
Short introduction to Access Control – Part 1

(Short) Story of Access Control

Access control can be thought of as a way to selectively restrict access to a specific resource. The actual process of deciding whether a request for the resource is granted is known as authorization.

Over the course of several decades, a number of access control models have been developed. Chief among them is the Role-Based Access Control model (RBAC).

Role-Based Access Control

Role-Based Access Control (RBAC) is a widely used access control system whereby roles are created for a set of people, say along the lines of job functions. Permissions to access and perform actions on resources are then associated with these roles. The abstraction away from individual users to a higher-order “role” makes it easier to manage users when they join, leave, or change departments.

RBAC has been particularly useful in scenarios where the concepts of subjects, roles, permissions and objects already existed and where policies have been modeled to reflect such a setup. RBAC can also be configured to implement Mandatory Access Control (MAC) and Discretionary Access Control (DAC) policies.

While RBAC has been around for a long time and has proven widely useful in real-life scenarios, it is not without limitations.

Foremost among the limitations is that RBAC policies are bounded by the abstraction of roles and permissions, so fine-grained access control rules and policies cannot be expressed. For example, a rule like “Allow doctor access to patient records if the doctor is assigned as caregiver to the patient or if the doctor is working in the ER” is hard to express and enforce purely using RBAC.

Another limitation is the phenomenon of “role explosion”: because roles are inherently bound to operations and data types, a large number of roles must be created to enforce rules that need finer granularity than a role provides.

In order to provide finer-grained access control that can make better use of contextual information than RBAC can, Attribute-Based Access Control (ABAC) has been proposed.

Attribute-Based Access Control

Attributes are sets of labels or properties that describe all aspects of entities that must be considered during the authorization process. ABAC uses attributes as building blocks in a structured language that can be used to define access control rules and to describe access requests.

Examples of attributes include, for the user, their username, clearance, role and location; for the object or resource, its classification, status and type; and contextual attributes such as the time of day.

eXtensible Access Control Markup Language (XACML) is one of the most prominent ABAC systems: in the following blog posts we will look into the details of XACML.
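The doctor/patient rule from the RBAC section, evaluated against subject, resource and context attributes. This is an added example and not code from the original post; the Subject and Resource types, the rule names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed types and sample values for illustration; not from the original post.
@dataclass(frozen=True)
class Subject:
    username: str
    roles: frozenset                              # RBAC-style roles, e.g. {"doctor"}
    assigned_patients: frozenset = frozenset()    # patients this subject is caregiver for

@dataclass(frozen=True)
class Resource:
    kind: str                                     # e.g. "patient_record"
    patient_id: str                               # the patient the record belongs to

def rbac_decision(subject, resource):
    """Pure RBAC: the 'doctor' role grants access to every patient record.
    A role carries no information about which patient the doctor cares for."""
    return resource.kind == "patient_record" and "doctor" in subject.roles

def _doctor_on_record(s, r, ctx):
    return "doctor" in s.roles and r.kind == "patient_record"

# ABAC policy: named rules over subject (s), resource (r) and context (ctx)
# attributes. Deny by default; the first rule whose condition holds permits.
RULES = [
    ("caregiver", lambda s, r, ctx: _doctor_on_record(s, r, ctx)
                                    and r.patient_id in s.assigned_patients),
    ("er-duty",   lambda s, r, ctx: _doctor_on_record(s, r, ctx)
                                    and ctx.get("location") == "ER"),
]

def abac_decision(subject, resource, context):
    """Return ("Permit", rule_name) for the first applicable rule, else ("Deny", None)."""
    for name, condition in RULES:
        if condition(subject, resource, context):
            return ("Permit", name)
    return ("Deny", None)

if __name__ == "__main__":
    alice = Subject("alice", frozenset({"doctor"}), frozenset({"p-42"}))
    own, other = Resource("patient_record", "p-42"), Resource("patient_record", "p-77")
    ward, er = {"location": "ward"}, {"location": "ER"}
    print("RBAC, other patient:", rbac_decision(alice, other))      # True: RBAC over-grants
    print("ABAC, own patient:", abac_decision(alice, own, ward))    # ('Permit', 'caregiver')
    print("ABAC, other, ward:", abac_decision(alice, other, ward))  # ('Deny', None)
    print("ABAC, other, ER:", abac_decision(alice, other, er))      # ('Permit', 'er-duty')
```

The RBAC check permits any doctor to read any record, whereas the ABAC policy denies the same request unless a caregiver assignment or the ER context attribute makes a rule applicable.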
