Permission Models Explained — RBAC, ABAC, and ReBAC | Identity Expert

This video describes security mechanisms as defined in published standards. It is not a substitute for a professional security review of your own implementation. RBAC, ABAC, and ReBAC are the three dominant access control frameworks for answering the authorization question: given an authenticated identity, what are they allowed to do? Role-Based Access Control (RBAC) maps identities to roles, and roles to permissions. Defined formally in ANSI INCITS 359-2004 and referenced in NIST SP 800-207, RBAC is the default model in most enterprise IAM systems — it scales well for coarse-grained access decisions where user populations share consistent permission sets. Attribute-Based Access Control (ABAC) evaluates policies against attributes of the subject, resource, action, and environment at request time. XACML 3.0 is the canonical policy language for ABAC. ABAC enables fine-grained, context-aware decisions such as time-of-day restrictions, geographic constraints, or data classification checks. Relationship-Based Access Control (ReBAC) derives permissions from the relationship graph between subjects and objects — popularised by Google Zanzibar (2019). ReBAC is the basis of modern fine-grained authorisation products including OpenFGA, SpiceDB, and Ory Keto. Real systems compose all three: RBAC for coarse-grained access, ABAC or ReBAC for fine-grained decisions. Sources: NIST SP 800-207, ANSI INCITS 359-2004, OASIS XACML 3.0, Google Zanzibar (2019). --- Sources cited above are IETF RFCs, OIDF specifications, or W3C/OASIS standards — all freely reproducible for educational use. For educational purposes only. Specs evolve — always check the latest version of the standard. #RBAC #ABAC #Authorization #AccessControl #identityexpert