Short introduction to Access Control – Part 1

(Short) Story of Access Control

Access control can be thought of as a way to selectively restrict access to a specific resource. The actual process of obtaining the access to the resource is know as authorization.

Over the course of several decades, several models of access control systems have been developed. Chief among them is the Role-Based Access Control model (RBAC).

Role-Based Access Control

Role-Based Access Control (RBAC) is a widely used access control system whereby roles are created for a set of people, say along the lines of job functions. Permissions are then associated with these roles to access and perform actions on resources. The abstraction away from users to a higher-order “role” makes it easier to manage users when they join, leave or change departments etc.

RBAC has been particularly useful in scenarios where the concept of subject, roles, permission and objects existed beforehand and where policies have been modeled to reflect such a setup. RBAC can also be configured to implement Mandatory Access Control (MAC) and Discretionary Access Control (DAC) policies.

While RBAC has been around for a long time and has proven widely useful in actual real-life scenarios, it is not without limitations.

Foremost among the limitation is that RBAC policies are limited by the abstraction of roles and permission, leading to the inability to express fine- grained access control rules and policies. For example, a rule like “Allow doctor access to patient records if the doctor is assigned as caregiver to the patient or if the doctor is working in the ER” is hard to express and enforce purely using RBAC.

Another limitation is the phenomenon of “role explosion” whereby a large number of roles need to be created to enforce rules that need finer granularity than that provided by role, roles being inherently assigned to operations and data types.

In order to provide finer grained access control capabilities that can utilize contextual information better than that possible in RBAC, Attribute Based Access Control has been proposed (ABAC).

Attribute-Based Access Control

Attributes are sets of labels or properties that describe all aspects of entities that must be considered during the authorization process. ABAC uses attributes as building blocks in a structured language that can be used to define access control rules and to describe access requests.

Examples of attributes include the username of the user, their clearance, role, and location etc., classification of the object/resource, its status, type etc., time of the day, etc.

eXtensible Access Control Markup Language (XACML) is one of the most prominent ABAC systems: in the following blog posts we will look into the details of XACML.

Related Articles

The one with all the authorization vendors | Dynamically Speaking
Dynamically Speaking
Does it feel as though everyone’s suddenly talking about authorization? We think so too and asked Axiomatics President & CCO Jim Barkdoll his thoughts on...
The one about identity-first security | Dynamically Speaking
Dynamically Speaking
Few have their finger on the pulse of all things Identity and Access Management (IAM) like Jackson Shaw, Chief Strategy Officer for Clear Skye. In...
The Log4j vulnerability – What you need to know
Customer Alerts
As many of you know, on December 9, 2021 the Apache Log4j vulnerability (CVE-2021-4422) was discovered, affecting somewhere between 0 and 3 billion-plus devices currently...