Matthew Hardin

RBAC and ABAC

Symas Corporation recently merged with Joshua Tree Software, developers of the Fortress Role-Based Access Control (RBAC) Open Source Software suite. Fortress is based on OpenLDAP and has been shown to work well with Apache Directory Server (ApacheDS) as well. Fortress is the only production-ready implementation of the ANSI INCITS 359-2004 RBAC Standard available today.


There has recently been a renewal of interest in Attribute-Based Access Control, or ABAC, with some writers implying that ABAC obsoletes or supersedes RBAC. When we read the various articles and postings, we find much to think about but come away convinced that RBAC continues to address a style of security policy definition and administration that is quite common in many enterprises. The capabilities standardized by ANSI represent a powerful and relatively comprehensive base of capability in support of that style of access control. We think that claiming ABAC replaces RBAC is going too far.


ABAC appears to bring a more complex, computationally intensive style of policy expression and evaluation into play. It seems to point to more complex administrative and auditing challenges as well. In some ways, ABAC appears to be addressing a need for “dynamic permissioning” that is deductive rather than declarative: a decision is derived by logic over attribute values and, possibly, historical data, instead of being read from a stored assignment. This is a form of rule engine that is likely very valuable for application developers implementing business rules more complex than those typical of resource access policies.
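As an added illustration (not Fortress code and not part of the original post), the following Python sketch puts a minimal Core RBAC check in the style of the ANSI INCITS 359-2004 functional specification (user-role assignment, permission-role assignment, sessions, CheckAccess) next to a minimal ABAC evaluator that re-runs predicate rules over subject, resource and environment attributes on every request. All users, roles, attributes and rules are constructed sample data, and the class and function names are this example's own.

```python
"""Added example (not Symas/Fortress code): a minimal Core RBAC checker in the
ANSI INCITS 359-2004 style beside a minimal ABAC rule evaluator, so the two
policy styles can be compared on the same access request.
Users, roles, permissions, attributes and rules are constructed sample data."""
from dataclasses import dataclass, field
from typing import Callable

# ---------- Core RBAC: user -> role -> permission, evaluated per session ----------
Permission = tuple[str, str]  # (operation, object), e.g. ("read", "report-42")


@dataclass
class RBAC:
    user_roles: dict[str, set[str]] = field(default_factory=dict)          # UA relation
    role_perms: dict[str, set[Permission]] = field(default_factory=dict)   # PA relation
    sessions: dict[str, tuple[str, set[str]]] = field(default_factory=dict)

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant_permission(self, role: str, op: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((op, obj))

    def create_session(self, session_id: str, user: str, active_roles: set[str]) -> None:
        # A session may only activate roles actually assigned to the user.
        illegal = set(active_roles) - self.user_roles.get(user, set())
        if illegal:
            raise ValueError(f"{user} is not assigned roles {sorted(illegal)}")
        self.sessions[session_id] = (user, set(active_roles))

    def check_access(self, session_id: str, op: str, obj: str) -> bool:
        # CheckAccess: the permission must be granted to some role active in the session.
        _, active = self.sessions[session_id]
        return any((op, obj) in self.role_perms.get(r, set()) for r in active)

    def explain(self, session_id: str, op: str, obj: str) -> list[str]:
        # Audit view: which active roles carry the permission (empty list means denied).
        _, active = self.sessions[session_id]
        return sorted(r for r in active if (op, obj) in self.role_perms.get(r, set()))


# ---------- ABAC: rules are predicates over subject, resource and environment attributes ----------
Rule = Callable[[dict, dict, dict], bool]


@dataclass
class ABAC:
    rules: list[tuple[str, Rule]] = field(default_factory=list)

    def add_rule(self, name: str, rule: Rule) -> None:
        self.rules.append((name, rule))

    def matching_rules(self, subject: dict, resource: dict, env: dict) -> list[str]:
        # Every rule is re-evaluated on every request: the answer depends on the
        # attribute values at decision time, not on a stored assignment.
        return [name for name, rule in self.rules if rule(subject, resource, env)]

    def check_access(self, subject: dict, resource: dict, env: dict) -> bool:
        return bool(self.matching_rules(subject, resource, env))


def demo() -> dict:
    rbac = RBAC()
    rbac.assign_user("alice", "analyst")
    rbac.grant_permission("analyst", "read", "report-42")
    rbac.create_session("s1", "alice", {"analyst"})

    abac = ABAC()
    abac.add_rule("analysts-read-reports",
                  lambda s, r, e: "analyst" in s["roles"] and r["type"] == "report" and e["op"] == "read")
    # A rule RBAC cannot state as a static role/permission assignment: the decision
    # depends on ownership and on the time of the request.
    abac.add_rule("owner-edits-own-during-business-hours",
                  lambda s, r, e: s["id"] == r["owner"] and e["op"] == "write" and 9 <= e["hour"] < 17)

    alice = {"id": "alice", "roles": {"analyst"}}                       # constructed subject
    report = {"id": "report-42", "type": "report", "owner": "alice"}   # constructed resource
    return {
        "rbac_read": rbac.check_access("s1", "read", "report-42"),
        "rbac_write": rbac.check_access("s1", "write", "report-42"),
        "rbac_explain": rbac.explain("s1", "read", "report-42"),
        "abac_read": abac.check_access(alice, report, {"op": "read", "hour": 10}),
        "abac_write_day": abac.check_access(alice, report, {"op": "write", "hour": 10}),
        "abac_write_night": abac.check_access(alice, report, {"op": "write", "hour": 22}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast shows the auditing point made above: an RBAC decision can be explained by listing the assigned and activated roles that carry the permission, which an administrator can review ahead of time, whereas an ABAC decision only exists at request time and can be reproduced for review only by re-evaluating the rules against the attribute values that were in effect then.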


We find both of these approaches to be interesting and potentially valuable in their respective use-cases and look forward to participating in the evolution of them both.
