As a security architect I have long awaited a standard way to express authorization policies with dynamic constraints. Over the years there have not been many models to choose from.
What do you think about XACML?
Now the buzz is Attribute-Based Access Control (ABAC).
Blurring the lines, XACML supposedly implements ABAC, because its decisions are computed from attributes.
There are commonalities across the three models:
- Grammar to express very fine-grained access control policies.
- Rules containing variables captured from subjects and resources, including environmental facts such as location, time and date.
- Adjudication when rules combine or clash.
- Separation into multiple components, e.g. Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP).
The promise is reuse.
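To make the four commonalities concrete, here is an added illustration that is not from this post or from any XACML product: a constructed minimal engine in Python with a PIP that supplies subject and environment attributes, a PDP that applies a deny-overrides combining algorithm over attribute rules, and a PEP that only grants access on an explicit Permit. The rules, the subject directory, the department names and the office-hours window are invented sample data.

```python
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]  # attribute bag for a subject, resource or environment

@dataclass
class Rule:
    effect: str                                        # "Permit" or "Deny"
    condition: Callable[[Attrs, Attrs, Attrs], bool]   # (subject, resource, environment)

def deny_overrides(decisions: List[str]) -> str:
    """Adjudication when rules clash: any Deny wins, else Permit, else NotApplicable."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

class PIP:
    """Policy Information Point: resolves attributes the request itself did not carry."""
    def __init__(self, clock: Callable[[], time], subject_dir: Dict[str, Attrs]):
        self.clock, self.subject_dir = clock, subject_dir   # assumed lookups, constructed here
    def subject(self, subject_id: str) -> Attrs:
        return self.subject_dir.get(subject_id, {})
    def environment(self) -> Attrs:
        return {"time": self.clock()}

class PDP:
    """Policy Decision Point: evaluates every rule and combines the matching effects."""
    def __init__(self, rules: List[Rule], pip: PIP, combine=deny_overrides):
        self.rules, self.pip, self.combine = rules, pip, combine
    def decide(self, subject_id: str, resource: Attrs) -> str:
        subj, env = self.pip.subject(subject_id), self.pip.environment()
        return self.combine([r.effect for r in self.rules if r.condition(subj, resource, env)])

class PEP:
    """Policy Enforcement Point: fails closed, so NotApplicable is treated like Deny."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp
    def enforce(self, subject_id: str, resource: Attrs) -> bool:
        return self.pdp.decide(subject_id, resource) == "Permit"

RULES = [  # constructed sample policy: same-department clinicians may read records, but only in office hours
    Rule("Permit", lambda s, r, e: s.get("role") == "clinician" and r.get("type") == "record"
                                   and s.get("department") == r.get("department")),
    Rule("Deny", lambda s, r, e: r.get("type") == "record" and not time(8) <= e["time"] <= time(18)),
]
SUBJECTS = {"alice": {"role": "clinician", "department": "cardiology"},
            "bob": {"role": "clinician", "department": "oncology"}}

def build_pep(now: time) -> PEP:
    """Wire PEP -> PDP -> PIP with a fixed clock so a decision can be reproduced."""
    return PEP(PDP(RULES, PIP(lambda: now, SUBJECTS)))
```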
So where are the functional specs? I must understand and share.
“Despite the clear guidance to implement contextual (risk adaptive) role or attribute based access control ABAC, to date there has not been a comprehensive effort to formally define or guide the implementation of ABAC”
NIST – ATTRIBUTE BASED ACCESS CONTROL (ABAC)
Until formal specifications are drafted, ABAC is useless because it’s non-standard and/or proprietary.
Back to square one – awaiting an industry standard dynamic authorization model.