Which statement accurately contrasts RBAC and ABAC, and when is ABAC especially useful?

• A. RBAC grants by role; ABAC grants by attributes (user, resource, environment). ABAC is useful for fine-grained, dynamic access control.
• B. RBAC uses attributes; ABAC uses roles; ABAC is never useful in dynamic environments.
• C. RBAC is for data encryption; ABAC is for network routing; ABAC is useful for static policies.
• D. RBAC and ABAC are identical in function; ABAC is more efficient.

Answer: (A)

Think of access decisions as driven by either roles or attributes. In RBAC, permissions live with roles and users gain those permissions by belonging to a role. In ABAC, decisions are made by evaluating a set of attributes—who the user is (user attributes), what the resource is (resource attributes), and the current context (environment attributes)—against defined policies.

This difference explains why ABAC is especially useful: it supports fine-grained control and adapts to changing contexts. Because decisions consider multiple attributes and rules, you can grant or restrict access in nuanced ways that go beyond fixed role membership, making it well-suited for dynamic environments where factors like time, location, or data sensitivity matter.

The other options misstate how RBAC and ABAC work or claim incorrect things about their usefulness or scope—RBAC isn’t attribute-based, ABAC can be valuable in dynamic contexts, they aren’t about encryption or routing, and they aren’t identical in function.