Fine-Grained Authorization versus Coarse-Grained Authorization

I was recently involved in a conversation in which someone asked: what is Fine-Grained Authorization (FGA) versus Coarse-Grained Authorization (CGA)? From their perspective, there was just authorization; further distinction was not needed.

In my experience, it is important not only to define the two but also to distinguish between them. Very often, 80% or more of the time, CGA is sufficient for what most organizations need from their security model.

I consider CGA to be what you get when using RBAC (Role-Based Access Control): an authorization decision based on group membership in a user repository such as LDAP. Anything more granular, or involving more information such as an LDAP attribute, I would consider FGA.

I like this distinction because, in general, most products support CGA in a configuration-driven or declarative manner, whereas FGA is very often a custom or programmatic solution, or at least a much more complex one.
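As an added illustration (not from the original post), here is the same authorization decision expressed both ways in Python: the CGA rule is a declarative map from an action to an LDAP group, while the FGA rule needs code that reads further attributes (department, approval limit) and the relationship between the user and the resource. The user entries, group DN and invoice fields are constructed for this example.

```python
"""Coarse- vs fine-grained authorization on LDAP-style user entries (constructed data)."""

# Constructed LDAP-like entries: memberOf holds group DNs, other attributes are plain values.
USERS = {
    "alice": {"memberOf": ["cn=invoice-approvers,ou=groups,dc=example,dc=com"],
              "department": "finance", "approvalLimit": 5000},
    "bob":   {"memberOf": ["cn=invoice-approvers,ou=groups,dc=example,dc=com"],
              "department": "engineering", "approvalLimit": 1000},
    "carol": {"memberOf": [], "department": "finance", "approvalLimit": 20000},
}

# Declarative CGA policy: action -> the group DN whose members may perform it.
# This is the kind of table a product can load from configuration.
ROLE_POLICY = {
    "approve_invoice": "cn=invoice-approvers,ou=groups,dc=example,dc=com",
}


def cga_allows(user: str, action: str) -> bool:
    """Coarse-grained: permitted if and only if the user is in the action's group.
    Unknown actions and unknown users are denied by default."""
    required_group = ROLE_POLICY.get(action)
    entry = USERS.get(user)
    if required_group is None or entry is None:
        return False
    return required_group in entry["memberOf"]


def fga_allows(user: str, action: str, invoice: dict) -> bool:
    """Fine-grained: starts from the CGA decision, then adds checks that
    group membership alone cannot express (attributes and relationships)."""
    if not cga_allows(user, action):
        return False
    entry = USERS[user]
    # Attribute-based constraint: approver must belong to the invoice's department.
    if entry["department"] != invoice["department"]:
        return False
    # Attribute-based constraint: amount must not exceed the user's approval limit.
    if invoice["amount"] > entry["approvalLimit"]:
        return False
    # Relationship constraint: nobody may approve an invoice they submitted.
    if invoice["submitted_by"] == user:
        return False
    return True
```

Note that every FGA check is code, not configuration: adding a new constraint means changing the program, which is exactly why FGA tends to be the custom, more complex path.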