path: root/doc/share/authz/ABAC.md
blob: 791fdeffedd7b4c3dd40b3765822229ff5624db9 (plain)
# Attribute-Based Access Control (ABAC)

> Attribute-based access control (ABAC) is considered one of the most generalized
> forms of access control as it can capture the salient features of discretionary
> access (DAC), mandatory access control (MAC) and role-based access control
> (RBAC) using appropriate attributes such as access control lists, security
> labels and roles respectively. [5]

ABAC has been studied for a long time and many different formal models have been
proposed.

ABAC is a logical access control model distinguished by the way it makes
decisions: access to an object is granted or denied by evaluating rules against
the attributes of the entities involved (subject and object), the requested
operation, and the environment relevant to the request.

As new subjects join the organization, rules and objects do not need to be
modified. As long as the subject is assigned the attributes necessary for access
to the required objects, no modifications to existing rules or object attributes
are required.
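The following is an added illustration, not code from the page or its cited sources: a minimal deny-by-default ABAC evaluator whose rules read subject, object, operation and environment attributes, using both atomic-valued (`clearance`) and set-valued (`departments`) attributes. All subjects, objects, attribute names and values are constructed for the example; note that onboarding a new subject (`bob`) only means assigning attributes, the rule list is untouched.

```python
from dataclasses import dataclass
from typing import Callable

# Attribute maps: atomic-valued attributes hold one value, set-valued ones a frozenset.
Attrs = dict[str, object]


@dataclass
class Request:
    subject: Attrs
    obj: Attrs
    action: str
    env: Attrs


# A rule is a predicate over the whole request; a policy is a list of rules.
Rule = Callable[[Request], bool]

# Constructed ordering for the atomic-valued 'clearance' / 'label' attributes.
LEVELS = ("public", "internal", "confidential")


def clearance_dominates(r: Request) -> bool:
    """MAC-like rule: the subject's clearance must reach the object's label."""
    return LEVELS.index(r.subject["clearance"]) >= LEVELS.index(r.obj["label"])


def department_matches(r: Request) -> bool:
    """Set-valued attributes: the subject must share a department with the object."""
    return bool(r.subject["departments"] & r.obj["departments"])


def business_hours_for_write(r: Request) -> bool:
    """Environment attribute: writes are only permitted between 09:00 and 17:00."""
    return r.action != "write" or 9 <= r.env["hour"] < 17


POLICY: list[Rule] = [clearance_dominates, department_matches, business_hours_for_write]

# Constructed object: a confidential report owned by the finance department.
REPORT: Attrs = {"label": "confidential", "departments": frozenset({"finance"})}


def decide(req: Request, policy: list[Rule] = POLICY) -> bool:
    """Deny by default: every rule in the policy must hold for access to be granted."""
    return all(rule(req) for rule in policy)


def example_decisions() -> dict[str, bool]:
    """Constructed subjects; 'bob' is newly added and needs attributes only, no rule edits."""
    alice = {"clearance": "confidential", "departments": frozenset({"finance", "audit"})}
    bob = {"clearance": "internal", "departments": frozenset({"finance"})}
    return {
        "alice_read": decide(Request(alice, REPORT, "read", {"hour": 10})),
        "alice_write_after_hours": decide(Request(alice, REPORT, "write", {"hour": 20})),
        "bob_read": decide(Request(bob, REPORT, "read", {"hour": 10})),
    }
```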

There can be three types of attributes:

1. Atomic-valued or single-valued attribute:
1. Set-valued or multi-valued attribute:
1. Structured attribute:

Attributes can be either:

* Entity Attribute: one whose range is a set of entities, that is, things in the
  system that can be distinctly identified.
* Non-entity Attribute: one whose range is not defined on the set of entities in
  the system.

Depending on whether its range is bounded, an attribute is either:

* Finite Domain Attribute: the range of this attribute type is a finite set of
  attribute values.
* Infinite Domain Attribute: the range of this attribute type is a countably
  infinite set of attribute values.

## Weaknesses

It is often claimed that attributes can express relationships, and indeed this
is trivial for direct relationships. However, the use of indirect relations,
also called multilevel or composite relations, is fundamental to ReBAC, and it
is hard to see how ABAC can express long chains of relationships. It has been
suggested that ReBAC emerged precisely to overcome this shortcoming of
attributes.

## See Also

* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5]
* [A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences][6]
* [Guide to Attribute Based Access Control (ABAC) Definition and Considerations][7]

[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828
[6]: https://dl.acm.org/doi/pdf/10.1145/3532105.3535014
[7]: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-162.pdf