
Why ABAC?
RBAC provides several benefits, including ease of implementation, reduced administrative overhead by enabling quick onboarding of new users, and simplified auditing, as it makes it easy to review which roles have access to sensitive data.
But, as the platform grows, you introduce more nuanced requirements for access control. These new requirements lead to the creation of new roles to meet specific access needs:
- Publisher: Can view, edit, approve, publish, and delete posts across all categories, but cannot manage user roles or settings.
- Junior Author: Can create and edit their own posts within assigned categories.
- Senior Author: Can create and edit their own posts in any category.
- User (Subscriber): Can view and comment on private posts in addition to public posts.
- Premium Subscriber: Has all the permissions of a regular subscriber and access to exclusive posts.
Before long, you may find yourself managing an ever-growing list of roles such as Senior Publisher, Publishing Supervisor, Guest User, Subscriber, Premium Subscriber, Graphic Designer, UX Designer, Photographer, Social Media Manager, US Marketing Specialist, UK Marketing Specialist, Web Developer, Data Analyst, Membership Manager, Ad Manager, Legal Advisor, and Sponsor Manager.
Introducing additional requirements—such as blog category, seniority, and jurisdiction—can quickly lead to role explosion. Just imagine how this would scale in data-intensive enterprise applications like finance or healthcare.
While scopes work well when boundaries are clear and static (for example, department, blog types), they require custom checks for more granular attributes such as seniority, length of service, blog creation time, or publication status. Scopes also struggle to account for attributes that change over time, like the location or timing of access.
Because RBAC relies on roles and fixed scopes to make access decisions, it is limited in handling complex and dynamic access needs. That is why OWASP (Open Worldwide Application Security Project) recommends using ABAC or ReBAC over RBAC, as they are more effective at implementing the principle of least privilege.
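The following is an added example, not code from the original article, showing how the blog roles listed above collapse into three base roles once seniority, assigned categories, premium status and post visibility are modelled as attributes rather than as separate roles. The `Subject` and `Post` attribute names, the action names and the deny-by-default rule list are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

# Constructed example: a minimal ABAC policy evaluator for the blog platform
# described above. Seniority and premium status are attributes, so no
# "Senior Author" or "Premium Subscriber" role is ever created.

@dataclass(frozen=True)
class Subject:
    user_id: str
    role: str                                  # "publisher" | "author" | "subscriber"
    seniority: str = "junior"                  # "junior" | "senior"
    premium: bool = False
    categories: FrozenSet[str] = frozenset()   # categories an author is assigned to

@dataclass(frozen=True)
class Post:
    owner_id: str
    category: str
    visibility: str                            # "public" | "private" | "exclusive"

Rule = Callable[[Subject, str, Post], bool]

def publisher_rule(s: Subject, action: str, p: Post) -> bool:
    # Publishers act on any post; managing roles/settings is a different resource.
    return s.role == "publisher" and action in {"view", "edit", "approve", "publish", "delete"}

def author_rule(s: Subject, action: str, p: Post) -> bool:
    # Authors only touch their own posts; seniority widens the category scope
    # instead of requiring a separate role.
    return (s.role == "author" and action in {"create", "edit"}
            and p.owner_id == s.user_id
            and (s.seniority == "senior" or p.category in s.categories))

def subscriber_rule(s: Subject, action: str, p: Post) -> bool:
    # Subscribers read and comment on public and private posts; the premium
    # attribute unlocks exclusive posts.
    if s.role != "subscriber" or action not in {"view", "comment"}:
        return False
    return p.visibility in {"public", "private"} or (p.visibility == "exclusive" and s.premium)

POLICY: List[Rule] = [publisher_rule, author_rule, subscriber_rule]

def is_allowed(s: Subject, action: str, p: Post) -> bool:
    """Deny by default; permit only when some rule explicitly allows the request."""
    return any(rule(s, action, p) for rule in POLICY)
```

Adding a new constraint such as jurisdiction or time of access means adding one attribute and one predicate, not a new role for every combination.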