Coarse-Grained vs Fine-Grained Access Control in IAM



Access Control in IAM

Access control is about determining who can access what. In IAM, we classify access control into two main categories:

  • Coarse-Grained Access Control
  • Fine-Grained Access Control


Coarse-Grained vs Fine-Grained Access Control

These are two fundamental access control strategies used in Identity and Access Management (IAM) to protect enterprise resources and data.

Aspect            | Coarse-Grained Access Control                     | Fine-Grained Access Control
------------------|---------------------------------------------------|--------------------------------------------------------------
Definition        | Controls access at a higher level (module/system) | Controls access at a detailed level (fields/actions/records)
Scope             | Broad, fewer rules                                | Granular, complex rules
Decision Criteria | Role, department, job function                    | User attributes + resource attributes + context
Policy Examples   | “Finance users can access the Finance App”        | “Finance users can view payroll data, but only update budgets”
Control Level     | System/Application level                          | Data/Action level

What is Coarse-Grained Access Control?

Definition:

Coarse-Grained Access Control is broad-level access control. It determines whether a user can or cannot access a specific application, system, or module as a whole.

It does not consider detailed actions or data-level permissions within the application. It’s more of a “Yes/No” type of access at a high level.

In Saviynt EIC:

In EIC, Entitlements, Application Roles, and Access Requests often represent Coarse-Grained controls when they are configured to manage access at the application or role level.


Real-Time Example (Coarse-Grained):

Let’s say your organization uses SAP.

  • A user requests access to SAP.
  • Through Saviynt EIC, an access request is raised for the “SAP Finance Module”.
  • The entitlement grants access to the entire finance module.
  • The user can now access all transactions in that module, regardless of what kind of financial data it is.

This is coarse because everyone with the same role gets the same level of access, no matter what specific data or transaction they need.


What is Fine-Grained Access Control?

Definition:

Fine-Grained Access Control is detailed-level access control. It allows for contextual and attribute-based access, often based on:

  • Data values (like region, department, transaction type)
  • User attributes (like role, location, seniority)
  • Specific actions (read, write, delete)

This control adds another layer of precision, restricting what exactly a user can do within the resource they already have access to.


Real-Time Example (Fine-Grained):

The same SAP system example:

  • The user has access to the SAP Finance Module (coarse access).
  • But you want to allow the user to only approve invoices below $5,000, and only for the APAC region.
  • Saviynt implements this by enforcing fine-grained entitlements like:
    • INV_APPROVE_APAC
    • INVOICE_LIMIT_LE_5000
  • Policies in Saviynt evaluate:
    • User.region == 'APAC'
    • User.role == 'AP Specialist'
    • Invoice.amount <= 5000

If all of these conditions are true, access is granted at the transaction level; otherwise it is denied.

This is fine-grained access, because access is conditional, contextual, and precise.
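The two-stage decision described in the SAP example above, as an added illustration (not Saviynt's own code): the coarse gate asks whether the user holds the module entitlement at all, and only then are the fine-grained role, region and amount rules evaluated. The entitlement names come from the example; the users, invoices and reason strings are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str
    region: str
    entitlements: set = field(default_factory=set)

@dataclass
class Invoice:
    invoice_id: str
    region: str
    amount: float

# Coarse-grained: one entitlement that opens the whole module (a Yes/No gate).
COARSE_ENTITLEMENT = "SAP_FINANCE_MODULE"
# Fine-grained: the entitlements named in the example above, plus rule conditions.
FINE_ENTITLEMENTS = {"INV_APPROVE_APAC", "INVOICE_LIMIT_LE_5000"}

def coarse_check(user):
    """Stage 1: can the user enter the SAP Finance Module at all?"""
    return COARSE_ENTITLEMENT in user.entitlements

def fine_check(user, invoice):
    """Stage 2: may this user approve this particular invoice? Returns (allowed, reason)."""
    if not FINE_ENTITLEMENTS <= user.entitlements:
        return False, "missing fine-grained entitlement"
    if user.role != "AP Specialist":          # User.role == 'AP Specialist'
        return False, "role is not AP Specialist"
    if user.region != "APAC":                 # User.region == 'APAC'
        return False, "user is outside APAC"
    if invoice.region != "APAC":              # resource attribute: the invoice's region
        return False, "invoice is outside APAC"
    if invoice.amount > 5000:                 # Invoice.amount <= 5000
        return False, "amount exceeds 5000"
    return True, "approved at transaction level"

def can_approve(user, invoice):
    """Deny by default: the fine-grained rules run only after the coarse gate passes."""
    if not coarse_check(user):
        return False, "no access to SAP Finance Module"
    return fine_check(user, invoice)

# Constructed sample data: priya holds all three entitlements, tom only the module.
priya = User("priya", "AP Specialist", "APAC",
             {COARSE_ENTITLEMENT, "INV_APPROVE_APAC", "INVOICE_LIMIT_LE_5000"})
tom = User("tom", "AP Specialist", "EMEA", {COARSE_ENTITLEMENT})
```

Returning the failing condition alongside the decision gives the audit trail that fine-grained controls are usually introduced for.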


How They Work Together in Saviynt

  • Use Coarse-Grained Access to manage broad access based on roles or entitlements.
  • Use Fine-Grained Access for compliance, audit, and risk control, especially when dealing with:
    • Financial systems (SAP, Oracle)
    • Healthcare data (HIPAA)
    • Sensitive data (PII, customer info)



Key Differences

Feature        | Coarse-Grained Access                 | Fine-Grained Access
---------------|---------------------------------------|---------------------------------------------------
Level          | High-level (application/module)       | Detailed (transaction/data/attribute)
Control        | Simple role or entitlement assignment | Contextual rules, attributes, data conditions
Granularity    | Low (broad access)                    | High (precise access)
Risk           | Higher risk of overprovisioning       | Reduced risk with tighter control
Example in EIC | Assigning “SAP Finance Role”          | Restricting invoice approval to region and amount
Use Case       | Access to full application            | Access to specific data/actions within app

Salesforce CRM – Similar Concepts

Salesforce has built-in mechanisms that reflect coarse-grained and fine-grained access control:

Coarse-Grained in Salesforce

  • Profiles and Permission Sets
    • Define which Objects and Apps a user can access
    • Example: “Sales User” profile gives access to Leads, Accounts, Contacts

Fine-Grained in Salesforce

  • Field-Level Security – Restricts access to specific fields in an object
  • Record-Level Access using:
    • Role Hierarchy
    • Sharing Rules
    • Manual Sharing
  • Permission Set Groups – Combines different permissions
  • Object Permissions + Record Type Restrictions

Example:

  • A Sales user can access Opportunities (Object-level – Coarse)
  • But can only see opportunities from their region and cannot view the Discount field (Fine)
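A simplified model of the Salesforce layers just listed, added here as an example and not Salesforce's own implementation: profile object permissions act as the coarse gate, while field-level security and a region-based sharing rule narrow what comes back. Profiles, field names and records are constructed, and the sharing rule is reduced to a single region match.

```python
# Constructed profiles: which objects each grants (coarse) and which fields it hides (FLS).
PROFILES = {
    "Sales User": {"objects": {"Lead", "Account", "Contact", "Opportunity"},
                   "hidden_fields": {"Opportunity": {"Discount"}}},
    "Support User": {"objects": {"Account", "Contact"}, "hidden_fields": {}},
}

# Constructed Opportunity records.
OPPORTUNITIES = [
    {"Id": "006A", "Name": "Acme renewal", "Region": "APAC", "Amount": 12000, "Discount": 0.10},
    {"Id": "006B", "Name": "Globex upsell", "Region": "EMEA", "Amount": 8000, "Discount": 0.05},
    {"Id": "006C", "Name": "Initech pilot", "Region": "APAC", "Amount": 3000, "Discount": 0.00},
]

def can_access_object(profile, obj):
    """Coarse-grained: does the profile grant the object at all?"""
    return obj in PROFILES[profile]["objects"]

def visible_records(user, records):
    """Record-level access (simplified sharing rule): keep only the user's region."""
    return [r for r in records if r["Region"] == user["region"]]

def apply_fls(profile, obj, record):
    """Field-level security: strip fields the profile may not read."""
    hidden = PROFILES[profile]["hidden_fields"].get(obj, set())
    return {k: v for k, v in record.items() if k not in hidden}

def query(user, obj, records):
    """Coarse denial returns None (no rows, no field names); otherwise filtered, masked rows."""
    if not can_access_object(user["profile"], obj):
        return None
    return [apply_fls(user["profile"], obj, r) for r in visible_records(user, records)]
```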

Saviynt vs Salesforce – Access Control Model Comparison

Feature                  | Saviynt EIC                             | Salesforce CRM
-------------------------|-----------------------------------------|-------------------------------------
Primary Purpose          | Identity Governance & Administration    | CRM & Business Process Automation
Coarse-Grained Mechanism | Roles, Entitlements, App Access         | Profiles, Permission Sets
Fine-Grained Mechanism   | ABAC, SOD policies, Custom Entitlements | Field-Level Security, Record Sharing
SOD Management           | Built-in and enforced via rules         | Manual

Summary

Concept            | Description
-------------------|------------------------------------------------------------------------
Coarse-Grained     | High-level access to systems or modules
Fine-Grained       | Detailed, conditional access at data or transaction level
Saviynt EIC Use    | Supports both via entitlements, policies, SoD, ABAC
Best Practice      | Use Coarse for general access, Fine for sensitive data/actions
Real-World Pairing | SAP role for Finance (coarse) + Rule limiting invoice approvals (fine)
