author: mo khan <mo@mokhan.ca> 2025-03-24 12:36:04 -0600
committer: mo khan <mo@mokhan.ca> 2025-03-24 12:36:04 -0600
commit: c866f5e8fe3d3d5fd311711bfc07d23ecfec3cd1
tree: dff8a8d9de5b5a2976b11350fee827de2e444281 /doc/share/authz/ABAC.md
parent: 28c2dbec1f9c5dcb741eb564de919ab32a631fc6
docs: add weaknesses of ABAC
Diffstat (limited to 'doc/share/authz/ABAC.md')
-rw-r--r-- doc/share/authz/ABAC.md 8
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/share/authz/ABAC.md b/doc/share/authz/ABAC.md
index ed6e4ad..791fdef 100644
--- a/doc/share/authz/ABAC.md
+++ b/doc/share/authz/ABAC.md
@@ -38,6 +38,14 @@ The range of an attribute is bounded or not:
* Infinite Domain Attribute: Range of this attribute type is a countably
infinite set of attribute values.
+## Weaknesses
+
+It is often claimed that attributes can express relationships, and indeed this
+is trivial for direct relationships. However, the use of indirect relations,
+also called multilevel or composite relations, is fundamental to ReBAC. It is
+hard to see how ABAC can express long chains of relationships. It has been
+suggested that ReBAC emerged to overcome this shortcoming of attributes.
+
## See Also
* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5]
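Review bot: The new Weaknesses paragraph attributes its two main claims to unnamed sources ("It is often claimed that attributes can express relationships" and "It has been suggested that ReBAC emerged to overcome this shortcoming") without a citation. If they come from the paper linked as [5] under See Also, cite it inline at those sentences so a reader can check them. The paragraph also switches between "relationships" and "relations" for what reads as the same concept, and uses ReBAC without expanding it in the added lines; pick one term and expand or link ReBAC at first use in this section. The sentence "It is hard to see how ABAC can express long chains of relationships" would be stronger with one short example of an indirect relation and a statement of what is lost when it is flattened into attributes.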