To prepare for my Catalyst roles and entitlement workshop, I thought it might be worthwhile to see how far the idea of something-based access controls (*-BAC) had progressed. It has been awhile since I have looked at role initiatives, although my inquiries tell me that interest in roles is still healthy. Roles have become an element of an identity and access governance initiative, and today are hardly spoken of in the abstract.
Roles are also high on the list of search terms, but there are some noteworthy contenders. Attributes are getting traction, policy is an up and comer, and even temporal-based access controls are getting attention. An intriguing approach to dynamically rewrite policy statements based on parameters is also emerging.
All of the continuing examination of methods to manage access is revealing. Clearly, we haven’t nailed down the right way to do this, and we may have to come to grips with the fact that there will be lots of ways. Maybe we should elevate the discussion to something called context or relationship based access control.
For any object, a set of conditions should be met to provide access such as time, attribute, role, etc. it seems we need a more flexible way to characterize all of the conditions that need to be met for access to be granted. Not attributes about the object itself but what you need to bring to the party to play.
One of the goals of entitlement management is to understand the conditions under which access should be granted. A lot of the focus in the *-BAC world is what attributes IT can provide to represent these conditions. It might make more sense to describe the conditions needed to characterize access. This will provide guidance for what techniques an organization needs to develop for to fill in the question of what type of *-BAC in needed, instead of going off on tangents to explore what kinds of *-BACs can be developed.
One of access control’s biggest challenges is that it has often been an academic exercise. Maybe we can move the discussion forward by thinking about what is needed, not just what is possible.