Diffstat (limited to 'doc/share')
| -rw-r--r-- | doc/share/authz/ABAC.md | 8 |
| -rw-r--r-- | doc/share/authz/POLICY.md | 9 |
2 files changed, 15 insertions, 2 deletions
diff --git a/doc/share/authz/ABAC.md b/doc/share/authz/ABAC.md index ed6e4ada..791fdeff 100644 --- a/doc/share/authz/ABAC.md +++ b/doc/share/authz/ABAC.md @@ -38,6 +38,14 @@ The range of an attribute is bounded or not: * Infinite Domain Attribute: Range of this attribute type is a countably infinite set of attribute values. +## Weaknesses + +It is often claimed that attributes can express relationships, and indeed this +is trivial for direct relationships. However, the use of indirect relations, +also called multilevel or composite relations, is fundamental to ReBAC. It is +hard to see how ABAC can express long chains of relationships. It has been +suggested that ReBAC emerged to overcome this shortcoming of attributes. + ## See Also * [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5] diff --git a/doc/share/authz/POLICY.md b/doc/share/authz/POLICY.md index 4e809bb0..2511d670 100644 --- a/doc/share/authz/POLICY.md +++ b/doc/share/authz/POLICY.md @@ -20,8 +20,6 @@ authorized to perform an action against a resource. end ``` -* [Zanzibar](./ZANZIBAR.md) - ## Policy Language A policy language facilitates: @@ -29,6 +27,8 @@ A policy language facilitates: 1. the specification of composite policies, which in turn forms the basis of trust delegation. 1. **the static analysis of policies and system configuration.** + + ## Security Context/Scope 1. Single resource @@ -59,3 +59,8 @@ end ``` [Social Network Graph](./sns.dot.png) + +## See Also + +* [Zanzibar](./ZANZIBAR.md) +* [Dafny](https://dafny.org) |
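Review bot: The new "Weaknesses" section in doc/share/authz/ABAC.md (hunk at -38,6 +38,14) rests on two unattributed claims, "It is often claimed that attributes can express relationships" and "It has been suggested that ReBAC emerged to overcome this shortcoming", and neither names a source. The See Also entry directly below the section, reference [5] on comparing attribute-based and relationship-based access control, looks like the natural citation, so link it inline at those sentences or name whoever makes the claim. The paragraph also switches between "relationships" and "relations" for what reads as the same concept; pick one term. "It is hard to see how ABAC can express long chains of relationships" would be stronger with one concrete indirect relation spelled out, so the reader can see what an attribute-only policy would have to encode.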
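Review bot: In doc/share/authz/POLICY.md, the hunk at -29,6 +27,8 adds only two empty lines after the bolded list item "the static analysis of policies and system configuration." and before "## Security Context/Scope". This is a whitespace-only change with no visible purpose, and it leaves extra consecutive blank lines ahead of the heading. If these lines are a placeholder for text on static analysis (the same commit adds a Dafny link under See Also), write that sentence here; otherwise drop the two lines from the commit.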
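Review bot: The new "See Also" list at the end of doc/share/authz/POLICY.md (hunk at -59,3 +59,8) adds "[Dafny](https://dafny.org)" with no indication of why it is relevant to this page. The only nearby hook is the bolded "static analysis of policies" item earlier in the file, and a reader has to guess that connection. Add a short qualifier after the link saying what Dafny is being referenced for, and do the same for the relocated Zanzibar entry so both bullets read consistently. Style point: this list uses inline links, while the See Also list in ABAC.md uses reference-style links such as "[...][5]"; consider using one convention across the authz docs.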
