top of page
  • Shawn McKinney

ABAC – Where are the Functional Specs?


As a security architect I have long-awaited the means to express authorization policies using dynamic constraints – in a standard way. Over the years there have not been many models to choose from.

First came A Resource Access Decision Service, which had promise, but departed with CORBA.

What do you think about XACML?

Blurring the lines, supposedly XACML implements ABAC, because attributes combine with decisions.

There are commonalities across the three models:

  1. Grammar to express very fine-grained access control policies.

  2. Rules containing variables captured from subjects and resources. Facts such as location, time and date included.

  3. Adjudication when rules combine or clash.

  4. Separation into multiple components, e.g. Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP).

The promise is reuse.

So where are the functional specs? I must understand and share.

“Despite the clear guidance to implement contextual (risk adaptive) role or attribute based access control ABAC, to date there has not been a comprehensive effort to formally define or guide the implementation of ABAC” NIST – ATTRIBUTE BASED ACCESS CONTROL (ABAC)

Ruh roh.

Until formal specifications are drafted, ABAC is useless because it’s non-standard and/or proprietary.

Back to square one – awaiting an industry standard dynamic authorization model.

118 views0 comments

Recent Posts

See All

Additions and Subtractions

Symas is pleased to announce that its OpenLDAP builds, which have long been available for the x86_64 architecture, are now joined by a...

OpenSSL 3

Symas is pleased to announce that all of its OpenLDAP 2.5, starting with 2.5.17-2, and its 2.6 builds, starting with 2.6.7-2, feature...

Comments


bottom of page