...

PBAC policies are inherently more efficient than ABAC policies because authorization decisions are not built from multiple locally computed decisions that are then combined. Instead, they are the net result of multiple policies based on relationships that exist within a single database. This also allows PBAC to enforce dynamic Segregation of Duties (SOD) rules, which are not entirely achievable with ABAC. A final key feature mentioned is PBAC's support for “before the fact audit,” the ability to see who has access to a resource at any time, not just during the real-time evaluation of a policy set.

Figure 1 below illustrates a PBAC policy that grants the Read, Edit, Print, and Delete permissions to members of the Doctors role, but with some ABAC-style constraints. These constraints, or policy conditions, are that the company must not be in “Emergency Mode,” the user must be accessing information from the “internal” network, and the user must be using strong MFA authentication. The main difference between this PBAC policy and ABAC is that the policy is assigned to the Doctors role. This assignment would typically be represented in a relational or graph database, giving auditors a clear picture of who granted the assignment and at least a partial answer concerning what permissions members of the Doctors role have been granted. The assignment is visible, tangible, and can be recertified periodically. Furthermore, it could also be added to a self-service workflow process where end users could request it.

...

In an actual real-world implementation of PBAC, the challenge of where to acquire the attribute data used in a rich policy is the same as with ABAC. One possible solution is to split responsibility for making the final decision between the PBAC PDP and the application itself, using a “Get Permissions” PBAC query. In this model, it is assumed that the application, or Policy Enforcement Point (PEP), has access to some of the attribute data required for the policy decision. The application, or PEP, queries the Policy Decision Point (PDP), asking whether the user is authorized to perform a particular action or operation. The PBAC PDP then returns a partial answer: No if there are no policy assignments, either to the user or to their roles, that authorize this action. If there are policies that grant the user this permission, the PBAC response is Yes, but with a list of the conditions or constraints under which the action could be permitted. In this model, and assuming it has access to the data necessary to evaluate the condition constraints, it is the PEP's responsibility to enforce the rest of the decision.

Continuing with our example in Figure 2 below, Dr. Alice attempts to View Bob’s X-Ray. The application/PEP asks the PDP whether this should be allowed. The PDP then looks within its PBAC policy store and locates one assignment that grants Doctors this permission and one in which Alice has been assigned to the Doctors role. The PBAC assignment granting Doctors the View permission has constraint conditions defined, so the PDP returns a partial Yes decision to the caller that includes those conditions. The application/PEP must then look up the needed attribute information, whether coded or scripted, and make the full decision.

...

Another model for evaluating PBAC decisions is what EmpowerID terms an “Access Check” query. This model is common where the policies are not overly complex and rely on information easily accessible to the application or to an application gateway acting as the PEP. As shown in Figure 3 below, the application or PEP has all the information required for policy evaluation and sends it to the PDP as part of the query. The application/PEP asks the PDP whether Alice can “View” Bob’s X-Ray and, because the request includes this pre-arranged information, the PDP evaluates it against its policies. If the PDP finds a PBAC policy assignment applicable to Alice or to one of her roles that authorizes this permission, it first evaluates the additional information to verify that the conditions are met and, if they are, returns a Yes answer.
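The following Python model is an added example, not code from the original page or from EmpowerID; it sketches both query styles described above against one small policy store. A PDP holds role memberships and PBAC assignments; `get_permissions` returns the partial answer of the “Get Permissions” flow (No, or Yes plus the conditions the PEP still has to enforce), `pep_enforce` finishes that decision with the attributes the application can see itself, `access_check` is the “Access Check” flow in which the attributes travel with the query, and `who_can` is the “before the fact audit” view from the first paragraph. The condition names, attribute keys, class names and the Alice/Doctors/X-Ray data are constructed for illustration. Two design choices are assumptions rather than anything the page states: a condition whose attribute is missing fails closed, and when several grants match, access is allowed if any one grant's full condition set holds.

```python
from dataclasses import dataclass, field

# Named conditions a PBAC assignment can attach to a grant (constructed names).
# Each predicate returns True only when the attribute data positively satisfies
# it, so a missing or unexpected attribute value fails closed.
CONDITIONS = {
    "not_emergency_mode": lambda ctx: ctx.get("emergency_mode") is False,
    "internal_network": lambda ctx: ctx.get("network") == "internal",
    "strong_mfa": lambda ctx: ctx.get("mfa") == "strong",
}


@dataclass(frozen=True)
class Assignment:
    """A PBAC policy assignment: permissions granted to a user or a role on a
    resource type, constrained by zero or more named conditions."""
    assignee: str               # user id or role name
    resource_type: str
    permissions: frozenset
    conditions: tuple = ()      # all must hold for this grant to apply


@dataclass
class Decision:
    """Answer to a 'Get Permissions' query. For a Yes, `alternatives` holds the
    condition set of every matching grant; the PEP may allow the action once
    any one of those sets is fully satisfied (assumed combination rule)."""
    allowed: bool
    alternatives: list = field(default_factory=list)


def satisfies(alternatives, context):
    """True if at least one grant's complete condition set holds for context.
    Unknown condition names evaluate to False (fail closed)."""
    return any(
        all(CONDITIONS.get(name, lambda _ctx: False)(context) for name in alt)
        for alt in alternatives
    )


class PolicyDecisionPoint:
    def __init__(self, assignments, role_members):
        self.assignments = list(assignments)
        self.role_members = role_members        # role name -> set of user ids

    def _principals(self, user):
        roles = {r for r, members in self.role_members.items() if user in members}
        return {user} | roles

    def _matching(self, user, action, resource_type):
        principals = self._principals(user)
        return [a for a in self.assignments
                if a.assignee in principals
                and a.resource_type == resource_type
                and action in a.permissions]

    def get_permissions(self, user, action, resource_type):
        """'Get Permissions' query: No when nothing grants the action to the
        user or their roles; otherwise Yes plus the conditions the PEP must
        still enforce with its own attribute data."""
        matches = self._matching(user, action, resource_type)
        if not matches:
            return Decision(False)
        return Decision(True, [tuple(a.conditions) for a in matches])

    def access_check(self, user, action, resource_type, context):
        """'Access Check' query: the PEP sends the attribute data with the
        request and the PDP returns a final Yes/No."""
        partial = self.get_permissions(user, action, resource_type)
        return partial.allowed and satisfies(partial.alternatives, context)

    def who_can(self, action, resource_type):
        """'Before the fact audit': who holds a grant for this action, resolved
        through role membership, without evaluating any live request."""
        holders = {}
        for a in self.assignments:
            if a.resource_type != resource_type or action not in a.permissions:
                continue
            # A role assignee expands to its members; anything else is a user id.
            for user in self.role_members.get(a.assignee, {a.assignee}):
                holders.setdefault(user, []).append(tuple(a.conditions))
        return holders


def pep_enforce(pdp, user, action, resource_type, local_attributes):
    """'Get Permissions' flow from the PEP's side: fetch the partial decision,
    then finish it with the attributes the application can see itself."""
    partial = pdp.get_permissions(user, action, resource_type)
    if not partial.allowed:
        return False
    return satisfies(partial.alternatives, local_attributes)


# Constructed sample policy store mirroring the Doctors / X-Ray scenario.
DOCTOR_XRAY = Assignment(
    assignee="Doctors",
    resource_type="XRay",
    permissions=frozenset({"View", "Read", "Edit", "Print", "Delete"}),
    conditions=("not_emergency_mode", "internal_network", "strong_mfa"),
)
PDP = PolicyDecisionPoint([DOCTOR_XRAY], {"Doctors": {"alice"}})

if __name__ == "__main__":
    ctx = {"emergency_mode": False, "network": "internal", "mfa": "strong"}
    print(PDP.get_permissions("alice", "View", "XRay"))
    print(pep_enforce(PDP, "alice", "View", "XRay", ctx))                          # True
    print(PDP.access_check("alice", "View", "XRay", {**ctx, "network": "vpn"}))    # False
```

Worth noting for a reviewer of either flow: `pep_enforce` with an attribute absent from `local_attributes` returns False rather than Yes, which is the behaviour you want when the PEP cannot actually see the data the policy depends on; and `who_can` answers the audit question from the assignment and membership relations alone, which is exactly what the relational or graph representation of assignments is there to support.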

...


...

See Also