NIST and the NSA are holding a Privilege (Access) Management Workshop this week (ht Anil John); one of the documents is a very short, sharply focused survey of Access Control Models (pdf). The authors have clearly been there, done that.
A key advantage to the ABAC model is that there is no need for the requester to be known in advance to the system or resource to which access is sought. As long as the attributes that the requestor supplies meet the criteria for gaining entry, access will be granted. Thus, ABAC is particularly useful for situations in which organizations or resource owners want unanticipated users to be able to gain access as long as they have attributes that meet certain criteria. This ability to determine access without the need for a predefined list of individuals that are approved for access is critical in large enterprises where the people may join or leave the organization arbitrarily.
Many access control models look great on the whiteboard and then fall down when they meet reality, simply because the model assumes far too much a priori knowledge. Of course, ABAC introduces many wormholes of its own that attacks can flow through.
The eXtensible Access Control Markup Language (XACML) is based upon XML, and was developed as a way to specify access control policy in a machine-readable format. Unfortunately, policy creation can be complicated and the use of XACML does not necessarily make the task of creating, specifying, and enforcing good access control policy any less difficult.
This matches my experience with policy tools in general: there is utility, but in most cases the tooling and standards are not making things much simpler.
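To make the two quoted points concrete, here is an added illustration (not code from the NIST/NSA survey, the XACML specification, or this blog) of what an attribute-based decision point actually does. It borrows XACML's vocabulary, a policy as a set of rules, each with a target, a condition over attributes and a Permit/Deny effect, combined deny-overrides, in plain Python instead of XML. A requester nobody pre-registered gets access because the attributes fit, which is the advantage the survey describes; the same code also shows the main wormhole, attributes the subject asserts about itself, by recording the issuer of each attribute and ignoring anything not vouched for by a trusted authority. The issuer names, rule names and the sample requests are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Attribute authorities this decision point trusts (assumed names for the example).
TRUSTED_ISSUERS = frozenset({"hr-directory", "partner-idp"})


@dataclass(frozen=True)
class Attribute:
    """One asserted fact about the subject, plus the authority that vouched for it."""
    name: str
    value: object
    issuer: str


@dataclass(frozen=True)
class Request:
    subject: tuple            # tuple of Attribute describing the requester
    resource: Dict[str, str]  # attributes of the thing being accessed
    action: str


@dataclass(frozen=True)
class Rule:
    """XACML-style rule: applies when target() holds, yields effect when condition() holds."""
    rule_id: str
    effect: str                                        # "Permit" or "Deny"
    target: Callable[[Request], bool]
    condition: Callable[[Dict[str, object], Request], bool]


def trusted_attributes(req: Request, trusted: Iterable[str] = TRUSTED_ISSUERS) -> Dict[str, object]:
    """Keep only attributes vouched for by a trusted issuer; self-asserted claims are dropped."""
    trusted = set(trusted)
    return {a.name: a.value for a in req.subject if a.issuer in trusted}


def evaluate(policy: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins, else any Permit, else NotApplicable."""
    attrs = trusted_attributes(req)
    effects = [r.effect for r in policy if r.target(req) and r.condition(attrs, req)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def enforce(policy: List[Rule], req: Request) -> bool:
    """Enforcement point: only an explicit Permit opens the door (default deny)."""
    return evaluate(policy, req) == "Permit"


# Constructed policy: three rules, no list of approved individuals anywhere.
POLICY = [
    Rule("deny-suspended", "Deny",
         target=lambda req: True,
         condition=lambda attrs, req: attrs.get("status") == "suspended"),
    Rule("permit-read-own-org", "Permit",
         target=lambda req: req.action == "read" and req.resource["classification"] == "internal",
         condition=lambda attrs, req: attrs.get("org") == req.resource["owner"]),
    Rule("permit-admin-write", "Permit",
         target=lambda req: req.action == "write",
         condition=lambda attrs, req: attrs.get("role") == "admin"),
]

DOC = {"classification": "internal", "owner": "acme"}  # constructed resource


def example_decisions() -> Dict[str, str]:
    """Constructed requests from subjects the system has never seen before."""
    partner = (Attribute("org", "acme", "partner-idp"),
               Attribute("status", "active", "partner-idp"))
    # Same subject, but also claiming "admin" with no issuer behind it.
    self_claimed_admin = partner + (Attribute("role", "admin", "self"),)
    suspended = (Attribute("org", "acme", "hr-directory"),
                 Attribute("status", "suspended", "hr-directory"))
    return {
        "unknown_partner_read": evaluate(POLICY, Request(partner, DOC, "read")),
        "self_asserted_admin_write": evaluate(POLICY, Request(self_claimed_admin, DOC, "write")),
        "suspended_read": evaluate(POLICY, Request(suspended, DOC, "read")),
    }


if __name__ == "__main__":
    for name, decision in example_decisions().items():
        print(f"{name}: {decision}")
```

The unregistered partner user is permitted purely on a vouched-for org attribute, the self-asserted admin role never reaches a rule because the decision point discards untrusted issuers, and the suspended user is denied even though the read rule would have permitted. Real deployments get the same properties from signed assertions (SAML, JWT) and an explicit trust list at the decision point; the provenance check is the part that XACML policy syntax alone does not give you.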
The only model I've ever really seen work in any open/free/evolved setting is capabilities. This mostly shows in the sense that access control models don't work, and shine by their ability to stop work not enable it ... and simpler models (like password logins) evolve until they are like capabilities.
But of course it is highly immoral to say things like that because the compliancepolizei go loopy about the apparent lack of control.
Posted by: Iang | September 03, 2009 at 10:59 AM
Agree. I think capabilities are either Attribute Based Access Control or Policy Based Access Control, depending on how policy is deployed.
The overall trend line shows more granularity in access control, which potentially yields better policy expressibility and more flexibility.
So while the terminology is different, I think the NIST/NSA work comes to the same conclusion; after all, capabilities are expressed as attributes which are either asserted in a vanilla fashion or in the context of a policy.
Posted by: Gunnar | September 03, 2009 at 11:09 AM