WA4. RBAC vs LBAC
Statement
In unit four, we are introduced to database systems. For your written assignment: Using web-based sources, discuss role-based access controls (RBAC) and how they compare to other types of controls such as label-based access controls (LBAC). Your response must be complete and in your own words with a conclusion and title page.
Answer
Databases hold the history of organizations and their users; therefore, it is important to protect these data from falling into the wrong hands. Access controls play an important role in deciding which users have access to which data and which operations they are allowed to perform. The two major access control models are role-based access control (RBAC) and label-based access control (LBAC); this text discusses each model and how they compare to each other.
Role-based access control (RBAC)
- A database role is an object that groups together one or more privileges or database authorities. It can be assigned to users, groups, PUBLIC, or other roles by a GRANT statement. For example, we can define a developer role and allow this role to insert, update, and delete data on a set of tables (Sharma et al., 2010).
- Database privileges are authorities assigned to a user, role, or group of users.
- Authorities are defined as objects within the database configuration files (metadata) that map capabilities to their corresponding privileges.
- In a role-based access control model, users get access to database objects depending on the roles assigned to them. For example, a user with an analytics role in the marketing department can only read data from tables that belong to the marketing department.
- This is a common way of grouping users and assigning privileges to them; that is, all users with the same role have the same access capabilities.
- It is also flexible, since a user can have multiple roles; that is, the user has all the privileges of all the roles assigned to them.
- The RBAC model removes the need to assign privileges to individual users, which is a tedious and error-prone task.
- Removing a user’s access to specific data is also easier since we can just remove the user from the role that has access to that data.
Label-based access control (LBAC)
- LBAC works the other way around from RBAC: permissions are attached to the data rather than to the users.
- The security administrator defines policies containing labels that specify which users, roles, or groups are allowed to access the data.
- Labels are assigned to data at the column level, row level, or table level.
- Nothing is needed at the user level, but the user must meet the requirements of the policy when accessing the data.
- LBAC is more complex than RBAC since it requires more effort to define policies and assign labels to data.
- LBAC adds an extra layer of security around the more sensitive data.
Conclusion
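The following statements put the two models above side by side in Db2 syntax (the dialect described by the IBM reference). This is an added illustration, not code from the assignment or from IBM; the schema, table, role, user, and label names are constructed for the example.

```sql
-- RBAC: privileges are granted to roles, and roles are granted to users.
CREATE ROLE marketing_analyst;
CREATE ROLE marketing_developer;

-- Analysts may only read the marketing table; developers may also change it.
GRANT SELECT ON TABLE marketing.campaigns TO ROLE marketing_analyst;
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLE marketing.campaigns TO ROLE marketing_developer;

-- A user holds every privilege of every role granted to them (constructed users alice, bob).
GRANT ROLE marketing_analyst  TO USER alice;
GRANT ROLE marketing_developer TO USER bob;

-- Removing access means revoking the role membership, not editing per-table grants.
REVOKE ROLE marketing_developer FROM USER bob;

-- LBAC: the security administrator (SECADM authority) defines a component, a policy, and labels.
-- Array elements are ordered from most to least sensitive.
CREATE SECURITY LABEL COMPONENT sensitivity ARRAY ['RESTRICTED', 'INTERNAL', 'PUBLIC'];
CREATE SECURITY POLICY marketing_policy COMPONENTS sensitivity WITH DB2LBACRULES;
CREATE SECURITY LABEL marketing_policy.restricted COMPONENT sensitivity 'RESTRICTED';
CREATE SECURITY LABEL marketing_policy.internal   COMPONENT sensitivity 'INTERNAL';

-- Labels are attached to the data: one protected column, plus a
-- DB2SECURITYLABEL column that carries a label for each individual row.
CREATE TABLE marketing.customers (
  customer_id INTEGER NOT NULL,
  email       VARCHAR(100),
  phone       VARCHAR(20) SECURED WITH restricted,
  row_label   DB2SECURITYLABEL
) SECURITY POLICY marketing_policy;

-- On the user side only a label is granted; the policy rules decide each access.
-- alice (INTERNAL) sees INTERNAL and PUBLIC rows, and her SELECT fails if it names
-- the RESTRICTED phone column; rows she may not read are filtered out silently.
-- bob (RESTRICTED) can read every row and the phone column.
GRANT SECURITY LABEL marketing_policy.internal   TO USER alice FOR ALL ACCESS;
GRANT SECURITY LABEL marketing_policy.restricted TO USER bob   FOR ALL ACCESS;
```

Note that the RBAC grants say nothing about which rows or columns inside marketing.campaigns a developer may touch, while the LBAC policy protects phone and each row of marketing.customers regardless of which roles the reader holds.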
As we saw, both RBAC and LBAC are widely used, and which one is better depends on the organization's needs. RBAC is more flexible and easier to implement, while LBAC is more secure and provides more granular control over data.
Usually, a combination of both is used to ensure the security of the data, but that comes at the cost of complexity and performance, since the database has to check the user's roles first and then check the policies at the data level and whether the user meets their requirements.
References
- Sharma, N., Perniu, L., Chong, R. F., Iyer, A., Nandan, C., Mitea, A. C., Nonvinkere, M., & Danubianu, M. (2010). Database Fundamentals (1st ed.), Chapter 9. Markham, ON: IBM Corporation.
- Imperva. (n.d.). Role-Based Access Control (RBAC). https://www.imperva.com/learn/data-security/role-based-access-control-rbac/
- IBM. (2022). Label-Based Access Control (LBAC) overview. https://www.ibm.com/docs/en/db2/11.5?topic=security-label-based-access-control-lbac