Subject: RE: [xacml] paper on applying role based access control

The paper that I cited is:


curiously it is not referenced at NIST's RBAC page:


However I see that they have something they call a "draft standard" by the
same people at:

http://csrc.nist.gov/rbac/RBAC-std-draft.doc (I wonder if the switch to Word
is significant.)

Although it is described as "new" the paper is dated December 18, 2000. I
have not read this document carefully yet, but it clearly builds on the one
cited previously. It is not, however, a standard in the normal sense of the
word. There is a reference model and a set of detailed requirements, but
there are no data formats, protocols or APIs. I see nothing here that could
be tested for conformance. I see no possibility that 2 vendors could take a
document covering these topics and achieve any sort of interoperability or
portability (which is after all the purpose of a standard.)

I think these people are doing useful work to try to concretely specify an
area of access control which up until recently had been very vague and
subject to many interpretations. However, NIST's enthusiasm for RBAC seems
difficult to understand and in spots, intellectually dishonest. 

For example, they feature a widely touted study that claims to quantify the
Administrative Cost savings from RBAC, but the paper was published in 1997
and since then they have changed their definitions of what RBAC is! More
importantly, the "study" is a completely paper calculation that compares
something like simple Groups to managing a large set of users as
individuals. This is absurd. No one does this. As they note, this kind of
technology has been around for over 25 years.

I think the many different features that NIST subsumes under the term RBAC
are quite useful, but constitute only one piece in the Access Control puzzle.
NIST seems to believe that RBAC solves all problems short of World Peace.

As far as best practices, in my opinion, some of their ideas are not even
feasible to implement (in large scale, federated environments) much less
best practices.


> -----Original Message-----
> From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
> Sent: Thursday, October 18, 2001 4:48 PM
> To: 'xacml@lists.oasis-open.org'
> Subject: [xacml] paper on applying role based access control
> Somebody recommended a paper on the topic and
> posted a pointer to the list. I looked for it, but couldn't find it.
> I will be grateful if you could post the pointer again.
> If you know of other (good) papers on the topic, it will be great
> if you can post those pointers too.
> I am hoping that these papers will suggest some "best practices"
> that can be applied on our policy model/expression language to ensure
> good "usability."
> Regards,
> -Suresh
