How to store rights? alternatives to XACML

For a proof of concept I want to store rights. I know there are different ways of access control (DAC, MAC, RBAC, ..). My first idea was using a database, but I'm looking for some more established standards like XACML but unfortunately I have not been able to find some real alternatives. Thanks for any tips!

btzs asked Oct 27 '14 18:10

1 Answer

First, take a step back and look at comparable items.

In access control you have different models that have come up with time. Historically you first had DAC and MAC. You had the notion of access control lists (also known as identity-based access control or IBAC).

Then suddenly, the sole identity of a user was no longer enough. We started to organize users into roles and groups. That led to the creation of RBAC or role-based access control which NIST formalized into a standard.

Fast forward 10+ years and roles are not enough anymore. ACLs and RBAC are too user-centric. They do not cater for context or relationships. They are not fine-grained enough. A new model called ABAC or attribute-based access control emerges. NIST is also in the process of standardizing ABAC. ABAC is capable of implementing any type of access control requirement and can cater for user, resource, action, and context attributes.

You can read more on ABAC here.

So, what about XACML? XACML - the eXtensible Access Control Markup Language - is an implementation of the ABAC model. It is the most widely spread implementation of ABAC. You ask whether there are alternatives. Some that come to mind include:

  • SecPal: this is (was?) a Microsoft research initiative. To the best of my knowledge, it is not used outside research.
  • Permis is a policy-based access control model. It is not widely spread either.
  • Microsoft has its own language for Windows Server called SDDL. You can read more on that from Microsoft.

In practice though, most ABAC implementations I have seen use XACML or a mix of home-grown code + RBAC. Needless to say, the latter doesn't really scale well and is hard to maintain.

If you want to learn more, check out the following resources:

  • my own personal blog
  • my personal SlideShare
David Brossard answered Oct 06 '22 13:10

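To make the RBAC-versus-ABAC point in the answer above concrete, here is an added example (not part of the original answer, and not code from any XACML product) of a tiny policy decision point written in the shape XACML uses: rules with a target and a condition, Permit/Deny effects, and a deny-overrides combining algorithm over subject, resource, action and environment attributes. The hospital policy, attribute names and requests are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# A request is grouped by attribute category, mirroring an XACML request:
# subject, resource, action and environment.
Request = Dict[str, Dict[str, object]]

@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Request], bool]             # cheap applicability test
    condition: Callable[[Request], bool] = lambda r: True  # fine-grained predicate

@dataclass
class Policy:
    rules: List[Rule]                             # combined with deny-overrides

def evaluate(policy: Policy, req: Request) -> str:
    """Return Permit, Deny or NotApplicable. A rule whose target or condition
    does not hold contributes nothing; any Deny wins over any Permit."""
    effects = [r.effect for r in policy.rules if r.target(req) and r.condition(req)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"   # a PEP should treat this as deny-by-default

# Constructed policy: a doctor may view records of patients in their own
# department during working hours; sealed records are never viewable.
# The department match and the hour check are exactly what plain RBAC cannot say.
PATIENT_RECORD_POLICY = Policy(rules=[
    Rule("Permit",
         target=lambda r: r["subject"]["role"] == "doctor"
                          and r["resource"]["type"] == "medical-record"
                          and r["action"]["id"] == "view",
         condition=lambda r: r["subject"]["department"] == r["resource"]["department"]
                             and 8 <= r["environment"]["hour"] < 18),
    Rule("Deny",
         target=lambda r: r["resource"]["type"] == "medical-record"
                          and bool(r["resource"].get("sealed", False))),
])

def decide(role: str, dept: str, res_dept: str, action: str = "view",
           hour: int = 10, sealed: bool = False) -> str:
    """Build a constructed request for the sample scenario and evaluate it."""
    req: Request = {"subject": {"role": role, "department": dept},
                    "resource": {"type": "medical-record", "department": res_dept,
                                 "sealed": sealed},
                    "action": {"id": action},
                    "environment": {"hour": hour}}
    return evaluate(PATIENT_RECORD_POLICY, req)
```

Calling `decide("doctor", "cardiology", "cardiology")` yields Permit, the same doctor against an "oncology" record or at hour 22 yields NotApplicable, and a sealed record yields Deny even though the Permit rule also matched.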