For a proof of concept I want to store rights. I know there are different ways of access control (DAC, MAC, RBAC, ...). My first idea was using a database, but I'm looking for some more established standards like XACML; unfortunately I have not been able to find any real alternatives. Thanks for any tips!
1 Answer
First, take a step back and look at comparable items.
In access control you have different models that have come up over time. Historically you first had DAC and MAC. You had the notion of access control lists (also known as identity-based access control or IBAC).
Then suddenly, the sole identity of a user was no longer enough. We started to organize users into roles and groups. That led to the creation of RBAC or role-based access control which NIST formalized into a standard.
Fast forward 10+ years and roles are not enough anymore. ACLs and RBAC are too user-centric. They do not cater for context or relationships. They are not fine-grained enough. A new model called ABAC or attribute-based access control emerges. NIST is also in the process of standardizing ABAC. ABAC is capable of implementing any type of access control requirement and can cater for user, resource, action, and context attributes.
You can read more on ABAC here.
So, what about XACML? XACML - the eXtensible Access Control Markup Language - is an implementation of the ABAC model. It is the most widely spread implementation of ABAC. You ask whether there are alternatives. Some that come to mind include:
- SecPal: this is (was?) a Microsoft research initiative. To the best of my knowledge, it is not used outside research.
- Permis is a policy-based access control model. It is not widely spread either.
- Microsoft has its own language for Windows Server called SDDL. You can read more on that from Microsoft.
In practice though, most ABAC implementations I have seen use XACML or a mix of home-grown code and RBAC. Needless to say, the latter doesn't really scale well and is hard to maintain.
If you want to learn more, check out the following resources:
- my own personal blog
- my personal SlideShare
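To make the ABAC model the answer describes concrete, here is a small policy decision point that mirrors the core XACML concepts (a request with subject, resource, action and environment attributes; rules with a target, a condition and an effect; a policy that combines rule results with deny-overrides; a separate enforcement point that fails closed). This is an added example, not code from the original answer, from the XACML specification or from any product. The attribute names, rule ids, the working-hours check and the medical-record scenario are all constructed for illustration; XACML's Indeterminate result, obligations and policy sets are deliberately left out.

```python
"""Attribute-based access control (ABAC) evaluated the XACML way.

Added example, not code from the original answer or any XACML product.
A Request carries subject, resource, action and environment attributes;
each Rule has a target (cheap applicability test), a condition (richer
check, which is where relationships and context live) and an effect;
a Policy combines rule results with XACML's deny-overrides algorithm.
All attribute names, rule ids and sample data below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, object]


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"


@dataclass
class Request:
    subject: Attrs
    resource: Attrs
    action: Attrs
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    effect: Decision                       # PERMIT or DENY
    target: Callable[[Request], bool]      # does this rule apply at all?
    condition: Callable[[Request], bool] = lambda r: True

    def evaluate(self, req: Request) -> Decision:
        # A rule whose target or condition does not hold says nothing
        # about the request; it does NOT turn into a Deny.
        if self.target(req) and self.condition(req):
            return self.effect
        return Decision.NOT_APPLICABLE


def deny_overrides(results: List[Decision]) -> Decision:
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if Decision.DENY in results:
        return Decision.DENY
    if Decision.PERMIT in results:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combiner: Callable[[List[Decision]], Decision] = deny_overrides

    def evaluate(self, req: Request) -> Decision:
        return self.combiner([rule.evaluate(req) for rule in self.rules])


def enforce(decision: Decision) -> bool:
    """Policy enforcement point: only an explicit Permit grants access.
    NotApplicable must fail closed, otherwise a missing rule is a bypass."""
    return decision is Decision.PERMIT


def working_hours(req: Request) -> bool:
    hour = req.environment.get("hour")          # constructed context attribute
    return isinstance(hour, int) and 8 <= hour < 18


def is_record_view(req: Request) -> bool:
    return (req.resource.get("type") == "medical-record"
            and req.action.get("id") == "view")


def example_policy() -> Policy:
    """Constructed policy expressing what roles alone cannot: a doctor/patient
    relationship, time-of-day context and a per-record 'sealed' flag."""
    return Policy("medical-records", [
        Rule("deny-sealed-records", Decision.DENY,
             target=lambda r: is_record_view(r) and bool(r.resource.get("sealed")),
             condition=lambda r: r.subject.get("role") != "privacy-officer"),
        Rule("doctor-views-own-patients", Decision.PERMIT,
             target=lambda r: is_record_view(r) and r.subject.get("role") == "doctor",
             condition=lambda r: r.resource.get("patient_id") in r.subject.get("patients", ())
                                 and working_hours(r)),
        Rule("patient-views-own-record", Decision.PERMIT,
             target=lambda r: is_record_view(r) and r.subject.get("role") == "patient",
             condition=lambda r: r.resource.get("patient_id") == r.subject.get("id")),
    ])


POLICY = example_policy()


def decide(subject: Attrs, resource: Attrs, action: str,
           environment: Optional[Attrs] = None) -> Decision:
    """Evaluate one access request against the constructed policy."""
    return POLICY.evaluate(Request(subject, resource, {"id": action}, environment or {}))


if __name__ == "__main__":
    alice = {"id": "alice", "role": "doctor", "patients": {"p1"}}
    record = {"type": "medical-record", "patient_id": "p1"}
    for env in ({"hour": 10}, {"hour": 22}):
        d = decide(alice, record, "view", env)
        print(f"alice views p1 at {env['hour']:02d}:00 -> {d.value}, access={enforce(d)}")
    d = decide(alice, dict(record, sealed=True), "view", {"hour": 10})
    print(f"alice views sealed p1 -> {d.value}, access={enforce(d)}")
```

Two things worth noticing when running it: the sealed-record rule turns an otherwise permitted request into Deny purely through the combining algorithm, which is how XACML lets a security team add a blanket restriction without editing every permit rule; and a request matching no rule comes back NotApplicable, so the enforcement point, not the policy, is what decides that "no answer" means "no access".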
- You're required to disclose your affiliation to your company's products when linking to them. – user229044 Jul 21 '17 at 00:00
- Which I always do. I did not link to my company's product in this answer. – David Brossard Jul 21 '17 at 16:45
- Agree with @meagar. Axiomatics branding is the first thing on your SlideShare. Please disclose your affiliation in your response. Otherwise, good stuff. – rmharrison Sep 27 '18 at 06:03
- @DavidBrossard: On a related note, removing the email-wall from your company's [Protecting Microservices with ABAC](https://www.axiomatics.com/resources/technical-viewpoint-protecting-microservices-and-apis-with-abac-oauth-and-openid-connect/) white paper would be appreciated. – rmharrison Sep 27 '18 at 06:05
- @DavidBrossard You most certainly did, until I [edited it out](https://stackoverflow.com/posts/26599248/revisions). – user229044 Sep 27 '18 at 11:51
- Definitely did not intend as a product plug. The SDDL work is R&D. The Developer Blog is developer-intended. Not sales... Check my other answers and you will see I systematically disclose. – David Brossard Sep 27 '18 at 12:45