Don’t get me wrong, everyone needs at least RBAC, but it has limitations and doesn’t work well with instance data in the authorization expression. This perceived need leads me to look for case studies describing large-scale deployments of ABAC.
For example I’d like to read about:
A global phone company that controls ac […]
It seems every year there’s a new protocol for handling security. I was first sucked down into this black hole in the ’90s. There were few standards back then. Now, so many years and protocols have passed…
https auth, x.509 auth, CSIv2, spnego, liberty, saml, ws-*, xacml, openid, oauth, uma
All said to hold great prom […]
Of late, I have been on a quest to educate the info sec community on the definition of RBAC. Not the first time. A couple years back, this role-infused rant:
Using Roles for Access Control is Not Role-Based Access Control
And before that this:
An Introduction to Role-Based Access Control
But my efforts have fallen on deaf ears. One of the most p […]
Security Access Control Engine – How & Why
The OpenLDAP Accelerator is a Policy Decision Point that resides inside the slapd process. This presentation – “Introducing a Security Access Control Engine” – explains how it works and why it’s important. We’ll explore ideas of protocol standardization […]
As engineers, we are often encouraged to use the right tool for the job. Maybe that is because we tend to grow too attached to the familiar. When we’ve got a hammer, everything looks like a nail.
Apache Directory Server is one of those tools that is often overlooked. This is unfortunate because it’s a high functioning LD […]
Announced just this week: Apache Fortress 1.0-RC42 released. What, is this some kind of joke? Why would a project go thru 42 iterations of release candidates just for a 1.0 designation? No joke here unless you find our efforts to create a simple, useful and robust access management solution funny. Before that 1.0 label gets used, […]
Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability—referred to as DROWN in public reporting—may allow a remote attacker to obtain the private key of a server supp […]
A question that has been lingering. It’s fair game, but before I get around to actually answering, let’s remember how we got here.
Before the first open source IAM product existed we had standard policy enforcement protocols in use. Examples include Java EE security & JAAS. Unix had PAM, sudo a […]
Within the past few days the internet has been flooding with news and discussion of a recent OpenSSL vulnerability with far reaching impact (details). The good news here at Symas is that none of our current or prior product releases are susceptible to this particularly nasty bug, which affects versions of OpenSSL we don’t use at this tim […]
ANSI RBAC Explained
Misnomers abound as to what constitutes a working Role-Based Access Control (RBAC) system. With ANSI RBAC, Groups are not Roles and resource connections not Sessions. This paper explains what ANSI RBAC is and how it can be applied to existing problem domains. It dispels longstanding myths persistent within th […]