Explain RBAC vs ABAC.

RBAC (Role-Based Access Control)* ties permissions to user roles, while ABAC (Attribute-Based Access Control) uses user, resource, and environment attributes to determine access decisions.

When to Use

• Use RBAC when roles are stable (e.g., developer, admin) in databases or systems.
• Use ABAC when policies depend on context (e.g., access allowed only during business hours or from specific regions).
• Many enterprises combine both for balance.

Example

In a company database, a “DB Admin” role (RBAC) grants schema modification rights.

ABAC adds conditions like “only from the corporate network.”

Want to build deep design intuition?

Explore:

• Grokking System Design Fundamentals
• Grokking the System Design Interview
• Grokking Database Fundamentals for Tech Interviews or Mock Interviews with ex-FAANG engineers

Why Is It Important

Choosing the right model enforces least privilege, prevents data leaks, and supports compliance in modern systems.

Interview Tips

• Define RBAC vs ABAC simply.
• Provide a real-world example.
• Discuss when to choose one over the other.
• Mention hybrid adoption.

Trade-offs

• RBAC: Easier to implement, but suffers from role explosion.
• ABAC: Flexible and granular, but requires complex policies and more compute.

Pitfalls

• Mixing up authentication with authorization.
• Overloading RBAC with too many roles.
• Ignoring ABAC’s performance overhead.