One of the most common methods of Identity and Access Management (IAM), or the use of parameters to determine who can and cannot access certain data, is role-based access control (RBAC). This approach defines specific user roles within a company, then specifies permissions for each individual role. But what if a company needs to go beyond these simple authorizations? Each time a new data platform, data source, or data set is added, access permissions must be defined for each role. In large, complex companies — or even small but growing companies — there may be dozens or even hundreds of roles to manage that are constantly expanding.
In the simplest possible terms, RBAC might look something like this:
- Includes Employee X, Employee Y, and Employee Z
- Has access to Folder 3, Folder 4, and Folder 5
- Includes Employee A, Employee B, and Employee C
- Has access to Folder 1, Folder 2, and Folder 3
You can see how quickly this could become extremely complex. That’s where fine-grained access control, a more elegant and granular way of controlling access to data and resources, becomes so powerful.
What is Fine-Grained Access Control?
Fine-grained access control is a method of controlling who can access certain data. Compared to generalized access control, also known as coarse-grained access control, fine-grained access control uses more nuanced and variable methods for allowing access.
Most often used in cloud computing where large numbers of data sources are stored together, fine-grained access control gives each item of data its own specified policy for access. These criteria can be based on a number of specific factors, including the role of the person requesting access and the intended action upon the data. For example, one individual may be given access to edit and make changes to a piece of data, while another might be given access only to read the data without making any changes.
Why is Fine-Grained Access Control Important?
In cloud computing, the ability to store large amounts of information together is a substantial competitive advantage. However, this data can vary in terms of type, source, and security level — particularly when taking into account regulations relating to customer data or financial information.
Coarse-grained access control may work when data types can be stored separately and access to specific data types can simply be assigned based storage location (e.g., Tim can access X folder, Natalie can access Y folder, etc.), as in on-premises environments. But when data is stored together in the cloud, fine-grained access control is essential as it allows data with different access requirements to ‘live’ in the same storage space without running into security or compliance issues.
How is Fine-Grained Access Control Used?
Here are some of the most common use cases for fine-grained access control:
Use Case 1: Multiple Data Sources Stored Together
In the cloud, large batches of diverse data types are stored in one place. You can’t simply grant wholesale access to these storage segments based on roles — there may be certain data types that can be accessed by a certain role and others that should not be. Fine-grained access control is therefore essential because it sets access parameters for specific data types, even when stored together.
Use Case 2: Varying Degrees of Access, Based on Roles
One of the most significant benefits of fine-grained access control is that it allows for varying degrees of access, rather than a pass/fail approach based on the user, their role, or the organization to which they belong. In coarse-grained systems, data may simply fall into one of two categories — permitted or forbidden — based on who is attempting to access it. But with fine-grained access control, there’s room for a bit more subtlety and variation.
For example, imagine three employees with different roles and levels of access. For a certain piece of data, you might set parameters so that one of the employees can access the file, make changes to it, and even move its location. The second employee may be allowed to see the file and move it but not access it. The third employee might only be given permission to read the file.
This level of specificity can help your company avoid the inconvenience and frustration that comes with someone needing to view data but being unable to because their permissions are fully restricted.
Use Case 3: Securing Mobile Access
More and more companies are offering support for accessing data remotely through mobile devices such as smartphones. Meanwhile, the standard workday is being extended as people work from home or at differing hours. With this in mind, companies may need to implement access controls that are based not just on role or identity but also on factors such as time or location.
Fine-grained access control allows for this. For example, you may be able to limit access permissions to a specific location so that employees can’t access it from third-party wireless servers that could be exposed to breaches.
Use Case 4: Third-Party Access
In many cases, a B2B business may want to give a third-party access to some of its assets stored in the cloud, without risking accidental changes to data or compromised security. Fine-grained access control can allow these companies to grant third-parties read-only access, keeping their data properly secured.
What are the Elements of Fine-Grained Access Control?
There are generally considered to be three primary forms of access control solutions:
Role-based solutions are considered coarse-grained because they organize users into ‘roles’ and grant or deny access rights based only on these roles, while ignoring other factors. This means they may be overly broad or restrictive and not able to scale efficiently. In fact, an independent study found that Ranger’s RBAC approach required 75x more policy changes than Immuta’s attribute-based method.
When it comes to fine-grained access control, the two primary approaches are attribute-based access control or purpose-based access control.
Attribute-Based Access Control
This form of access control assigns ‘attributes’ to specific users and data, then determines access based on those attributes. These attributes could include a user’s position or role, but may also include their location, the time of day, and other factors. Data attributes might include the type of data, creation date, or storage location, among others.
Purpose-Based Access Control
The most flexible form of access control authorization, purpose-based access control combines a range of roles and attributes using logical connections that are flexible and evolving. It is considered a fine-grained access control solution because it uses multiple attributes to determine whether data can or cannot be accessed, and to what extent.
Choosing a Data Access Control Tool
Looking for a data access control tool that will provide fine-grained access control and much more? Immuta enables self-service data access with automated, attribute- and purpose-based controls that are dynamically applied at query time. These data access controls are complemented by a suite of other features that enhance data access control and universal cloud compatibility and security, including:
- Sensitive Data Discovery and Classification
- Dynamic Data Masking
- Data Policy Enforcement and Auditing
With Immuta’s fine-grained, dynamic access control capabilities, data engineering and operations teams have decreased their number of roles by 100x and reduced self-service data access from months to mere seconds.
Ready to learn more? Request an Immuta demo today.