top of page

ABAC – Where are the Functional Specs?

Shawn McKinney

As a security architect I have long-awaited the means to express authorization policies using dynamic constraints – in a standard way. Over the years there have not been many models to choose from.

First came A Resource Access Decision Service, which had promise, but departed with CORBA.

What do you think about XACML?

Blurring the lines, supposedly XACML implements ABAC, because attributes combine with decisions.

There are commonalities across the three models:

  1. Grammar to express very fine-grained access control policies.

  2. Rules containing variables captured from subjects and resources. Facts such as location, time and date included.

  3. Adjudication when rules combine or clash.

  4. Separation into multiple components, e.g. Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP).

The promise is reuse.

So where are the functional specs? I must understand and share.

“Despite the clear guidance to implement contextual (risk adaptive) role or attribute based access control ABAC, to date there has not been a comprehensive effort to formally define or guide the implementation of ABAC” NIST – ATTRIBUTE BASED ACCESS CONTROL (ABAC)

Ruh roh.

Until formal specifications are drafted, ABAC is useless because it’s non-standard and/or proprietary.

Back to square one – awaiting an industry standard dynamic authorization model.

118 views0 comments

Recent Posts

See All

The Achilles Heel of LRU Caches

Ever since we released LMDB, our advice to software designers has been "don't do application level caching. Let the kernel handle it for...

Additions and Subtractions

Symas is pleased to announce that its OpenLDAP builds, which have long been available for the x86_64 architecture, are now joined by a...

Comments


bottom of page