The second part of the presentation focused on an introduction to attribute-based access control, or ABAC. ABAC can be seen as the next step after role-based access control (RBAC) in the evolution of authorization. ABAC extends RBAC by basing decisions not only on user attributes (identity, role, title, group) but also on further attributes of the user, of the resource, and even of the context (e.g. time of day, IP address, location). Most importantly, ABAC lets developers easily express relationships, e.g. doctors can access a medical record if they have a care relationship with the owner (the patient) of that record.
Attribute-based access control therefore lets developers define exactly the authorization scenarios they care about. And ABAC doesn’t come alone: it is enabled through a policy-based approach (or PBAC, for the sake of yet another acronym). That led us to part III of the presentation, an introduction to XACML.
It’s XACML, not whack-a-mole, and it stands for eXtensible Access Control Markup Language. XACML is an OASIS standard (OASIS is the organization behind SAML and many other standards). It’s the de facto standard for policy- and attribute-based access control. One of the main parts of XACML is its architecture and the way authorization is queried: it’s always a yes-or-no question. Can Alice do X? Yes she can. This makes integration extremely simple and lightweight, which of course makes developers happy.
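To make the two ideas above concrete, the care-relationship rule from the ABAC section and the yes-or-no query model of XACML, here is a small policy decision point written in Python. It is an added example, not code from the presentation and not XACML itself (a real XACML policy is XML, and the request/response messages are defined by the standard): it only borrows the model of subject, resource, action and environment attributes, rules with a target and a condition, and a deny-overrides combining algorithm. The attribute names (`role`, `care_team`, `hour`) and the sample record are constructed for the example.

```python
"""Toy ABAC policy decision point (PDP) modelled on the XACML pattern:
the policy enforcement point (PEP) sends subject, resource, action and
environment attributes; the PDP answers Permit, Deny or NotApplicable.
Added example; attribute names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    """The four attribute categories a PEP sends to the PDP."""
    subject: Attrs
    resource: Attrs
    action: Attrs
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                                              # "Permit" or "Deny"
    target: Callable[[Request], bool]                        # does the rule apply at all?
    condition: Callable[[Request], bool] = lambda req: True  # finer-grained check


def evaluate_rule(rule: Rule, req: Request) -> str:
    """A rule whose target or condition does not match yields NotApplicable,
    never its effect; only a full match produces Permit or Deny."""
    if not rule.target(req):
        return "NotApplicable"
    return rule.effect if rule.condition(req) else "NotApplicable"


def deny_overrides(decisions: List[str]) -> str:
    """Combining algorithm: any Deny wins, then any Permit, else NotApplicable."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def decide(policy: List[Rule], req: Request) -> str:
    """Evaluate every rule of the policy and combine the individual results."""
    return deny_overrides([evaluate_rule(rule, req) for rule in policy])


def is_permitted(policy: List[Rule], req: Request) -> bool:
    """The PEP's yes/no view of the decision. Only an explicit Permit is a
    'yes'; NotApplicable (no rule matched) is treated as 'no', which is the
    deny-by-default behaviour an enforcement point should have."""
    return decide(policy, req) == "Permit"


def in_office_hours(req: Request) -> bool:
    """Context attribute: the hour of day supplied by the PEP (constructed)."""
    hour = req.environment.get("hour")
    return hour is not None and 8 <= hour < 18


# Policy for medical records, as rules over attributes rather than roles alone.
MEDICAL_RECORD_POLICY = [
    Rule(
        name="doctor-with-care-relationship-may-read",
        effect="Permit",
        target=lambda r: (r.subject.get("role") == "doctor"
                          and r.resource.get("type") == "medical-record"
                          and r.action.get("id") == "read"),
        # The relationship check: is this doctor on the record's care team?
        condition=lambda r: r.subject.get("id") in r.resource.get("care_team", []),
    ),
    Rule(
        name="no-record-access-outside-office-hours",
        effect="Deny",
        target=lambda r: r.resource.get("type") == "medical-record",
        condition=lambda r: not in_office_hours(r),
    ),
]

# Constructed sample resource: a record whose care team contains one doctor.
RECORD_OF_PATIENT_42 = {
    "type": "medical-record",
    "patient": "patient-42",
    "care_team": ["dr-alice"],
}


def make_request(doctor_id: str, action: str, hour: int) -> Request:
    """Build the request a PEP would send for a doctor acting on the sample record."""
    return Request(
        subject={"id": doctor_id, "role": "doctor"},
        resource=RECORD_OF_PATIENT_42,
        action={"id": action},
        environment={"hour": hour},
    )


if __name__ == "__main__":
    for doctor, action, hour in [("dr-alice", "read", 10), ("dr-bob", "read", 10),
                                 ("dr-alice", "read", 22), ("dr-alice", "write", 10)]:
        req = make_request(doctor, action, hour)
        answer = "yes" if is_permitted(MEDICAL_RECORD_POLICY, req) else "no"
        print(f"Can {doctor} {action} at {hour:02d}:00? "
              f"{decide(MEDICAL_RECORD_POLICY, req)} -> {answer}")
```

The point worth noticing is the difference between `decide` and `is_permitted`: the PDP distinguishes Deny from NotApplicable (a record nobody has a rule for), but the PEP collapses both into "no". An integration that treats anything other than an explicit Permit as access granted would silently open every resource the policy does not mention.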
In the final part of the presentation, we focused on examples and integrations with existing tooling and APIs. For instance, we looked at using XACML-based authorization for Java servlets, for JAX-WS services, and even for annotation-driven authorization.