Resource based access

Resource-Based Access Control (ReBAC) is an access control model that manages permissions based on relationships between users and resources. Unlike traditional models such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), which focus primarily on user roles and attributes, ReBAC determines access based on how users and resources are connected within a system. This model is particularly useful in collaborative environments, content-sharing platforms, and complex enterprise applications where access needs to be dynamically assigned based on relationships rather than predefined roles or attributes.

Why Use Resource-Based Access Control?

1. Fine-Grained Access Control

ReBAC allows for highly granular access permissions by defining specific relationships between users and resources. Instead of granting broad access through roles, permissions are granted based on direct associations. For example, a document-sharing application may allow only the document owner and explicitly shared collaborators to access a file, ensuring tight security and precise access control.

2. Dynamic and Scalable Permissions

Unlike RBAC, which requires predefined roles, ReBAC enables access to be granted dynamically as relationships between users and resources change. This makes it an ideal solution for applications where permissions need to evolve in real-time, such as social networks, project management tools, and multi-tenant SaaS platforms.

3. Improved Security Through Relationship-Based Policies

ReBAC enforces security policies based on the actual relationships between entities, reducing the risk of excessive permissions. For example, in a corporate environment, an employee may only have access to resources they have directly created or have been assigned to, preventing unauthorized access to sensitive data.

4. Simplified Permission Management

Managing access through relationships reduces administrative overhead compared to traditional models that require frequent updates to roles and permissions. With ReBAC, permissions are assigned automatically based on predefined relationships, eliminating the need for manual intervention.

5. Enhanced Collaboration and Sharing

ReBAC is particularly useful in systems where resources need to be shared dynamically. For example, in a cloud-based document management system, users can grant access to specific individuals or teams without requiring IT intervention. This ensures seamless collaboration while maintaining strict access control.

6. Ideal for Hierarchical and Multi-Tenant Environments

ReBAC is well-suited for applications where hierarchical access structures are needed. For example, in an enterprise setting, managers can have access to the resources of their direct reports without requiring a global administrator role. Similarly, in multi-tenant applications, organizations can structure access control based on ownership, departments, or customer relationships.
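The access patterns described above (document owner, explicitly shared collaborators, and a manager's access to a direct report's resources) can be sketched as a small relationship-tuple check. This is an added example, not Veriam code or configuration; every name in it is hypothetical, the data is constructed, and which actions each relation grants (including read-only manager access) is an assumption.

```python
# Added illustration: relationship tuples and a deny-by-default check.
# All names (RELATIONS, GRANTS, can_access, users, documents) are hypothetical.

# Constructed sample data: (subject, relation, object) tuples.
RELATIONS = {
    ("alice", "owner", "doc:roadmap"),
    ("bob", "collaborator", "doc:roadmap"),
    ("carol", "manager", "user:alice"),   # carol manages alice directly
    ("dave", "manager", "user:carol"),    # dave manages carol, not alice
    ("erin", "owner", "doc:budget"),
}

# Assumption: relations that grant each action directly on a resource.
GRANTS = {
    "read": {"owner", "collaborator"},
    "write": {"owner", "collaborator"},
    "delete": {"owner"},
}

# Assumption: a manager inherits only read on a direct report's resources.
MANAGER_INHERITS = {"read"}


def has(subject, relation, obj):
    """True if this exact relationship tuple exists."""
    return (subject, relation, obj) in RELATIONS


def can_access(user, action, resource):
    """Return True only if a relationship path grants the action."""
    allowed = GRANTS.get(action)
    if allowed is None:
        return False  # unknown action: deny by default
    # Direct relationship (owner or explicitly shared collaborator).
    if any(has(user, rel, resource) for rel in allowed):
        return True
    # One-hop hierarchy: manager of the resource owner, direct reports only.
    if action in MANAGER_INHERITS:
        owners = [s for (s, r, o) in RELATIONS if r == "owner" and o == resource]
        return any(has(user, "manager", f"user:{owner}") for owner in owners)
    return False


def revoke(subject, relation, obj):
    """Removing the tuple removes the access; there is no role to clean up."""
    RELATIONS.discard((subject, relation, obj))
```

The hierarchy check stops at one hop on purpose: following manager links transitively would give every level of management access to everything beneath it, which is the kind of excessive permission the model is meant to avoid.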

ReBAC in Veriam

Veriam supports resource-based access control by allowing resources to be configured with resource attributes as required. By creating filters and filter conditions that target these resources and resource attributes, and by using or combining resource-based filters within a policy, all possible scenarios can be covered.
