Interview › Security & DevSecOps
What is RBAC versus ABAC? [Advanced]
Answer
RBAC grants permissions based on roles assigned to users or service accounts. ABAC grants permissions based on attributes such as user department, resource classification, environment, request context, time, or device posture. RBAC is simpler; ABAC is more dynamic and context-aware.
Technical explanation
RBAC works well for stable job functions such as developer, viewer, deployer, or admin.
ABAC is useful when access depends on attributes such as data sensitivity, project ownership, or request source.
Many real systems combine both: role-based entitlements plus attribute conditions.
Hands-on example
Example: RBAC gives the payments-team-deployer role permission to deploy to the payments namespace. ABAC adds a condition that production deploy is allowed only from a protected branch, through approved CI, during a change window, and by the owning team.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]