Feature: Relationship-based Access Control (ReBAC)

The Scaled Access Relationship-based Access Control (ReBAC) feature allows the customer to set up a system of delegated administration with which users can self-manage their relationships to digital assets.

About ReBAC

Relationships are the basic unit that links users and assets into a network. This network can be represented as a graph, a collection of “nodes” and “edges”. Each node is a digital representation of one user or asset, and each edge represents a relationship between the two adjacent nodes. These relationships can by nature be bi-directional (e.g. John and Jane are siblings) or uni-directional (e.g. John is the owner of Buddy, a dog). Therefore, a direction is defined for each of the relationships in the system.

Examples

When users share an asset in real life (i.e. they “have a relationship” with the asset), they can also share its corresponding digital resource. The resulting digital network can then be used to:

  • determine which access rights a user has for the digital resources related to these real-life assets, and 
  • connect people (e.g. a smart lock owner can be connected with professionals such as the vendor, technicians, and the alarm center).

ReBAC with Scaled Access 

Creating and maintaining this type of network can be done centrally by the customer’s back office or can be self-managed by the users in the network. The latter allows for a fast and scalable system to manage relationships (and thus the access to protected resources). Scaled Access supports this approach, known as ReBAC, by providing an API-based system to:

  1. Config API: Define and customize types of resources and relationships.
  2. ReBAC API: Create and manage users, resources, and relationships. 
  3. Authorization API: Take relationships into account to make access decisions. 
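
The relationship graph and the three roles listed above (defining relationship types, creating relationships, making access decisions), as an added example that is not Scaled Access code and does not use its APIs. The class, the relationship type names, the node names and the policy paths are all assumptions constructed for illustration.

```python
# Relationship types (constructed): name -> True if bi-directional.
RELATIONSHIP_TYPES = {"sibling_of": True, "owner_of": False, "technician_for": False}

class RelationshipGraph:
    """Hypothetical in-memory graph: nodes are users/assets, edges are typed and directed."""

    def __init__(self, types):
        self.types = types
        self.edges = {}  # source node -> {(relationship type, target node)}

    def relate(self, source, rel_type, target):
        if rel_type not in self.types:
            raise ValueError(f"undefined relationship type: {rel_type}")
        self.edges.setdefault(source, set()).add((rel_type, target))
        if self.types[rel_type]:  # bi-directional: store the reverse edge as well
            self.edges.setdefault(target, set()).add((rel_type, source))

    def unrelate(self, source, rel_type, target):
        self.edges.get(source, set()).discard((rel_type, target))
        if self.types.get(rel_type):
            self.edges.get(target, set()).discard((rel_type, source))

    def reachable(self, start, path):
        """Nodes reached from start by following the relationship types in path, in order."""
        frontier = {start}
        for rel_type in path:
            frontier = {t for n in frontier
                        for (r, t) in self.edges.get(n, ()) if r == rel_type}
        return frontier

# Policy (constructed): action -> relationship paths from user to resource that grant it.
POLICY = {
    "unlock": [("owner_of",), ("sibling_of", "owner_of")],
    "read_diagnostics": [("owner_of",), ("technician_for",)],
}

def is_allowed(graph, user, action, resource):
    """Deny by default; allow only if a granting path links the user to the resource."""
    return any(resource in graph.reachable(user, path) for path in POLICY.get(action, []))

def build_example():
    # Constructed sample data based on the smart lock scenario in the text.
    g = RelationshipGraph(RELATIONSHIP_TYPES)
    g.relate("john", "sibling_of", "jane")
    g.relate("john", "owner_of", "smart_lock_1")
    g.relate("tech_42", "technician_for", "smart_lock_1")
    return g
```

Removing John's owner_of edge with unrelate also removes Jane's derived access, because her only granting path to the lock runs through that edge.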

PII protection
All personally identifiable information (PII) is persistently stored in the Identity Management user repository only. The ReBAC API does not persistently store any PII. Even though PII can temporarily occur in volatile memory, it is not kept in any database or log of the ReBAC API.
