 

Resource Based Access Control vs Role Based Access Control

I am learning Apache Shiro, and I found this article:

The New RBAC: Resource-Based Access Control

And the author said:

.......you could assign behaviors (permissions) directly to a Role if you want. In this sense, you would still have a Role-Based Access Control security policy - it is just you would have an explicit RBAC policy instead of the traditional implicit strategy.

But that begs the question - why stop at roles? You can assign behaviors directly to users, or to groups, or to anything else your security policy might allow.

It seems that the author prefers to store the relationship between User and Permission directly instead of through a Role.

Though it seems this is simple and straightforward, I have some questions:

  1. Are there any essential differences between the two of them?

  2. The Database schema.

In a Role Based Access Control, normally we use three tables to describe the relationship:

user
role
user_role

Now if I use the Resource Based Access Control, what is the normal practice for building the tables?

hguser asked Aug 26 '13 00:08

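One way to lay out the tables the question asks about, as an added example that is not part of the original post and not Apache Shiro's own code: the three RBAC tables listed above plus a permission table that can be reached either through a role (role_permission) or directly per user (user_permission), with a check that matches permission strings in the style of Shiro's "domain:action:instance" wildcard convention. Table names, sample users and permission strings are constructed for the example.

```python
import sqlite3

# Constructed schema: the question's user / role / user_role tables, plus permissions
# that are attached either to a role or straight to a user (the "explicit" policy).
SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permission (id INTEGER PRIMARY KEY, expr TEXT UNIQUE NOT NULL);
CREATE TABLE user_role (user_id INTEGER, role_id INTEGER, PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permission (role_id INTEGER, permission_id INTEGER, PRIMARY KEY (role_id, permission_id));
CREATE TABLE user_permission (user_id INTEGER, permission_id INTEGER, PRIMARY KEY (user_id, permission_id));
"""
# Constructed sample data: alice holds the 'editor' role, bob is granted one permission directly.
SAMPLE = """
INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
INSERT INTO role VALUES (1, 'editor');
INSERT INTO permission VALUES (1, 'document:read,write:*'), (2, 'document:read:42');
INSERT INTO user_role VALUES (1, 1);
INSERT INTO role_permission VALUES (1, 1);
INSERT INTO user_permission VALUES (2, 2);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def permissions_for(conn, username):
    """Every permission string the user holds, via roles and via direct grants."""
    rows = conn.execute("""
        SELECT p.expr FROM permission p
          JOIN role_permission rp ON rp.permission_id = p.id
          JOIN user_role ur ON ur.role_id = rp.role_id
          JOIN user u ON u.id = ur.user_id WHERE u.name = ?
        UNION
        SELECT p.expr FROM permission p
          JOIN user_permission up ON up.permission_id = p.id
          JOIN user u ON u.id = up.user_id WHERE u.name = ?""", (username, username))
    return {r[0] for r in rows}

def implies(granted, required):
    """Wildcard match: parts split on ':', alternatives on ',', '*' matches any value.
    A shorter granted string implies everything beneath it ('printer:print' implies
    'printer:print:lp7200'); the reverse only holds if the extra granted parts are '*'."""
    g = [set(p.split(",")) for p in granted.lower().split(":")]
    r = [set(p.split(",")) for p in required.lower().split(":")]
    for i, rpart in enumerate(r):
        if i >= len(g):
            return True
        if "*" not in g[i] and not rpart <= g[i]:
            return False
    return all("*" in gpart for gpart in g[len(r):])

def is_permitted(conn, username, required):
    # Deny by default: an unknown user or an unmatched string yields False.
    return any(implies(g, required) for g in permissions_for(conn, username))
```

The point of the extra user_permission table is that the check stays the same whether a grant arrived through a role or directly, so adding direct grants does not change the enforcement code, only where the rows live.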


1 Answer

This is the first time I hear of resource-based access control.

I would be extremely careful in going down this path. In the world of authorization there are essentially 2 standards:

  • Role-based access control (RBAC) as standardized by NIST and implemented in thousands of apps and frameworks with support from the main vendors (CA, Oracle, IBM...)
  • Attribute-based access control (ABAC) as being standardized by NIST (also here) and equally well implemented by vendors such as IBM, Oracle, and Axiomatics which is where I work.

Resource-based access control seems to be a model invented by Stormpath and supported by them only. It may be good but it will only work with their environment.

Role-based and Attribute-based access control are well accepted paradigms supported by NIST and other standardization bodies such as OASIS (where SAML and XACML were defined 10 years ago and are still supported today).

The question to you is: why is role-based access control not enough for you? Do you have a role explosion issue? Is it not expressive enough? Do you need to implement relationships between users, resources, and context?

ABAC and XACML can let you do that. I posted a simple video a while back on YouTube that deals with attribute-based access control. Have a look.

The bottom line is that RBAC and ABAC are standards that work across multiple applications and layers. Resource-based access control is specific to Apache Shiro only.

David Brossard answered Oct 11 '22 14:10
