(Short) Story of Access Control
Access control can be thought of as a way to selectively restrict access to a specific resource. The actual process of obtaining the access to the resource is know as authorization.
Over the course of several decades, several models of access control systems have been developed. Chief among them is the Role-Based Access Control model (RBAC).
Role-Based Access Control
Role-Based Access Control (RBAC) is a widely used access control system whereby roles are created for a set of people, say along the lines of job functions. Permissions are then associated with these roles to access and perform actions on resources. The abstraction away from users to a higher-order “role” makes it easier to manage users when they join, leave or change departments etc.
RBAC has been particularly useful in scenarios where the concept of subject, roles, permission and objects existed beforehand and where policies have been modeled to reflect such a setup. RBAC can also be configured to implement Mandatory Access Control (MAC) and Discretionary Access Control (DAC) policies.
While RBAC has been around for a long time and has proven widely useful in actual real-life scenarios, it is not without limitations.
Foremost among the limitation is that RBAC policies are limited by the abstraction of roles and permission, leading to the inability to express fine- grained access control rules and policies. For example, a rule like “Allow doctor access to patient records if the doctor is assigned as caregiver to the patient or if the doctor is working in the ER” is hard to express and enforce purely using RBAC.
Another limitation is the phenomenon of “role explosion” whereby a large number of roles need to be created to enforce rules that need finer granularity than that provided by role, roles being inherently assigned to operations and data types.
In order to provide finer grained access control capabilities that can utilize contextual information better than that possible in RBAC, Attribute Based Access Control has been proposed (ABAC).
Attribute-Based Access Control
Attributes are sets of labels or properties that describe all aspects of entities that must be considered during the authorization process. ABAC uses attributes as building blocks in a structured language that can be used to define access control rules and to describe access requests.
Examples of attributes include the username of the user, their clearance, role, and location etc., classification of the object/resource, its status, type etc., time of the day, etc.
eXtensible Access Control Markup Language (XACML) is one of the most prominent ABAC systems: in the following blog posts we will look into the details of XACML.