Combine RBAC with ABAC

RBAC is Role Based Access Control, ABAC is Attribute Based Access Control.


  • A user or group can be assigned a role at design time. The user’s role is contained in the JWT token (when using OAuth2).
  • It’s good to make a separation between roles and access rights. Think of Azure AD. A role is composed of specific access rights at the resource level. Let’s say you are a uiltat the Resource Group level, then you also have the right to read or write messages to a servicebus queue within that resource group.
  • We can distinguish among built-in roles and user-defined roles. The asset owners can determine what specific access rights are assigned to a role. As a best practice, roles and access rights are separate responsibilities.
  • ABAC attributes should be retrieved and checked at run-time, when possible at the service level. They are not set up-front in a JWT token, when authentication takes place.
  • ABAC is used for fine-grained authorization. For instance, you can only access a lawsuit when you as a judge or a lawyer work on that case. Privacy regulations prevent you from accessing any other lawsuits. ABAC checks contextual information at the data level. You can also check on device type, time or location and implement conditional access.

The two pictures below contain some Dutch text, but are nevertheless very useful for contemplation on the subject: