To represent the fact that role X can do Y on resource Z, I create a role called "role-Y:Z". The problem is, the number of "resource"s here is ever increasing, and so are the roles.

For every resource that I create, I end up creating 4 roles.

Problem is, RBAC is too coarse-grained for my use case.

Am I implementing RBAC the wrong way? Any idea how to avoid this role explosion? Maybe I should not use RBAC at all?

D.B.K

1 Answer

Maybe I should not use RBAC at all?

You need ReBAC (Relationship Based Access Control) :)

ReBAC solutions such as those based on Google's Zanzibar paper are a good solution for your need of fine-grained permissions.

Some of the companies offering Fine Grained Authorization include:

Maria Ines Parnisari
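
An added example, not part of the question or the answer above: a minimal Zanzibar-style check in Python showing how relationship tuples replace the per-resource "role-Y:Z" roles. The four relation names, the `parent` relation, the rule tables and all sample objects are assumptions made for illustration.

```python
from typing import NamedTuple

class Userset(NamedTuple):
    """Every subject holding `relation` on `obj`, e.g. group:eng#member."""
    obj: str
    relation: str

# Rules are written once per object type, never per resource.
# The four relation names are assumed stand-ins for the four per-resource roles.
IMPLIED_BY = {"viewer": ["commenter"], "commenter": ["editor"], "editor": ["owner"]}
INHERITED_FROM_PARENT = {"viewer", "editor"}

def check(tuples, user, relation, obj, _seen=None):
    """True if `user` has `relation` on `obj` via any chain of tuples and rules."""
    seen = set() if _seen is None else _seen
    if (obj, relation) in seen:          # already explored: stops cycles
        return False
    seen.add((obj, relation))
    for t_obj, t_rel, subject in tuples:
        if (t_obj, t_rel) != (obj, relation):
            continue
        if subject == user:              # direct grant
            return True
        if isinstance(subject, Userset) and check(
                tuples, user, subject.relation, subject.obj, seen):
            return True                  # grant through a group-like userset
    for stronger in IMPLIED_BY.get(relation, []):
        if check(tuples, user, stronger, obj, seen):
            return True                  # e.g. owner implies editor
    if relation in INHERITED_FROM_PARENT:
        for t_obj, t_rel, parent in tuples:
            if (t_obj, t_rel) == (obj, "parent") and check(
                    tuples, user, relation, parent, seen):
                return True              # e.g. folder editors can edit its docs
    return False

# Constructed sample data: (object, relation, subject)
TUPLES = {
    ("group:eng", "member", "user:alice"),
    ("folder:specs", "editor", Userset("group:eng", "member")),
    ("doc:roadmap", "parent", "folder:specs"),
    ("doc:roadmap", "owner", "user:bob"),
    ("doc:roadmap", "commenter", "user:carol"),
}

if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "user:carol"):
        print(who, {r: check(TUPLES, who, r, "doc:roadmap")
                    for r in ("viewer", "commenter", "editor", "owner")})
```

Creating a new resource here means writing one tuple such as `("doc:budget", "parent", "folder:specs")`; no new roles are defined, and access is denied by default for anyone without a connecting chain of tuples.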