Yesterday, I delivered the keynote at a federated attribute-based access control (ABAC) symposium. For those of you keeping score at home, this is the 3rd of the *BAC approaches for authorizing individuals. The 1st *BAC, IBAC – identity-based access control – was essentially so trivial that it never got any good marketing*. The 2nd, RBAC – role-based access control – was so popular that it got its own site at NIST.
The idea behind ABAC is that a policy decision point (PDP), using a set of evaluation criteria, examines the attributes that a digital persona presents. The PDP decides whether, given that set of attributes, the persona is authorized to perform the requested action. (I’m using persona here, but keep in mind that this could be a device or a service asking to do something and not strictly a person-like object.) This style of architecture also allows the PDP to consider context, such as time of day, authentication time, transaction value, and so on. Just in case you think you’ve seen this before under a different name: fine-grained authorization systems can perform ABAC, and depending on whom you talk to, people will freely swap between the two terms. (This is damn confusing, btw.)
I heard something at this symposium that bothered me. Participants swept under the rug the relationships between the individual, their home organization, and the relying parties. Instead, I heard people saying, “Well, as long as the attributes are good, that’s all I care about.” This reminded me of the following blog post I read.
True, a relationship can be represented as an attribute, but the two are different things. A relying party that only asks “what does this attribute mean?” and never asks “who asserted it, and what is my relationship with them?” has lost the identity forest for the trees. Focusing solely on relationships won’t enable you to write meaningful authorization policies either. You’ve got to consider both attributes and relationships.
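To make the point concrete, here is a toy PDP written for this post (it is an added example, not code from the symposium or from any product). It evaluates attributes and context the way the ABAC description above calls for, but it first applies the relying party’s relationships: only attributes asserted by the persona’s home organization, and only those the relying party trusts that organization to assert, survive into policy evaluation. The organization names, the `approve_wire` action, the limits and the sample request are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical names throughout (acme.example, partner.example, approve_wire);
# constructed for illustration, not taken from the post or the symposium.

@dataclass(frozen=True)
class Attribute:
    name: str
    value: object
    asserted_by: str        # the home organization vouching for this attribute

@dataclass(frozen=True)
class Request:
    subject: str
    home_org: str           # the persona's home organization
    attributes: tuple       # Attribute instances the persona presents
    action: str
    context: dict           # time, transaction value, authentication strength, ...

# The relying party's relationships: which home organizations it federates with,
# and which attributes each is trusted to assert. Constructed sample data.
TRUSTED_ASSERTERS = {
    "acme.example": {"role", "clearance"},
    "partner.example": {"role"},     # partner may assert role, but not clearance
}

def trusted_attributes(req):
    """Discard any attribute the relying party has no relationship to believe.

    An attribute counts only if it is asserted by the persona's own home org
    and that org is trusted to assert that particular attribute.
    """
    allowed = TRUSTED_ASSERTERS.get(req.home_org, set())
    return {a.name: a.value for a in req.attributes
            if a.asserted_by == req.home_org and a.name in allowed}

def policy_approve_wire(attrs, ctx):
    """Evaluation criteria for one action: attributes plus context."""
    if attrs.get("role") != "treasury":
        return False, "role is not treasury"
    if ctx.get("auth_strength", 0) < 2:
        return False, "multi-factor authentication required"
    if not 8 <= ctx["time"].hour < 18:
        return False, "outside business hours"
    # A trusted 'senior' clearance raises the per-transaction limit.
    limit = 50_000 if attrs.get("clearance") == "senior" else 10_000
    if ctx.get("amount", 0) > limit:
        return False, f"amount exceeds limit {limit}"
    return True, "all conditions satisfied"

POLICIES = {"approve_wire": policy_approve_wire}

def decide(req):
    """The PDP: relationship check first, then attribute/context policy. Default deny."""
    if req.home_org not in TRUSTED_ASSERTERS:
        return False, f"no federation relationship with {req.home_org}"
    policy = POLICIES.get(req.action)
    if policy is None:
        return False, f"no policy for action {req.action}"
    return policy(trusted_attributes(req), req.context)

def sample_request(home_org, amount, auth_strength=2, hour=10):
    """Build a constructed request whose attributes are asserted by the home org."""
    attrs = (Attribute("role", "treasury", home_org),
             Attribute("clearance", "senior", home_org))
    return Request("alice", home_org, attrs, "approve_wire",
                   {"time": datetime(2024, 5, 6, hour, 0), "amount": amount,
                    "auth_strength": auth_strength})

if __name__ == "__main__":
    # Same attributes, different relationships, different answers.
    for org in ("acme.example", "partner.example", "stranger.example"):
        print(org, decide(sample_request(org, 30_000)))
```

The three sample requests present identical attributes. The one from acme.example is approved; the one from partner.example is denied because the relying party does not trust that organization to assert clearance, so the lower limit applies; the one from an organization with no federation relationship never reaches the attribute policy at all. That is the difference between “the attributes are good” and “I have a reason to believe them.”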
For your reading pleasure, here’s the presentation I gave. It contains a sneak peek at Bob’s presentation on the emerging identity architecture. BTW, if you come to Catalyst next week, you’ll get to hear him deliver the complete version, which is something not to miss!
PS – I will not be giving out a prize for someone who comments that I didn’t mention ZBAC. That includes wise-ass Catalyst speakers… you know who you are.
* Yes, I know that’s a major over-simplification…