Managing access control via Active Directory can be a perilous process for any IT administrator. It\u2019s too easy to fall behind in user lifecycle management or mistakenly overprovision users, which is a caveat anyone who\u2019s used nested groups understands. This legacy approach doesn\u2019t make user-based determinations and demands administrative overhead. <\/p>\n\n\n\n
Attribute-based access control (ABAC), however, works differently: it provides an instant cross-check of users within a group to the apps and resources they need. ABAC is, by nature, a better match for today\u2019s threat environment than legacy directory access controls, which is beneficial in an era when Zero Trust principles demand greater diligence. Nested groups had their time and place, but are no longer necessary (or even desirable) if your organization is living in a SaaS-based environment.<\/p>\n\n\n\n
ABAC is a method of granting and managing user access to IT resources to support environments that require more contextual awareness than simple user-centric parameters such as their assigned role. Used by cloud providers and identity and access management (IAM) solutions, ABAC is being used all around us to bring order to IAM chaos, which can include:<\/p>\n\n\n\n
Older access control methods such as role-based access control (RBAC) would only consider if an employee has the corresponding rights within a given system to access it. Active Directory (and even Azure Active Directory) maintains a similar posture as traditional RBAC, where group membership determines access rights. What\u2019s more, groups can be nested within groups, which without management can violate Zero Trust principles when trust is intrinsic within the access control model itself.<\/p>\n\n\n\n
That\u2019s a stark contrast with ABAC, which would essentially provide a \u201cfirewall\u201d of intelligent decision making to protect access to IT resources. It applies an \u201cif\/then\u201d logic that determines the risk that\u2019s presented by a user at a given time. For example, it could prevent access to an application deemed \u201chigh value\u201d by an employee who is authorized to access it but<\/em> is away on vacation and using unsecured public Wi-Fi at a coffee shop to do so.<\/p>\n\n\n\n
The ability to apply these conditions to group membership drives IT efficiency and delivers more proactive security controls.<\/p>\n\n\n\n
In general, ABAC applies business logic to group members<\/a> by using attributes as conditions<\/em> of group membership, which creates distinct advantages over legacy group management approaches. While the ABAC model typically performs dynamic mapping, JumpCloud\u00ae<\/sup> instead applies logic by suggesting appropriate membership to user groups, which admins ultimately have control over. Learn more in this access control case study<\/a>.<\/p>\n\n\n\n
You can think of JumpCloud\u2019s group management<\/a> as something that defines conditions for membership and assists admins in governing access within and downstream of JumpCloud. Updates are suggested to be made live in production based upon attributes such as \u201cdepartment,\u201d \u201ctitle,\u201d or any number of custom attributes, depending upon the application you\u2019re managing access to. User attributes, such as a manager, populate the \u201cif,\u201d but conditional access attributes, such as geolocation, determine what happens next.<\/p>\n\n\n\n
Conditional access policies, which use parameters like device, network, and even geolocation to guard access to IT resources, add additional security provisions on top of ABAC, which benefit from the group maintenance our suggestions provide. ABAC works in tandem with conditional access so that attributes \u201cdecorate\u201d users and distinctly map them to the appropriate group memberships to make suggestions for group management. <\/p>\n\n\n\n
JumpCloud also provides a method to audit access that has business rules and policy-driven decision making baked in. For example, when a user is determined to be in violation of a condition of group membership, their membership is updated to reflect that new rule (or whether an exception was made). Auditing and compliance weren\u2019t the primary motivation behind how we designed group management, but the platform makes performing an audit much easier due to its Zero Trust architecture.<\/p>\n\n\n\n
Groups are consistently looking at the user\u2019s attributes to determine who should have access to a resource and remain a member. SCIM provisioning has made it even easier to synchronize and manage identities for web apps to automate account creation and deletions for a more complete approach to user lifecycle management.<\/p>\n\n\n\n
This short tutorial video describes how JumpCloud does this: <\/p>\n\n\n\n