
Don’t get me wrong, everyone needs at least RBAC, but it has limitations and doesn’t work well with instance data in the authorization expression. This perceived need leads me to look for case studies describing large-scale deployments of ABAC.
For example I’d like to read about:
A global phone company that controls access to their cellular accounts using ABAC.
National retail chain that uses it at the point-of-sale.
Multi-national financial institution controlling payments over the Internet.
Large medical facility controlling patient data in real-time.
Something with millions of users and thousands of requests a second. I was unsuccessful finding one like that. I did find a few published by vendors, single app usage, low volumes.
Why no case studies? I can speculate it’s because adoption has been disappointing slow.1
FOOTNOTES
1. NCCOE discussion and impediments (to XACML/ABAC adoption). Martin Smith. April 4, 2016.
Comments