That's a good point. I always equate ABAC to PBAC but in fact multiple systems can have policies without being entirely attribute-based. Some examples: SDDL, Ruby CanCanCan, and more. All these could be easily expressed using a more generic language e.g. ALFA or XACML.
On Jan 24, 2017 7:27 AM, "Natale, Bob" <RNATALE@mitre.org> wrote:
Has the group ruled out inclusion of PBAC as a fourth access control model? (I would argue for its inclusion, but am not an active contributor to the group.)
Also, I hope the group maintains the distinction between access control and authorization. This distinction is somewhat evident in Andrew’s original “taxonomy” below (but I’m not sure it’s Venn’d completely right there … but I have not considered it thoroughly (hence the “not sure” caveat)).
Avanti,
BobN
*From:* dg-idpro-bounces@kantarainitiative.org [mailto:dg-idpro-bounces@kantarainitiative.org] *On Behalf Of* David Brossard
*Sent:* Monday, January 23, 2017 5:41 PM
*To:* Andrew Hughes <andrewhughes3000@gmail.com>
*Cc:* dg-idpro@kantarainitiative.org
*Subject:* Re: [DG-IDPro] BoK: Authorization taxonomy
It looks like we would want to have 3 main models:
- ACL (IBAC?)
- RBAC
- ABAC
And for each model define implementations and approaches. Pros and cons. For instance RBAC suffers from role explosion BUT is very mature and widely adopted. ABAC is probably the future but still in its infancy?
OWASP has already done a lot of work on authorization that we could possibly point to or mirror?
On Mon, Jan 23, 2017 at 11:38 PM, Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Ah - ok - something like scenarios?
Any other feedback from the list on the authentication or authorization taxonomies?
andrew.
*Andrew Hughes* CISM CISSP Independent Consultant *In Turn Information Management Consulting*
o +1 650.209.7542 m +1 250.888.9474
1249 Palmer Road, Victoria, BC V8P 2H8 AndrewHughes3000@gmail.com ca.linkedin.com/pub/andrew-hughes/a/58/682/ *Identity Management | IT Governance | Information Security*
On Mon, Jan 23, 2017 at 12:07 PM, Ken Dagg <kendaggtbs@gmail.com> wrote:
By the way, what I mean by implementation is where someone has implemented an authorization model. For example, where someone has a RBAC implementation it would be nice to know what they did and what they learned from the implementation.
Ken
On Mon, Jan 23, 2017 at 2:31 PM Ken Dagg <kendaggtbs@gmail.com> wrote:
There could be one sub-heading in the Implementation sub-section for each implementation. Sub-sections in each implementation could be a description of the implementation and lessons learned (positive and negative) from the implementation. I believe that this type of information would be valuable for IdPros to know because it provides real-life examples of what has and has not worked.
Ken
On Mon, Jan 23, 2017 at 2:01 PM Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Hmmm... I'm not sure I follow on the 'implementations' idea...
Could you give some example sub-headings?
What kinds of practices should ID Pros know about? What facts/knowledge should they have?
andrew.
On Mon, Jan 23, 2017 at 10:58 AM, Ken Dagg <kendaggtbs@gmail.com> wrote:
Andrew,
Great work!
Suggestions:
- Would the Considerations section be better as a sub-section under Authorization Models? I believe that each model should have considerations.
- Should there be an Implementations sub-section that identifies where Authorization models have been implemented? This could include lessons learned.
Ken
On Mon, Jan 23, 2017 at 11:58 AM Andrew Hughes <andrewhughes3000@gmail.com> wrote:
Hi folks, here's my imperfect taxonomy for 'areas related to authorization and access control that an ID Pro should know about'.
Please help to put the items in the right spots and correct errors!
- Authorization
  - Authorization policy evaluation
    - Proofs of assertion (tokens, tickets, cookies, cryptographic methods)
      - Bearer methods v proof of possession methods
    - Access control policy, authorization policy
    - Static evaluation, dynamic evaluation
    - Is there an ‘authorization equation’ for policy evaluation?
      - e.g. Given an identified entity and a requested resource, select the correctly-scoped authorization policy, evaluate the policy, grant || deny || require trust elevation for the resource access, log the events
  - Relationship to Identification, Authentication, Access Control
    - The characteristics of each
    - The 'cross-over' aspects of each (e.g. OAuth-style authentication via proof of resource access - is this related to an ‘authorization equation’ approach?)
  - Authorization models, processes, protocols
    - SAML, OAuth, UMA
    - Directories, decentralized models
    - Access control models
      - RBAC
      - ABAC
    - Trust Elevation (e.g. re-authentication, step-up authentication, claims gathering)
  - Considerations for choosing specific models, protocols
    - Risk
    - Authorization model matching to credential characteristics, identification method, available authenticators
    - Centralized v decentralized
    - Degree of independence of authorization policy decision v access control decision
_______________________________________________
DG-IDPro mailing list
DG-IDPro@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-idpro
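The ‘authorization equation’ sketched in the taxonomy above, as an added example that is not part of the thread: a small Python decision function that selects the policy scoped to the requested resource, evaluates an attribute condition (ABAC style), returns grant, deny or require-trust-elevation, and logs the event. The policy set, the subject attributes and the level-of-assurance field are constructed for illustration.

```python
import logging
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("authz")
GRANT, DENY, ELEVATE = "grant", "deny", "require_trust_elevation"  # the three outcomes

@dataclass
class Policy:
    scope: str                        # resource path prefix this policy governs
    rule: Callable[[dict], bool]      # ABAC condition over the subject's attributes
    min_loa: int = 1                  # assurance level a session needs for a grant

@dataclass
class Subject:
    id: str
    attrs: dict                       # constructed attributes, e.g. dept, role
    loa: int                          # level of assurance of the current session

# Constructed policy set (hypothetical). The most specific scope wins; "/" is the
# catch-all default deny so an unscoped resource never falls through to a grant.
POLICIES = [
    Policy("/", lambda a: False),
    Policy("/reports", lambda a: a.get("dept") == "finance"),
    Policy("/reports/payroll",
           lambda a: a.get("dept") == "finance" and a.get("role") == "manager",
           min_loa=2),
]

def select_policy(resource: str, policies=POLICIES) -> Policy:
    """Step 1: pick the policy whose scope is the longest prefix of the resource."""
    matches = [p for p in policies
               if resource == p.scope or resource.startswith(p.scope.rstrip("/") + "/")]
    return max(matches, key=lambda p: len(p.scope))

def authorize(subject: Subject, resource: str, policies=POLICIES) -> str:
    """Steps 2-4: evaluate the policy, decide grant/deny/elevate, log the event."""
    policy = select_policy(resource, policies)
    if not policy.rule(subject.attrs):
        decision = DENY
    elif subject.loa < policy.min_loa:
        decision = ELEVATE            # policy would permit, but the session needs step-up
    else:
        decision = GRANT
    log.info("subject=%s resource=%s policy=%s decision=%s",
             subject.id, resource, policy.scope, decision)
    return decision
```

Resources are assumed to be absolute paths; the separate trust-elevation outcome keeps the policy decision independent of the step-up mechanism, which is one of the considerations listed above.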
--
Kenneth Dagg
Independent Consultant
Identification and Authentication
613-825-2091
kendaggtbs@gmail.com
--
David Brossard VP of Customer Relations
+1 312 774-9163
+1 502 922 6538
+46(0)760 25 85 75 Axiomatics 525 W. Monroe Suite 2310 Chicago 60661
Support: https://support.axiomatics.com Web: http://www.axiomatics.com
Axiomatics Blog <http://www.axiomatics.com/blog/> | Events <http://www.axiomatics.com/events.html> | Resources, Webinars & Whitepapers <http://www.axiomatics.com/resources.html>
Connect with us on LinkedIn <http://www.linkedin.com/companies/536082> | Twitter <http://twitter.com/axiomatics> | Google + <https://plus.google.com/u/1/b/101496487994084529291/> | Facebook <https://www.facebook.com/axiomatics> | YouTube <http://www.youtube.com/user/axiomaticsab>