Powering up access control: Barco CTRL adds Attribute Based Access Control (ABAC)

Presenting the right information to the right person at the right time. That is, in short, the essential function of a control room platform like Barco CTRL. The ‘right person’ part is quite interesting, as this is doesn’t always follow a straight hierarchy. The traditional Role-Based Access Control (RBAC) system often fails to answer the organization’s needs. That is why Barco CTRL now introduces the more advanced Attribute Based Access Control (ABAC) system.

With Barco CTRL, we are in the enviable position of building something new whilst benefiting from decades of experience in the industry. This allows us to incorporate the latest insights and technologies into a system tailored to the market's needs. Furthermore, we looked at upcoming security trends and improvements into the broader IT industry, that we could bring into the converged AV/IT world. 

One of those improvements we have built into Barco CTRL is Attribute Based Access Control (ABAC), on top of the legacy Role Based Access Control (RBAC). We will explain the two concepts before we explain why ABAC is so much more powerful than RBAC.

Role Based Access Control is often hierarchical in nature but should be the result of studying what permissions are needed to achieve your job. Many companies will have experience with Active Directory or something very similar to deploy these rights.

Ideally, users are put into groups that somehow match the organizational structure and their job roles. Then, their group is assigned various permissions to access company assets, allowing them to perform their jobs. This sounds like a very logical way of working, but it has its limitations (and dangers).

Often, the permissions assigned to the ‘role group’ are based on consensus. Which means that some ‘special cases’ need some extra permissions. This could be a Subject Matter Expert (SME) in an area, who tests things before they are deployed to the rest of the team, someone with dedicated geographic responsibilities, or one person working part-time in two roles. The danger is that, when they change roles, they take these special permissions with them. Over time, they can build up a lot of special permissions (a phenomenon known as ‘Permissions Creep’). These edge cases build up throughout an organization, and it is inherently hard to assess their impact.

Attribute Based Access Control, on the other hand, allows to manage the special cases in a structured way, by tailoring permissions using more data points. The groups used in RBAC can still be used in ABAC, but are checked along with other data points before a user gains access. This is more similar to a Venn Diagram than an organizational chart. 

Other data points could be both the source’s location and the user's location at the time. This means you can give rights depending on the situation, not just the role.

For example, the same user can get wider rights on a test setup vs the operational setup. Or, he/she might have editing rights in the control room but only viewing rights in a crisis room.

This level of fine-grain control and flexibility allows a more secure, dynamic and personalized approach to permission management. ‘Permissions Creep’ is avoided by the stringent way of attributing rights, allowing a more structured approach than the use of personalized exceptions. ABAC thus allows Barco CTRL to meticulously tailor the correct rights to the people who need them, depending on the situation.