RBAC like it was meant to be
Blog post from Tailscale
Role-based access control (RBAC) and its successor, attribute-based access control (ABAC), are powerful security models that modern implementations underuse, because those implementations often strip the original concepts down to weaker forms. The article traces the evolution of access control from Discretionary Access Control (DAC) to Mandatory Access Control (MAC), highlighting the strengths and limitations of each. DAC lets users grant permissions on the objects they own, whereas MAC imposes stricter rules set by administrators, which makes it challenging to implement effectively. RBAC, a subset of MAC, simplifies access management by assigning users to roles that determine access levels, and ABAC refines this by considering additional user attributes.

The discussion then covers why filesystem ACLs are inadequate for implementing true RBAC: they are complex and hard to maintain. By introducing object tags and a more centralized management approach, the article outlines a more robust framework for managing permissions, emphasizing the separation of responsibilities among system roles such as HR, security teams, and object owners. This refined model, as implemented by Tailscale, offers a clean and efficient design that facilitates the management of access permissions across network systems, demonstrating that a well-structured RBAC/ABAC model is both feasible and advantageous when implemented from the core of a system.
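The separation of responsibilities described above, as an added sketch (not code from the article or from Tailscale): three tables, each with a different maintainer, joined by a default-deny check. All user, role, tag and object names are constructed, and the rule that any matching policy entry grants access is an assumption made for illustration.

```python
# Maintained by HR: who holds which role. (Constructed sample data.)
USER_ROLES = {
    "alice": {"engineer"},
    "bob": {"accountant"},
    "carol": {"engineer", "oncall"},
}

# Maintained by object owners: which tags describe each object.
OBJECT_TAGS = {
    "build-server": {"dev"},
    "ledger-db": {"finance", "prod"},
    "api-prod": {"prod"},
}

# Maintained by the security team: one central policy of
# (role, tag, allowed actions). It never names a user or an object.
POLICY = [
    ("engineer", "dev", {"read", "write"}),
    ("accountant", "finance", {"read", "write"}),
    ("oncall", "prod", {"read"}),
]


def is_allowed(user, obj, action, user_roles=USER_ROLES,
               object_tags=OBJECT_TAGS, policy=POLICY):
    """Default deny: grant only if some rule links one of the user's
    roles to one of the object's tags for this action."""
    roles = user_roles.get(user, set())   # unknown user -> no roles
    tags = object_tags.get(obj, set())    # untagged object -> no access
    return any(role in roles and tag in tags and action in actions
               for role, tag, actions in policy)


def who_can(obj, action, user_roles=USER_ROLES,
            object_tags=OBJECT_TAGS, policy=POLICY):
    """Audit query: every user allowed to perform `action` on `obj`,
    answered from the central tables rather than per-object ACLs."""
    return sorted(u for u in user_roles
                  if is_allowed(u, obj, action, user_roles,
                                object_tags, policy))


if __name__ == "__main__":
    print(who_can("ledger-db", "read"))   # users with read on the ledger
    # HR moves bob to engineering; policy and tags are untouched.
    after_move = dict(USER_ROLES, bob={"engineer"})
    print(who_can("ledger-db", "read", user_roles=after_move))
```

Because the policy refers only to roles and tags, a change in any one table (a transfer recorded by HR, a new tag set by an owner) changes effective access without the other two maintainers editing anything.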