
Identity and Access Management: RBAC, ABAC, and Federation

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

IAM determines who can access what in your organization. Get it wrong and you have either users who cannot do their jobs or excessive access that becomes your next breach vector. Effective IAM balances security with usability across identity lifecycle, authorization models, and federation.

Authorization Models

RBAC (Role-Based Access Control) assigns permissions to roles, then assigns roles to users. An “Editor” role gets read and write permissions on content. A “Viewer” role gets read-only. Users inherit permissions through their assigned roles.

RBAC works well when your organization has clear job functions that map to permission sets. It breaks down when you need fine-grained, context-dependent decisions. Role explosion — creating hundreds of specialized roles to handle edge cases — is a sign that RBAC alone is not sufficient.

ABAC (Attribute-Based Access Control) makes authorization decisions based on attributes of the user, resource, action, and environment. A policy might say: users in the engineering department can access production logs during business hours from corporate network IPs.

ABAC is more flexible than RBAC but harder to audit and reason about. Policies can interact in unexpected ways. Use ABAC when you need context-sensitive decisions that RBAC cannot express.

ReBAC (Relationship-Based Access Control) defines access through entity relationships. Google Zanzibar popularized this model. A user can edit a document because they are a member of a group that owns the folder containing the document. Tools like SpiceDB and OpenFGA implement this pattern.

In practice, most organizations use a hybrid: RBAC for broad access categories with ABAC or ReBAC for fine-grained resource-level decisions.
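As an added example (not code from the article), a small Python policy engine that combines the three models the way the hybrid described above does: RBAC answers whether a user may write content at all, a Zanzibar-style relation graph answers which documents, and an ABAC rule gates production logs on department, time of day and source network. The users, roles, relation tuples and the 10.0.0.0/8 corporate range are constructed for the example, and the engine is default-deny.

```python
"""Hybrid authorization engine: RBAC for coarse grants, ABAC for contextual policy,
ReBAC (Zanzibar-style relation tuples) for resource-level rights. Default deny.
Added example with constructed users, roles and tuples; not code from the article."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- RBAC: permissions hang off roles, users hold roles ------------------------
ROLE_PERMS = {
    "viewer": {"content:read"},
    "editor": {"content:read", "content:write"},
    "sre":    {"logs:read"},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}, "carol": {"sre"}}
USER_ATTRS = {  # constructed directory attributes consumed by the ABAC rule
    "alice": {"department": "marketing"},
    "bob":   {"department": "sales"},
    "carol": {"department": "engineering"},
}

def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, ()) for role in USER_ROLES.get(user, ()))

# --- ABAC: user, resource, action and environment attributes -------------------
@dataclass
class Env:
    now: datetime
    source_ip: str

CORP_NET = ip_network("10.0.0.0/8")  # assumed corporate address space

def abac_prod_logs(user: str, action: str, resource: str, env: Env) -> bool:
    """Engineering may read production logs on weekdays 09:00-18:00 from the corporate network."""
    dept = USER_ATTRS.get(user, {}).get("department")
    return (action == "read" and resource.startswith("logs:prod")
            and dept == "engineering"
            and env.now.weekday() < 5 and 9 <= env.now.hour < 18
            and ip_address(env.source_ip) in CORP_NET)

# --- ReBAC: tuples of (object, relation, subject); a subject may be a userset ---
IMPLIED = {"editor": ("owner",), "viewer": ("editor",)}  # owner implies editor implies viewer

@dataclass
class RelationGraph:
    tuples: set = field(default_factory=set)

    def add(self, obj: str, rel: str, subj: str) -> None:
        self.tuples.add((obj, rel, subj))

    def check(self, obj: str, rel: str, user: str, depth: int = 0) -> bool:
        if depth > 16:  # cyclic group memberships must not recurse forever
            return False
        for o, r, s in self.tuples:
            if o == obj and r == rel:
                if s == user:
                    return True
                if s.endswith("#member") and self.check(s[:-len("#member")], "member", user, depth + 1):
                    return True
        for stronger in IMPLIED.get(rel, ()):
            if self.check(obj, stronger, user, depth + 1):
                return True
        for o, r, parent in self.tuples:  # rights on a folder flow down to its contents
            if o == obj and r == "parent" and self.check(parent, rel, user, depth + 1):
                return True
        return False

# --- The hybrid decision -------------------------------------------------------
def authorize(user: str, action: str, resource: str, env: Env, graph: RelationGraph) -> bool:
    if resource.startswith("logs:prod"):
        # role grant AND contextual policy: neither alone is enough for sensitive data
        return rbac_allows(user, "logs:read") and abac_prod_logs(user, action, resource, env)
    if resource.startswith("doc:"):
        perm = {"read": "content:read", "write": "content:write"}.get(action)
        rel = {"read": "viewer", "write": "editor"}.get(action)
        # RBAC says the user may edit content at all; ReBAC says which documents
        return perm is not None and rbac_allows(user, perm) and graph.check(resource, rel, user)
    return False  # unknown resource class: deny

def demo_graph() -> RelationGraph:
    """Constructed tuples: alice is in marketing, which owns the folder holding the doc."""
    g = RelationGraph()
    g.add("group:marketing", "member", "alice")
    g.add("folder:campaigns", "owner", "group:marketing#member")
    g.add("doc:q2-plan", "parent", "folder:campaigns")
    return g
```

Note that bob holds the Viewer role, so RBAC alone would let him read any document; the relation check is what confines him to documents he actually has a path to. The depth guard in `check` is the kind of detail that matters once group membership graphs contain cycles.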

Federation

Federation allows users to authenticate once and access resources across organizational boundaries. SAML 2.0 and OIDC are the two dominant protocols.

SAML is XML-based, primarily used for enterprise SSO to web applications. The Identity Provider (IdP) issues signed assertions that Service Providers (SPs) consume. SAML is mature and widely supported, but verbose and difficult to implement correctly. Common vulnerabilities include XML signature wrapping attacks and assertion replay. An SP must verify the signature against the IdP certificate taken from metadata (never one embedded in the message), confirm that the signed element is the assertion it is about to trust, and then check the Audience, the NotBefore/NotOnOrAfter window, and InResponseTo, rejecting any assertion ID it has already accepted.
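As an added example (not code from the article), the checks an SP should run on a SAML Response after its library has verified the XML signature. The cryptographic verification itself is assumed to have been done by an xmlsec-backed library against the IdP certificate from metadata and is not shown; the response below is a constructed, abbreviated document with a placeholder SignatureValue, and the entity IDs, request ID and assertion IDs are invented.

```python
"""Post-signature validation of a SAML 2.0 Response at the Service Provider.
Assumes the XML signature over the Assertion has already been verified by an
xmlsec-backed library against the IdP certificate from metadata. Added example;
the XML and identifiers are constructed."""
import xml.etree.ElementTree as ET  # use defusedxml in production for XXE hardening
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

class SamlError(Exception):
    pass

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_bytes: bytes, sp_entity_id: str, expected_request_id: str,
                      now: datetime, seen_ids: set, skew: timedelta = timedelta(minutes=3)) -> str:
    """Return the asserted NameID, or raise SamlError. `seen_ids` is the replay cache
    (in production: shared storage, entries kept until the assertion's NotOnOrAfter)."""
    root = ET.fromstring(xml_bytes)
    # 1. Signature wrapping: an attacker adds a second, unsigned Assertion somewhere in the
    #    document and hopes the application reads that one. Count assertions anywhere.
    assertions = list(root.iter(f"{{{NS['saml']}}}Assertion"))
    if len(assertions) != 1:
        raise SamlError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    aid = assertion.get("ID")
    # 2. The enveloped Signature must sit inside this Assertion and reference its own ID,
    #    so the bytes that were verified are the bytes about to be trusted.
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if ref is None or ref.get("URI") != f"#{aid}":
        raise SamlError("signature does not cover the consumed assertion")
    # 3. Audience: the assertion was issued for this SP, not for another tenant of the IdP.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlError("audience mismatch")
    # 4. Validity window, allowing bounded clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise SamlError("missing validity conditions")
    if now + skew < _ts(cond.get("NotBefore")) or now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlError("assertion outside validity window")
    # 5. InResponseTo ties the assertion to an AuthnRequest this SP issued; unsolicited
    #    responses are rejected (IdP-initiated SSO needs its own explicit policy).
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        raise SamlError("InResponseTo does not match an outstanding AuthnRequest")
    # 6. Replay: each assertion ID is accepted once.
    if aid in seen_ids:
        raise SamlError("assertion replayed")
    seen_ids.add(aid)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)

def rejection_reason(*args, **kwargs):
    """Convenience wrapper: None when the response is accepted, else the error text."""
    try:
        validate_response(*args, **kwargs)
        return None
    except SamlError as e:
        return str(e)

def sample_response(name_id="alice@example.com", audience="https://sp.example/metadata") -> str:
    """Constructed, abbreviated Response; the SignatureValue is a placeholder."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-02-28T10:00:00Z">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData InResponseTo="_req1"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2026-02-28T09:58:00Z" NotOnOrAfter="2026-02-28T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def wrapped_response() -> str:
    """Signature-wrapping shape: the signed assertion is kept so the signature still verifies,
    and an unsigned assertion for a different user is injected beside it."""
    forged = ('<saml:Assertion ID="_evil" Version="2.0"><saml:Subject>'
              '<saml:NameID>admin@example.com</saml:NameID></saml:Subject></saml:Assertion>')
    return sample_response().replace("<saml:Assertion", forged + "<saml:Assertion", 1)
```

Counting assertions with `iter` rather than a child lookup under the root matters: wrapping payloads are often hidden in elements the SP never looks at, such as `Extensions`, where a shallow `findall` would miss them.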

OIDC (covered separately) is simpler: it is layered on OAuth 2.0, carries identity in a signed JSON Web Token (the ID token), and is better suited for modern APIs and mobile applications.

For B2B SaaS, federation means your customers authenticate through their own IdP. Support both SAML and OIDC. Use a managed identity service such as Auth0, Okta, or WorkOS, or a well-maintained SAML/OIDC library, rather than implementing the protocols from scratch; the edge cases in SAML parsing alone justify the cost.

Identity Lifecycle Management

The identity lifecycle covers provisioning, modification, and deprovisioning. Each phase has security implications:

Provisioning: Automate account creation through HR system integration (Workday, BambooHR). Manual provisioning leads to inconsistent access and forgotten accounts. Use SCIM (System for Cross-domain Identity Management) to automate user provisioning and deprovisioning across SaaS applications.

Access reviews: Conduct quarterly reviews of user access. Managers certify that their team members still need their current permissions. Automate the collection and track completion. Focus reviews on privileged access and cross-departmental access.

Deprovisioning: Terminate access immediately when an employee leaves. Automate this through HR system integration. Audit for orphaned accounts — accounts that exist after the associated user has left. These are common targets for insider threats and former-employee attacks.
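As an added example (not code from the article), a reconciliation job that compares an HR roster against a SaaS application's SCIM user list and flags the three conditions the lifecycle section warns about: orphaned accounts with no HR record, accounts still active after the HR termination date, and active employees the application was never provisioned for. The roster, the SCIM listing and the service-account allow-list are constructed; the deactivation body is a standard SCIM 2.0 PatchOp.

```python
"""Reconcile an HR roster against a SaaS app's SCIM /Users listing and emit the
SCIM PATCH that disables stale accounts. Added example with constructed data."""
import json
from datetime import date

# Constructed HRIS export (what Workday/BambooHR would feed the provisioning job).
HR_ROSTER = [
    {"email": "alice@example.com", "status": "active", "department": "marketing"},
    {"email": "bob@example.com", "status": "terminated", "termination_date": "2026-02-20"},
    {"email": "carol@example.com", "status": "active", "department": "engineering"},
]
# Constructed SCIM 2.0 /Users listing (core schema fields only).
SCIM_USERS = [
    {"id": "u1", "userName": "alice@example.com", "active": True},
    {"id": "u2", "userName": "bob@example.com", "active": True},        # left, still enabled
    {"id": "u3", "userName": "erin@example.com", "active": True},       # unknown to HR: orphaned
    {"id": "u4", "userName": "svc-backup@example.com", "active": True},  # allow-listed service account
]
SERVICE_ACCOUNTS = {"svc-backup@example.com"}  # assumed: non-human accounts reviewed separately

def reconcile(hr: list, scim: list, today: date) -> list:
    """Return findings as dicts with a `kind` of orphaned, terminated_but_active or missing_account."""
    hr_by_email = {h["email"].lower(): h for h in hr}
    findings = []
    for u in scim:
        email = u["userName"].lower()
        if email in SERVICE_ACCOUNTS:
            continue
        rec = hr_by_email.get(email)
        if rec is None:
            findings.append({"userName": email, "kind": "orphaned", "scim_id": u["id"]})
        elif rec["status"] == "terminated" and u["active"]:
            days = (today - date.fromisoformat(rec["termination_date"])).days
            findings.append({"userName": email, "kind": "terminated_but_active",
                             "scim_id": u["id"], "days_since_exit": days})
    # Active in HR but absent from the app: a provisioning gap, not a breach, but it is
    # exactly the inconsistency that manual provisioning produces.
    known = {u["userName"].lower() for u in scim}
    for email, rec in hr_by_email.items():
        if rec["status"] == "active" and email not in known:
            findings.append({"userName": email, "kind": "missing_account"})
    return findings

def deactivate_patch() -> dict:
    """SCIM 2.0 PatchOp (RFC 7644 section 3.5.2) that disables the account instead of
    deleting it, so audit history and ownership of the user's data survive."""
    return {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def remediation_requests(findings: list) -> list:
    """(scim_id, JSON body) pairs to PATCH to /Users/{id} for every account that must be disabled."""
    return [(f["scim_id"], json.dumps(deactivate_patch()))
            for f in findings if f["kind"] in ("orphaned", "terminated_but_active")]
```

Run this on a schedule against every SCIM-capable application and alert on any `terminated_but_active` finding older than the deprovisioning SLA; the `days_since_exit` field is what turns a list into a metric the lifecycle owner can be held to.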

Privileged Access Management

Privileged accounts — domain admins, root, database admins — require additional controls. Implement just-in-time access: engineers request elevated access, it is approved, granted for a limited window, and automatically revoked.

Record privileged sessions for forensic purposes. Use a PAM solution like CyberArk, HashiCorp Boundary, or Teleport to broker access rather than distributing credentials directly.
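As an added example (not code from the article or from any of the products named above), a minimal just-in-time elevation broker that enforces the properties the section describes: a request needs a justification, approval must come from someone other than the requester, the window is capped, and access lapses on its own without a revocation step. The user, target and timings are constructed.

```python
"""Just-in-time privileged access broker: request, second-person approval, bounded
window, automatic expiry, append-only audit trail. Added example with constructed names."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_WINDOW = timedelta(hours=2)  # assumed policy cap on any single elevation

@dataclass
class Grant:
    id: str
    user: str
    target: str          # e.g. "prod-db-admin": a role or credential the broker fronts
    approver: str
    expires_at: datetime
    revoked: bool = False

class JitBroker:
    def __init__(self):
        self.pending = {}  # request id -> (user, target, justification, duration)
        self.grants = {}   # grant id -> Grant
        self.audit = []    # append-only event log for reviewers and forensics

    def request(self, user: str, target: str, justification: str, duration: timedelta) -> str:
        if not justification.strip():
            raise ValueError("justification required")
        rid = secrets.token_hex(8)
        self.pending[rid] = (user, target, justification, min(duration, MAX_WINDOW))
        self.audit.append(("request", rid, user, target, justification))
        return rid

    def approve(self, rid: str, approver: str, now: datetime) -> str:
        user, target, justification, duration = self.pending[rid]
        if approver == user:
            raise PermissionError("requester cannot approve their own elevation")
        del self.pending[rid]
        g = Grant(secrets.token_hex(8), user, target, approver, now + duration)
        self.grants[g.id] = g
        self.audit.append(("approve", g.id, user, target, approver, g.expires_at.isoformat()))
        return g.id

    def has_access(self, user: str, target: str, now: datetime) -> bool:
        """Checked on every session open: expiry is enforced at use time, not by a sweeper."""
        return any(g.user == user and g.target == target and not g.revoked and now < g.expires_at
                   for g in self.grants.values())

    def revoke(self, gid: str, by: str, now: datetime) -> None:
        self.grants[gid].revoked = True
        self.audit.append(("revoke", gid, by, now.isoformat()))

    def sweep(self, now: datetime) -> int:
        """Housekeeping: mark lapsed grants revoked so the audit trail records the closure."""
        closed = 0
        for g in self.grants.values():
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                closed += 1
                self.audit.append(("expire", g.id, now.isoformat()))
        return closed
```

In a real deployment the grant would be materialised as a short-lived certificate or a temporary group membership issued by the PAM broker, and the `has_access` check would be performed by that broker on session open, which is also where session recording starts.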

Related Career Paths

IAM expertise maps to IAM Specialist and Security Engineer career paths. These roles design, implement, and maintain the identity infrastructure that organizations rely on.


Frequently Asked Questions

How long does it take to learn this skill?

Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.

Do I need certifications for this skill?

Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.

What career paths use this skill?

Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
