Comments on: ABAC + RBAC = ARRRRR-BAC http://smokingmonkey.org/?p=13 Ponderings on Identity Management Mon, 30 Aug 2010 12:25:44 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Mat Hamlin http://smokingmonkey.org/?p=13&cpage=1#comment-10 Mat Hamlin Fri, 30 Oct 2009 14:09:49 +0000 http://smokingmonkey.org/?p=13#comment-10 <p>"From the perspective of entitlement enforcement, the basic jist is that any system that is going to work for a customer needs to support both ABAC and RBAC. Policy enforcement decisions need to take in to consideration role definitions and sometimes they also need to incorporate dynamic attributes from applications."</p> <p>Amen.</p> <p>We cannot assume that all entitlement enforcement decisions can be made based on Roles only.. It's just not reality. There will always be policies that define access based on a particular entitlement and/or context. </p> "From the perspective of entitlement enforcement, the basic jist is that any system that is going to work for a customer needs to support both ABAC and RBAC. Policy enforcement decisions need to take in to consideration role definitions and sometimes they also need to incorporate dynamic attributes from applications."

Amen.

We cannot assume that all entitlement enforcement decisions can be made based on Roles only.. It’s just not reality. There will always be policies that define access based on a particular entitlement and/or context.

]]> By: Daniel Raskin http://smokingmonkey.org/?p=13&cpage=1#comment-9 Daniel Raskin Fri, 30 Oct 2009 03:18:20 +0000 http://smokingmonkey.org/?p=13#comment-9 <p>Hi Babak. In the 3rd paragraph I'm simply stating what many critics of RBAC say (i.e.--ABAC proponents). In the following paragraph I'm saying that debating "pure" RBAC is silly as you only see it in textbooks. My take is that it's an academic argument because you will rarely, if ever, come across an environment that is purely RBAC. In fact, it's usually the exact opposite problem. An org is trying to get some semblance of roles in place just to get a basic foundation for compliance. If that makes me a proponent of ABAC then so be it, but I don't really think those that are proponents of RBAC really believe that all attributes will be part of a role. Anyway, thanks for the comment. </p> Hi Babak. In the 3rd paragraph I’m simply stating what many critics of RBAC say (i.e.–ABAC proponents). In the following paragraph I’m saying that debating "pure" RBAC is silly as you only see it in textbooks. My take is that it’s an academic argument because you will rarely, if ever, come across an environment that is purely RBAC. In fact, it’s usually the exact opposite problem. An org is trying to get some semblance of roles in place just to get a basic foundation for compliance. If that makes me a proponent of ABAC then so be it, but I don’t really think those that are proponents of RBAC really believe that all attributes will be part of a role. Anyway, thanks for the comment.

]]> By: Babak Sadighi http://smokingmonkey.org/?p=13&cpage=1#comment-8 Babak Sadighi Thu, 29 Oct 2009 08:01:03 +0000 http://smokingmonkey.org/?p=13#comment-8 <p>Hi Daniel,</p> <p>I am not sure if I understand this correctly. In paragraph 3 you say that the critics saying that we need roles plus other attributes, and then in the next paragraph you say that the debate is self-created and that we simply need roles plus attributes! Isn't that a repetition of the critic that you somehow object?</p> <p>There is actually no RBAC vs. ABAC as such, but the debate is if we solve some of the issues that a pure-RBAC model can be avoided by extending the model to talk about other attributes than only the roles of users. </p> <p>It is good that OpenSSO has now entitlement management capabilities.</p> <p>Regards,</p> <p>Babak </p> Hi Daniel,

I am not sure if I understand this correctly. In paragraph 3 you say that the critics saying that we need roles plus other attributes, and then in the next paragraph you say that the debate is self-created and that we simply need roles plus attributes! Isn’t that a repetition of the critic that you somehow object?

There is actually no RBAC vs. ABAC as such, but the debate is if we solve some of the issues that a pure-RBAC model can be avoided by extending the model to talk about other attributes than only the roles of users.

It is good that OpenSSO has now entitlement management capabilities.

Regards,

Babak

]]>