| author | mo khan <mo@mokhan.ca> | 2025-03-17 14:45:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-17 14:45:41 -0600 |
| commit | 94d084a51172b7e3851779e9e052435084d4abfe (patch) | |
| tree | 2af690135fe184c34dedec7f34447fb12092ed40 /doc/share/authz/ABAC.md | |
| parent | f9168083b787118af5577015a3c7f9efa63c8e80 (diff) | |
docs: add notes on ABAC and weakness of RBAC
Diffstat (limited to 'doc/share/authz/ABAC.md')
| -rw-r--r-- | doc/share/authz/ABAC.md | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/share/authz/ABAC.md b/doc/share/authz/ABAC.md index bfe1404..ed6e4ad 100644 --- a/doc/share/authz/ABAC.md +++ b/doc/share/authz/ABAC.md @@ -6,10 +6,44 @@ > (RBAC) using appropriate attributes such as access control lists, security > labels and roles respectively. [5] +ABAC has been studied for a long time and many different formal models have been +proposed. + +ABAC is a logical access control model that is distinguishable because it +controls access to objects by evaluating rules against the attributes of +entities (subject and object), operations, and the environment relevant to a +request. + +As new subjects join the organization, rules and objects do not need to be +modified. As long as the subject is assigned the attributes necessary for access +to the required objects, no modifications to existing rules or object attributes +are required. + +There can be three types of attributes: + +1. Atomic-values or single valued attribute: +1. Set-valued or multi-valued attribute: +1. Structured Attribute: + +Attributes can be either: + +* Entity Attribute: a thing that can be distinctly identified. +* Non-entity Attribute: whose range is not defined on the set of entities in the + system. + +The range of an attribute is bounded or not: + +* Finite Domain Attribute: Range of this attribute type is a finite set of + attribute value. +* Infinite Domain Attribute: Range of this attribute type is a countably + infinite set of attribute values. + ## See Also * [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5] * [A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences][6] +* [Guide to Attribute Based Access Control (ABAC) Definition and Considerations][7] [5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828 [6]: https://dl.acm.org/doi/pdf/10.1145/3532105.3535014 +[7]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf |
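Review bot: the numbered list of attribute types in this hunk is left unfinished: "1. Atomic-values or single valued attribute:", "1. Set-valued or multi-valued attribute:" and "1. Structured Attribute:" each end in a colon with no description after it, so a reader cannot tell the three kinds apart; either add a one-line definition after each colon or drop the colons, and change "Atomic-values" to "Atomic-valued" to parallel "Set-valued". The bullet "Entity Attribute: a thing that can be distinctly identified" defines an entity rather than an entity attribute; to mirror the "Non-entity Attribute" bullet it should say that its range is defined on the set of entities in the system. Smaller wording points: "The range of an attribute is bounded or not:" reads awkwardly (e.g. "An attribute's range is either finite or infinite:"), and "a finite set of attribute value" should be "values". Finally, the two new opening paragraphs ("ABAC is a logical access control model ..." and "As new subjects join the organization ...") read as quoted definitions, and the existing note already cites its block quote inline with [5]; the hunk adds [7] (NIST SP 800-162) to See Also but never cites it in the body, so if those paragraphs are drawn from it they should carry a [7] marker in the same style.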
