On an episode of the Open Source Data podcast, Dave Thomas of Deloitte mentioned that role-based access control, or RBAC, doesn’t scale well for data mesh.
We have heard this a few times in the community. As organizations transition towards data mesh, roles get redefined: a data engineer embedded in a domain may warrant significantly more access to its data products than a data engineer who is still part of the central organization, and the same person's needs change as they move between domains. Expressing that in RBAC means minting a role for every combination of domain and job, which is where the model starts to break down.
Dave specifically mentioned attribute-based access control, or ABAC, as a better fit for data mesh. At its core, ABAC does feel like a better fit, because the decision becomes a predicate over attributes of the subject and the data product (which domain each belongs to, how the data is classified) rather than a lookup against a fixed role, so a change in someone's situation changes the outcome without anyone having to create or reassign roles. Do companies really need a roster of hundreds of roles and sub-roles to make RBAC work?
When ABAC came up in the data mesh community, purpose-based access control, or PBAC (h/t to Kris Peeters for mentioning it), was also raised as a potentially better fit: access is granted for a declared purpose that the data owner has approved, and that purpose is recorded with the decision, rather than being tied only to who the requester is. While we don’t love promoting them or their work, Palantir did a good post on what PBAC could look like here.
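To make the three models concrete, here is a small policy decision point written for this post. It is an added illustration, not code from the podcast, from Deloitte or from Palantir's write-up, and the domains, users, clearance levels, purposes and the rule itself are all constructed assumptions. It evaluates the same request ("may this engineer read the sales domain's restricted orders product?") under RBAC, ABAC and PBAC, and shows why pure RBAC needs one role per domain to say "embedded engineers may read their own domain's data".

```python
"""Toy policy decision point, added to illustrate the post (not code from the
podcast, Deloitte or Palantir): the same data-mesh rule expressed as RBAC,
ABAC and purpose-based access control. All domains, users, attributes and
purposes below are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # RBAC: role names granted to the user
    domain: str               # ABAC: the domain the user is embedded in
    clearance: str            # ABAC: "internal" or "restricted"


@dataclass(frozen=True)
class Resource:
    name: str
    domain: str               # owning domain of the data product
    classification: str       # "internal" or "restricted"
    allowed_purposes: frozenset = frozenset()   # PBAC: purposes the owner approved


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str = "read"
    purpose: str = ""         # PBAC: the reason the caller declares


LEVELS = {"internal": 0, "restricted": 1}


# --- RBAC: the domain has to be baked into the role name ---------------------
def rbac_roster(domains, base_roles):
    """'An engineer embedded in domain X may read X's products' can only be
    expressed in pure RBAC by minting one role per (domain, base role) pair.
    The roster grows as domains x base roles, which is the scaling problem."""
    return frozenset(f"{d}:{r}" for d in domains for r in base_roles)


def rbac_allow(req: Request) -> bool:
    # Each data product maps to exactly one role; no attributes are consulted.
    return req.action == "read" and f"{req.resource.domain}:engineer" in req.subject.roles


# --- ABAC: one rule over subject and resource attributes --------------------
def abac_allow(req: Request) -> bool:
    s, r = req.subject, req.resource
    embedded = s.domain == r.domain                       # inside the owning domain
    cleared = LEVELS[s.clearance] >= LEVELS[r.classification]
    # Embedded engineers see everything their own domain owns; anyone else
    # needs clearance at or above the product's classification.
    return req.action == "read" and (embedded or cleared)


# --- PBAC: ABAC plus a declared purpose the data owner has approved ---------
def pbac_allow(req: Request) -> bool:
    # An undeclared purpose is a deny, not a default: the point of PBAC is
    # that the reason for access is part of the decision and of the audit trail.
    if not req.purpose:
        return False
    return abac_allow(req) and req.purpose in req.resource.allowed_purposes


# Constructed sample: three domains, one restricted data product.
DOMAINS = ("sales", "shipping", "billing")
SALES_ORDERS = Resource("sales.orders", "sales", "restricted",
                        frozenset({"fraud-review", "revenue-reporting"}))

ALICE = Subject("alice", frozenset({"sales:engineer"}), "sales", "internal")          # embedded in sales
BOB = Subject("bob", frozenset({"shipping:engineer"}), "shipping", "internal")        # another domain
CAROL = Subject("carol", frozenset({"platform:engineer"}), "platform", "restricted")  # central team


def decisions(subject: Subject, purpose: str = "") -> dict:
    """Evaluate one subject against SALES_ORDERS under all three models."""
    req = Request(subject, SALES_ORDERS, purpose=purpose)
    return {"rbac": rbac_allow(req), "abac": abac_allow(req), "pbac": pbac_allow(req)}


if __name__ == "__main__":
    print("RBAC roles needed for 3 domains x 2 base roles:",
          len(rbac_roster(DOMAINS, ("engineer", "analyst"))))
    for who in (ALICE, BOB, CAROL):
        print(who.user, decisions(who, purpose="fraud-review"))
    print("alice with no purpose declared:", decisions(ALICE))
```

The interesting row is carol: a central-platform engineer with restricted clearance is denied under RBAC unless someone hands her a `sales:engineer` role (and then a `shipping:engineer` role, and so on for every domain), while the ABAC rule admits her from her attributes alone. PBAC then narrows that further to the purposes the sales domain has approved, and refuses anything with no purpose declared, which is what makes the access reviewable afterwards.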
No answers here, only questions 🤣 So what is the best approach for data mesh? We haven’t really seen anyone touting one model over the others yet, but we hope this post helps set up the discussion. Feel free to let us know your thoughts in the Slack thread here.
If you feel especially strongly, we are also doing office hours and meetups around specific concepts. Feel free to get in touch via email or set up a chat here.