed to protect the integrity of the data. Without the ability to filter out sensitive details or entire entries based on fine-grained conditions, the information will not be made available for sharing. If permissions can only be set on a directory level, the entire directory would remain off-limits even if it only contains one of several hundred documents for which a user lacks authorization.
Fine-grained authorization allows rich business rules and authorization policies to be enforced. Policy writers can create complex rules and policies that contain multiple conditions relating to time, location, role, action, and more, and these will be enforced. Rich, fine-grained controls can also be applied within a single resource.
Let’s look at a typical example of fine-grained access control of a business rule. This could be at any of our insurance company clients as it concerns assets stored in tables:
These complex business rules require fine-grained access controls, as they involve large data sets in tables with many columns, and row and cell-level security. Even if the data resource is coarse-grained, the rules that must be applied can be fine-grained.
Choosing when to use coarse-grained and when to use fine-grained authorization is similar to deciding when to use RBAC or ABAC. However, RBAC and fine-grained access control can be combined when roles are the only condition applied to access but the shared resources need to be masked, as in the above example from an insurance company.
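The following is an added illustration, not code from this page or from the Axiomatics product, of the ideas in the archive example and the business-rule discussion above: a single coarse-grained check that decides on the role alone, beside a small attribute-based policy that combines conditions on action, time and location with a row-level rule (agents only see clients in their own region) and a cell-level rule (low-clearance agents see the row but with the identifier column masked). The client table, the attribute names, the rules and the deny-overrides combining logic are all constructed for the example.

```python
"""Minimal attribute-based (fine-grained) policy evaluator with row- and
cell-level enforcement.  Everything here (data, attribute names, rules) is
constructed for illustration and is not Axiomatics' product, policy language
or API."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Row = Dict[str, object]

# Constructed sample table of client records (not real data).
CLIENTS: List[Row] = [
    {"id": 1, "region": "north", "name": "Alpha Ltd", "ssn": "000-00-0001", "premium": 1200},
    {"id": 2, "region": "north", "name": "Beta GmbH", "ssn": "000-00-0002", "premium": 980},
    {"id": 3, "region": "south", "name": "Gamma SA", "ssn": "000-00-0003", "premium": 2100},
]

MASK = "***"


@dataclass(frozen=True)
class Subject:
    user: str
    role: str        # the single coarse-grained entitlement
    region: str      # attribute used by the row-level rule
    clearance: int   # attribute used by the cell-level masking rule


@dataclass(frozen=True)
class Context:
    action: str      # e.g. "read" or "update"
    hour: int        # local hour of the request, 0-23
    location: str    # e.g. "office" or "remote"


Condition = Callable[[Subject, Context, Row], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition        # when the rule applies to (subject, context, row)
    effect: str                 # "permit" or "deny"
    mask: Tuple[str, ...] = ()  # columns to mask when a permit rule applies


def coarse_grained_allowed(subject: Subject, ctx: Context) -> bool:
    """Coarse-grained check: the role alone decides access to the whole table."""
    return subject.role in {"agent", "manager"} and ctx.action == "read"


# Fine-grained policy: several conditions, evaluated per row.
POLICY: List[Rule] = [
    # Action condition: this policy never permits writes.
    Rule("reads-only", lambda s, c, r: c.action != "read", "deny"),
    # Time and location condition: outside the office only during business hours.
    Rule("office-hours-or-onsite",
         lambda s, c, r: c.location != "office" and not (8 <= c.hour < 18), "deny"),
    # Row-level security: agents only see clients in their own region.
    Rule("own-region-only",
         lambda s, c, r: s.role == "agent" and r["region"] != s.region, "deny"),
    # Cell-level security: low-clearance agents see the row with the ssn masked.
    Rule("agent-masked",
         lambda s, c, r: s.role == "agent" and s.clearance < 2, "permit", mask=("ssn",)),
    Rule("agent-clear", lambda s, c, r: s.role == "agent" and s.clearance >= 2, "permit"),
    Rule("manager-full", lambda s, c, r: s.role == "manager", "permit"),
]


def evaluate(policy: List[Rule], subject: Subject, ctx: Context, row: Row) -> Tuple[str, Set[str]]:
    """Deny-overrides combining: one applicable deny wins outright; otherwise all
    applicable permits are merged and their masks unioned; if no rule applies
    the default is deny."""
    masks: Set[str] = set()
    permitted = False
    for rule in policy:
        if not rule.condition(subject, ctx, row):
            continue
        if rule.effect == "deny":
            return "deny", set()
        permitted = True
        masks.update(rule.mask)
    return ("permit", masks) if permitted else ("deny", set())


def enforce(policy: List[Rule], subject: Subject, ctx: Context, rows: List[Row]) -> List[Row]:
    """Drop rows the subject may not see and mask cells the subject may not read,
    so the rest of the table can still be shared instead of withheld wholesale."""
    visible: List[Row] = []
    for row in rows:
        decision, masks = evaluate(policy, subject, ctx, row)
        if decision != "permit":
            continue
        visible.append({k: (MASK if k in masks else v) for k, v in row.items()})
    return visible


if __name__ == "__main__":
    alice = Subject("alice", "agent", "north", 1)
    for row in enforce(POLICY, alice, Context("read", 10, "office"), CLIENTS):
        print(row)
```

The contrast with the coarse-grained check is the point: `coarse_grained_allowed` can only say yes or no to the whole table, so a single column the agent may not read would force the whole table off-limits, whereas `enforce` returns the two north-region rows with only the `ssn` cell masked. The deny-overrides ordering also matters in practice: a row-level deny is checked before any permit, so a permit rule with a mask can never reveal a row the subject should not see at all.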
APIs are central to many enterprises’ customer-facing initiatives. API security is therefore paramount, even though it can often be pushed down the priority list. Adding a layer of fine-grained access control to API Gateways could be the answer as it is externalized – and steered centrally from a business policy server instead. With less time worrying about security, more time can be spent on developing customer-centric APIs.
Our solutions are used to authorize data in many API gateways including:
See how Axiomatics enables you to balance the demands of your security team and your business users with the authorization solution that our customers love.