World Cup of Access Control: ACL vs. RBAC vs. Capability vs. ABAC


By Mike Schwartz | Jun, 2026 | Medium


Figure: World Cup of Access Control Models

Authorization requests generally align with the PARC model: Principal, Action, Resource, Context. Access control models use these request inputs differently. The question GovOps seeks to answer is: “Which approach is the best for measuring risk?”

Resource-based access control, especially ACLs, starts with the resource. ACLs can tell us when access is allowed to a resource, but ACLs are hard to correlate to risk when the action is unclear. So many ACLs include the action in the metadata of the ACL itself, combining action and resource into the policy. For example, think of Unix file permissions, or database or LDAP access control (remember the Sun Directory Server aci attribute…). Without the action, the risk signal is incomplete.

Attribute-based access control adds context. Context is essential for runtime decisions, but context alone is not a governance unit: the possible variables and combinations are effectively infinite.

Principal-based access control starts with identity: user, group, role, service account, workload, or agent. It’s an obvious approach. What are the humans allowed to do? Or what are the agents allowed to do? But identity alone does not correlate directly to risk. To calculate risk, we need to map people to entitlements.

Capability-based access control focuses on the compound key of Action + Resource. This corresponds roughly to “entitlement”, and is the clearest unit of governance for measuring risk. Capability is more active — it’s something you can do; entitlement is something you’re permitted to do. It’s a subtle nuance, but capability removes a layer of abstraction. Capabilities can be inventoried, classified, assigned owners, mapped to controls, monitored, and measured. If you want to measure access risk, capability is the right unit.

PARC shows that identity, action, resource, and context all matter. But if the goal is to measure and govern access risk, the center of gravity should be capability: Action + Resource.
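To make the argument concrete, here is an added example (my own code, not the author's or Gluu's) that normalises ACL-style and role-style grants into the capability key (Action, Resource), so each capability can be inventoried, classified and counted by holder. The grants, role memberships and risk classes are constructed sample data, and the function names are my own.

```python
from collections import defaultdict

# Constructed sample grants (not from the article). ACL entries carry the action in the
# entry itself, as the article describes; RBAC grants reach principals through a role.
ACL_ENTRIES = [  # (resource, principal, action)
    ("db:customers", "alice", "read"),
    ("db:customers", "bob", "read"),
    ("db:customers", "bob", "export"),
    ("s3:payroll", "hr-role", "read"),
]
ROLE_GRANTS = {"hr-role": [("write", "s3:payroll")]}
ROLE_MEMBERS = {"hr-role": ["carol", "dave"]}
# Risk class assigned per capability (action, resource); anything unlisted is "low".
CAPABILITY_RISK = {("export", "db:customers"): "high", ("write", "s3:payroll"): "high"}
RISK_RANK = {"high": 2, "medium": 1, "low": 0}


def capability_inventory(acl_entries, role_grants, role_members):
    """Map every grant to the compound key (action, resource) -> set of principals.
    Roles are expanded to their members so the holder count reflects real exposure."""
    inventory = defaultdict(set)
    for resource, principal, action in acl_entries:
        for holder in role_members.get(principal, [principal]):
            inventory[(action, resource)].add(holder)
    for role, grants in role_grants.items():
        for action, resource in grants:
            inventory[(action, resource)].update(role_members.get(role, []))
    return dict(inventory)


def risk_report(inventory, risk_classes):
    """Order capabilities by risk class, then by number of holders, highest first."""
    rows = []
    for (action, resource), holders in inventory.items():
        risk = risk_classes.get((action, resource), "low")
        rows.append({"action": action, "resource": resource, "risk": risk,
                     "holders": sorted(holders)})
    rows.sort(key=lambda r: (-RISK_RANK[r["risk"]], -len(r["holders"]),
                             r["action"], r["resource"]))
    return rows


def entitlements_for(inventory, principal):
    """The reverse view the article calls 'mapping people to entitlements'."""
    return sorted(cap for cap, holders in inventory.items() if principal in holders)


if __name__ == "__main__":
    inv = capability_inventory(ACL_ENTRIES, ROLE_GRANTS, ROLE_MEMBERS)
    for row in risk_report(inv, CAPABILITY_RISK):
        print(f"{row['risk']:5} {row['action']:7} {row['resource']:13} holders={row['holders']}")
```

The report puts the high-risk capabilities first regardless of whether they came from an ACL entry or a role grant, which is the point of using Action + Resource rather than the resource or the identity as the unit.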

Written by Mike Schwartz


Founder of Gluu and host the “Identerati Office Hours” Livestream twice a week! Mike resides in Austin TX with family and pigeons.
