Diffstat (limited to 'doc/share/authz/ABAC.md')
| -rw-r--r-- | doc/share/authz/ABAC.md | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/doc/share/authz/ABAC.md b/doc/share/authz/ABAC.md deleted file mode 100644 index 791fdeff..00000000 --- a/doc/share/authz/ABAC.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Attribute-Based Access Control (ABAC) - -> Attribute-based access control (ABAC) is considered one of th emost generalized -> forms of access control as it can capture the salient features of discretionary -> access (DAC), mandatory access control (MAC) and role-based access control -> (RBAC) using appropriate attributes such as access control lists, security -> labels and roles respectively. [5] - -ABAC has been studied for a long time and many different formal models have been -proposed. - -ABAC is a logical access control model that is distinguishable because it -controls access to objects by evaluating rules against the attributes of -entities (subject and object), operations, and the environment relevant to a -request. - -As new subjects join the organization, rules and objects do not need to be -modified. As long as the subject is assigned the attributes necessary for access -to the required objects, no modifications to existing rules or object attributes -are required. - -There can be three types of attributes: - -1. Atomic-values or single valued attribute: -1. Set-valued or multi-valued attribute: -1. Structured Attribute: - -Attributes can be either: - -* Entity Attribute: a thing that can be distinctly identified. -* Non-entity Attribute: whose range is not defined on the set of entities in the - system. - -The range of an attribute is bounded or not: - -* Finite Domain Attribute: Range of this attribute type is a finite set of - attribute value. -* Infinite Domain Attribute: Range of this attribute type is a countably - infinite set of attribute values. - -## Weaknesses - -It is often claimed that attributes can express relationships, and indeed this -is trivial for direct relationships. However, the use of indirect relations, -also called multilevel or composite relations, is fundamental to ReBAC. It is -hard to see how ABAC can express long chains of relationships. 
It has been -suggested that ReBAC emerged to overcome this shortcoming of attributes. - -## See Also - -* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5] -* [A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences][6] -* [Guide to Attribute Based Access Control (ABAC) Definition and Considerations][7] - -[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828 -[6]: https://dl.acm.org/doi/pdf/10.1145/3532105.3535014 -[7]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf |
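Review bot: The hunk deletes doc/share/authz/ABAC.md outright, with no pointer to where the material now lives and no reason given in the visible change; the removed text cross-references ReBAC in its Weaknesses section and defines reference links [5], [6] and [7], so any sibling document or index under doc/share/authz that links to ABAC.md or reuses those reference numbers will now dangle. Suggest either moving the content to its new location in the same commit or updating the neighbouring documents' links, and stating the motivation for the removal in the commit message.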
