...

  • ABAC supports centralized management of authorization policies: rules are authored, versioned and evaluated in one decision engine rather than coded separately into each application.

  • ABAC lets access rules be expressed as queries (predicates) over the attributes of the Subject, the Resource, the Action and the Environment.

  • ABAC rules can be extraordinarily fine-grained and contextual, taking into account conditions such as time, network location and authentication strength at the moment of the request.

  • ABAC rules can evaluate attributes of Subjects and Resources that the authorization system does not itself inventory, because the attributes are read from their source of record at decision time.

  • ABAC rules need less maintenance and overhead because they do not require the creation or maintenance of the structure on which an RBAC model depends, e.g., roles and resource locations. The maintenance burden does shift to keeping the attribute data accurate and current, since a decision is only as good as the attributes fed into it.

Figure 2, below, shows an example of an actual ABAC policy implemented in an EmpowerID demonstration. Here, our application is asking whether Alice can View Bob’s X-Ray. Our ABAC decision engine bases its decision on an elaborate ABAC policy (labeled Policies in the figure). The first check in Rule1 is that the action being taken is ‘View.’ The next requirement of Rule1 is that the company is not in ‘Emergency Mode,’ i.e., in the middle of a crisis. However, to make the rule more flexible during a crisis, some roles may be granted additional permissions so that people who would normally not be permitted to perform those activities can assist. The next check only allows ‘View’ if the person is currently on the ‘Local Network.’ (Some sensitive activities might not be allowed if the person is outside the corporate network.) The next check confirms that the user performed a Multi-Factor Authentication (‘MFA’) with a Level of Assurance (‘LOA’) of at least ‘2’. This type of authentication refers to a stronger authentication method, like a physical token or mobile push. The policy also checks that the user is a member of the Doctors role and that their status is not currently set to out of office. Finally, the policy checks the Resource itself: whether the X-Ray has been flagged as ‘Confidential’ and whether the Subject has a relationship of the type Attending Physician to the patient it belongs to.
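To make the mechanics concrete, the following is an added example, written for this page and not EmpowerID’s own decision engine, of the “Can Alice View Bob’s X-Ray?” policy from Figure 2 expressed as a list of predicates over Subject, Action, Resource and Environment attributes. The attribute names (`loa`, `on_local_network`, `emergency_mode`, `status`, `attending_physician`), the `EmergencyResponder` override role, and the way the final two checks are combined (a confidential X-Ray is viewable only by its attending physician) are assumptions made for the illustration. The evaluator is default-deny: every rule must hold, a missing attribute counts as a failed check, and the names of the failed rules are returned so the decision can be audited.

```python
"""Minimal attribute-based policy evaluator (illustrative; not EmpowerID's engine)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass(frozen=True)
class Request:
    """The four attribute bags an ABAC decision is made over."""
    subject: Attrs
    action: str
    resource: Attrs
    environment: Attrs


@dataclass
class Rule:
    """A named predicate; the name is what shows up in the audit trail."""
    name: str
    predicate: Callable[[Request], bool]


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Default-deny evaluation: Permit only if every rule holds.

    Returns (decision, names of the rules that failed). Any exception or
    missing attribute inside a predicate is treated as a failed rule.
    """
    failed = []
    for rule in rules:
        try:
            ok = bool(rule.predicate(req))
        except (KeyError, TypeError):
            ok = False  # fail closed on absent or malformed attributes
        if not ok:
            failed.append(rule.name)
    return ("Permit" if not failed else "Deny", failed)


# Roles allowed to keep viewing while the company is in Emergency Mode (assumption).
EMERGENCY_OVERRIDE_ROLES = {"EmergencyResponder"}

# The checks from Figure 2, in order. Attribute names are assumptions for this example;
# note that none of them need to be inventoried by the evaluator itself, they arrive
# with the request from whatever system is the source of record.
XRAY_VIEW_POLICY = [
    Rule("action-is-view", lambda r: r.action == "View"),
    Rule("not-emergency-mode-or-override",
         lambda r: not r.environment.get("emergency_mode", False)
         or bool(EMERGENCY_OVERRIDE_ROLES & set(r.subject.get("roles", ())))),
    Rule("on-local-network", lambda r: r.environment.get("on_local_network") is True),
    Rule("mfa-loa-at-least-2", lambda r: r.subject.get("loa", 0) >= 2),
    Rule("is-doctor", lambda r: "Doctors" in r.subject.get("roles", ())),
    Rule("not-out-of-office", lambda r: r.subject.get("status") != "OutOfOffice"),
    Rule("not-confidential-unless-attending",
         lambda r: not r.resource.get("confidential", False)
         or r.subject.get("id") == r.resource.get("attending_physician")),
]


def decide(subject: Attrs, action: str, resource: Attrs, environment: Attrs) -> Tuple[str, List[str]]:
    """Convenience wrapper: evaluate the X-Ray policy for one request."""
    return evaluate(XRAY_VIEW_POLICY, Request(subject, action, resource, environment))


# Constructed sample attributes for "Can Alice View Bob's X-Ray?" (not real data).
ALICE = {"id": "alice", "roles": ["Doctors"], "loa": 2, "status": "Available"}
BOBS_XRAY = {"type": "XRay", "patient": "bob", "confidential": False,
             "attending_physician": "carol"}
NORMAL_ENV = {"emergency_mode": False, "on_local_network": True}

if __name__ == "__main__":
    print(decide(ALICE, "View", BOBS_XRAY, NORMAL_ENV))
    print(decide({**ALICE, "loa": 1}, "View", BOBS_XRAY, NORMAL_ENV))
    print(decide(ALICE, "View", {**BOBS_XRAY, "confidential": True}, NORMAL_ENV))
    print(decide(ALICE, "View", BOBS_XRAY, {**NORMAL_ENV, "emergency_mode": True}))
```

Two design choices worth copying into a real policy: a missing attribute (for example a session that never recorded an LOA) produces Deny rather than an exception or a silent Permit, and the decision carries the failed rule names so that a denied user, or an auditor, can see which condition was not met without re-running the policy.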

...

Another challenge with ABAC is finding someone within the organization with the skills and knowledge to write authorization policies. Writing rich, accurate, and effective policies requires both solid business knowledge and a deep understanding of security. XACML, standardized by OASIS in 2003, is an XML-based language for writing authorization policies. The original idea with XACML was that business users would author these policies, and in vendor marketing and some analyst circles this idea persists to this day. The notion that business users know best who should be able to do what, from a business activity perspective, is after all entirely logical. However, writing XACML policies is extremely complex, and most business users simply do not have the time or the training to write them.


...

See Also

What is Role Based Access Control?

What is Policy Based Access Control?

EmpowerID Hybrid Access Control (RBAC, ABAC, and PBAC)

What are Access Levels?

What are EmpowerID Operations?

What are Resources and Resource Types?