Questions tagged [abac]

Attribute Based Access Control (ABAC) is an access control method based on attributes (key-value pairs) that are used inside policies and rules to express access control logic.

Attribute Based Access Control (ABAC) is an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

Source: Guide to Attribute Based Access Control (ABAC) Definition and Considerations

In short, ABAC is an evolution of the role-based access control model (RBAC). Where RBAC focuses on the user, its role(s), permissions, and optionally group(s) to define authorization logic, ABAC uses attributes and policies to define access control logic.

Attributes are key-value pairs, e.g. role==manager or citizenship==Swedish. Attributes can describe:

  • the user
  • the resource or object being accessed / requested
  • the action being attempted (view, delete, approve...)
  • contextual data such as the time of the day, the user's IP, the authentication method...

XACML is an example of a standard which implements ABAC. is a pseudo-code that can be used to design and implement ABAC policies.

286 questions
27 votes, 1 answer

Attribute Based Access Control (ABAC) in a microservices architecture for lists of resources

I am investigating options to build a system to provide "Entity Access Control" across a microservices based architecture to restrict access to certain data based on the requesting user. A full Role Based Access Control (RBAC) system has already…
Gary MacPherson
24 votes, 3 answers

Spring Security and ABAC (Attribute Based Access Control)

We have a medium sized business app and we use Spring Security roles and permissions (RBAC) heavily with a big kludge to turn roles on and off for certain instances plus rules hidden in SpEL within @PreAuthorize tags. I think what we have actually…
salk31
15 votes, 2 answers

Alternatives for Roles/Claims Access Control Systems

I am developing a REST API for a growing system. And in general Role/Claims Access Control works perfectly like this. [HttpGet] [Route("settings")] [Authorization(Type = AuthorizationType.Admin, Permission = Permission.StoreSettings)] public…
13 votes, 2 answers

Using Open Policy Agent (OPA) as an ABAC system

I have a project that requires ABAC for access control for my project's resources. I've been looking at OPA and authzforce as options to implement ABAC and OPA looks like it might be less complicated than authzforce. I see that OPA compares itself to…
zero
10 votes, 2 answers

RBAC/ABAC via XACML policies

I am studying various types of access control models and came to know that ABAC and RBAC are the popular ones. I've a basic scenario for one of my projects and I couldn't understand whether I should go with RBAC or ABAC. Obviously RBAC is subset…
Haris Qurashi
10 votes, 1 answer

How to store rights? Alternatives to XACML

For a proof of concept I want to store rights. I know there are different ways of access control (DAC, MAC, RBAC, ...). My first idea was using a database, but I'm looking for some more established standards like XACML but unfortunately I have not been…
btzs
8 votes, 3 answers

Fine-grained authorization for web applications

I have a C# .NET application which serves both the company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than a…
kaptan
8 votes, 1 answer

With ABAC/XACML how do you protect resources in reports/large result sets?

How have folks used an ABAC approach when running reports or even just selecting multiple records from a DB? For instance, if you have a policy that states: Doctors can only view patients in their hospital. Obviously the efficient way to implement…
jbd
7 votes, 1 answer

Database design: RBAC or ABAC?

I have a SaaS service where multiple users can collaborate with each other. Till now users under the same subscription account could share the same database and view/edit/delete everything from each other. Now I'd like to implement a permission…
Gianluca Ghettini
7 votes, 2 answers

ABAC with Keycloak - Using resource attributes in policy

What I am trying to achieve: protect a resource in Keycloak with a policy like: if (resource.status == 'draft') $evaluation.grant(); else $evaluation.deny(); Going by their official documents and mailing list responses, it seems attribute based…
dubes
7 votes, 3 answers

Access control design patterns

I'm working on a PHP application, and I'd like to add access control to some of my objects. I didn't tag this question as PHP, as I feel this question is not language specific. Say I have a 'Service class' abstract class Service { } Many…
Evert
6 votes, 1 answer

Implementing ABAC in Node.js/React from scratch

I have a project that I need ABAC implemented in. I've been searching the internet for information on how ABAC works specifically from a Node.js standpoint. I have an understanding of the basic concepts of ABAC but not really how to implement it…
zero
6 votes, 2 answers

How to debug ABAC to RBAC transition in a GKE Kubernetes cluster?

Where does GKE log RBAC permission events? Google Container Engine (GKE) clusters with Kubernetes version v1.6 enable RBAC authorization by default. Apparently ABAC is enabled as fallback authorization as well in order to ease the transition of…
Johannes Kohnen
5 votes, 2 answers

Keycloak set group as owner of resource

I am new to Keycloak and I am trying to use it as an authentication server in my solution. I have the following entity model: the devices are owned by a particular company to which some users belong. A user with the role admin can grant permission for viewing…
Kirill Liubun
5 votes, 3 answers

How to implement Attribute Based Access Control (ABAC) in PHP

I just found a framework from AT&T to build ABAC. This framework uses XACML in XML format to create rules. But this framework is only implemented for Java. However, I'm working with PHP and I am using JSON to write rules. Is my solution correct?…
Kanko