Shekhar Jha

I am completely confused by the two approaches that you have discussed. The first, i.e. RBAC, talks about the policy model, while the second, CBAC/ABAC or whatever, talks about evaluation architecture. This is an apples-to-oranges comparison.
I do not see CBAC and RBAC as totally incompatible approaches. CBAC itself can be built over RBAC using dynamic role mapping, or by extending RBAC to support Rule-based Access Control where the claim information can be used as part of rule evaluation.
So, CBAC is supplementary to RBAC.


No question the two approaches can be used together; in effect your RBAC logic becomes part of the PEP/PDP workflow. CBAC and RBAC are not incompatible, but based on your use cases and your knowledge and control of your environment, you may be led in one direction or the other, or you can combine both; certainly this seems to be where Bandit and Higgins are headed.
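The layering both comments describe, claims mapped to roles at decision time and the result fed into an ordinary RBAC lookup inside a PEP/PDP workflow, as an added illustration that is not code from either commenter or from Bandit or Higgins. The roles, permissions, rules and issuer URL are constructed sample values; claims from an untrusted issuer are deliberately mapped to no roles.

```python
"""Claims-based access control layered on RBAC: claims from a token are
mapped to roles by rules evaluated at decision time, then a static RBAC
permission lookup decides. Constructed illustration, not code from the post."""
from dataclasses import dataclass, field

# Static RBAC policy model: role -> permissions (constructed sample values)
ROLE_PERMISSIONS = {
    "employee": {"read:directory"},
    "finance":  {"read:directory", "approve:expense"},
    "auditor":  {"read:ledger"},
}

# Issuers whose claims the PDP trusts (constructed for the example)
TRUSTED_ISSUERS = {"https://idp.example.internal"}

@dataclass
class Claims:
    issuer: str
    attrs: dict = field(default_factory=dict)

# Dynamic role mapping rules: predicate over the claim set -> role granted
ROLE_RULES = [
    (lambda c: c.get("employment") == "active", "employee"),
    (lambda c: c.get("employment") == "active" and c.get("dept") == "finance", "finance"),
    (lambda c: "audit" in c.get("groups", []), "auditor"),
]

def roles_for(claims: Claims) -> set:
    """Derive roles from claims at evaluation time; untrusted issuers yield none."""
    if claims.issuer not in TRUSTED_ISSUERS:
        return set()
    return {role for rule, role in ROLE_RULES if rule(claims.attrs)}

def pdp_decide(claims: Claims, permission: str) -> bool:
    """Policy decision point: claims -> roles -> permissions."""
    return any(permission in ROLE_PERMISSIONS[r] for r in roles_for(claims))

def pep_enforce(claims: Claims, permission: str, action):
    """Policy enforcement point: run the action only if the PDP permits it."""
    if not pdp_decide(claims, permission):
        raise PermissionError(f"denied: {permission}")
    return action()
```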
