RBAC and ABAC
Symas Corporation recently merged with Joshua Tree Software, developers of the Fortress Role-Based Access Control (RBAC) Open Source Software suite. Fortress is based on OpenLDAP and has been shown to work well with Apache Directory Server (ApacheDS) as well. Fortress is the only production-ready implementation of the ANSI INCITS 359-2004 RBAC Standard available today.
There has recently been a renewal of interest in Attribute-Based Access Control (ABAC), with some writers implying that ABAC obsoletes or supersedes RBAC. When we read the various articles and postings, we find much to think about, but we come away convinced that RBAC continues to address a style of security policy definition and administration that is common in many enterprises. The capabilities standardized by ANSI represent a powerful and relatively comprehensive base of capability in support of that style of access control. We think that claiming that ABAC replaces RBAC is going too far.
ABAC appears to bring a more complex, computationally intensive style of policy expression and evaluation into play, and it seems to point to more complex administrative and auditing challenges as well. In some ways, ABAC appears to address a need for “dynamic permissioning” that is more deductive than declarative: a decision is a matter of logic over attribute values and, possibly, historical data, rather than a lookup of assigned rights. This is a form of rule engine that is likely very valuable for application developers implementing business rules more complex than those typical of resource access policies.
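To make the contrast concrete, here is an added Python sketch that is not code from this post, from Symas, or from the Fortress project. It puts the two styles side by side: a minimal RBAC engine in the ANSI INCITS 359 core-plus-hierarchical style (user-role assignment, permission-role assignment, role inheritance, and session role activation) and a small ABAC evaluator whose rules are predicates over subject, resource and request attributes, combined deny-overrides. All users, roles, departments, clearance levels and request contexts are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rbac:
    """Core + hierarchical RBAC in the style of ANSI INCITS 359 (constructed example)."""
    user_roles: dict[str, set[str]] = field(default_factory=dict)              # user-role assignment (UA)
    role_perms: dict[str, set[tuple[str, str]]] = field(default_factory=dict)  # permission-role assignment (PA)
    inherits: dict[str, set[str]] = field(default_factory=dict)                # senior role -> junior roles

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant(self, role: str, operation: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def add_inheritance(self, senior: str, junior: str) -> None:
        self.inherits.setdefault(senior, set()).add(junior)

    def effective_roles(self, role: str) -> set[str]:
        # Transitive closure over the role hierarchy; a role always includes itself.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits.get(r, ()))
        return seen

    def check_access(self, user: str, operation: str, obj: str,
                     active_roles: set[str] | None = None) -> bool:
        # A session activates a subset of the user's assigned roles; None means all of them.
        roles = self.user_roles.get(user, set())
        if active_roles is not None:
            roles = roles & set(active_roles)
        return any((operation, obj) in self.role_perms.get(e, set())
                   for r in roles for e in self.effective_roles(r))


@dataclass
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[dict, dict, dict], bool]  # (subject, resource, context) -> bool


class Abac:
    """ABAC policy: rules are predicates over attributes, combined deny-overrides."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def check_access(self, subject: dict, resource: dict, context: dict) -> bool:
        matched = [r for r in self.rules if r.condition(subject, resource, context)]
        if any(r.effect == "deny" for r in matched):
            return False
        return any(r.effect == "permit" for r in matched)


def demo_rbac() -> dict[str, bool]:
    rbac = Rbac()
    rbac.grant("staff", "read", "schedule")
    rbac.grant("clinician", "read", "patient_record")
    rbac.add_inheritance("clinician", "staff")  # clinicians inherit everything staff may do
    rbac.assign_user("alice", "clinician")
    rbac.assign_user("bob", "staff")
    return {
        "alice_reads_record": rbac.check_access("alice", "read", "patient_record"),
        "alice_reads_schedule": rbac.check_access("alice", "read", "schedule"),  # via inheritance
        "bob_reads_record": rbac.check_access("bob", "read", "patient_record"),
        # alice is not assigned "staff" directly, so a session activating only "staff" grants nothing
        "alice_staff_only_session": rbac.check_access("alice", "read", "patient_record",
                                                      active_roles={"staff"}),
    }


def demo_abac() -> dict[str, bool]:
    policy = Abac([
        Rule("same-department-read-in-hours", "permit",
             lambda s, r, c: c["action"] == "read" and s["department"] == r["department"]
             and 8 <= c["hour"] < 18),
        Rule("restricted-needs-clearance", "deny",
             lambda s, r, c: r["classification"] == "restricted" and s["clearance"] < 3),
    ])
    alice = {"department": "cardiology", "clearance": 2}                      # constructed subject
    record = {"department": "cardiology", "classification": "normal"}         # constructed resource
    restricted = {"department": "cardiology", "classification": "restricted"}
    return {
        "in_hours": policy.check_access(alice, record, {"action": "read", "hour": 10}),
        "after_hours": policy.check_access(alice, record, {"action": "read", "hour": 22}),
        "restricted": policy.check_access(alice, restricted, {"action": "read", "hour": 10}),
    }


if __name__ == "__main__":
    print(demo_rbac())
    print(demo_abac())
```

The point the sketch makes is the auditing difference the paragraph above alludes to: under RBAC the question "who can read patient records?" is answered by enumerating the UA and PA relations and the role hierarchy, with no request in hand, whereas under ABAC the same question cannot be answered without evaluating every rule against the attributes of each candidate subject, resource and context (here, even the time of day changes the answer).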
We find both of these approaches to be interesting and potentially valuable in their respective use-cases and look forward to participating in the evolution of them both.