Build a Maturity Path:
Ensure Successful Migration from RBAC to ABAC
Leverage ABAC as your foundation so you can scale with a Zero Trust approach. Rely on RBAC for identity management and enablement instead of systems and implementation.
Okera is designed to support ABAC with very expressive policies.
Ranger was designed primarily for RBAC, with ABAC as an afterthought. Broad adoption of ABAC is essential to control policy growth at scale.
Okera is storage and compute tool agnostic, which is essential in heterogeneous environments. This guarantees policies are consistently enforced.
Ranger is designed to define policies per tool (for example, once for Databricks and once again for Amazon EMR), which leads to policy drift, excessive management costs, and complexity in moving queries across systems.
Okera provides enforcement patterns with a Zero Trust approach.
Okera handles temporary S3 credentials management, which eliminates the need for service IAM roles. With Ranger, some enforcement patterns (for example on Amazon EMR) require service IAM roles, resulting in over-privileged access to data.
Why Companies Have to Evolve from RBAC to ABAC as a Core Pattern
Whitepaper by Nik Acheson on the evolution from RBAC to ABAC.