Subject: RE: [xacml] paper on applying role based access control
The paper that I cited is: http://www.list.gmu.edu/confrnc/rbac/pdf_ver/rbac-nist.pdf

Curiously, it is not referenced at NIST's RBAC page: http://csrc.nist.gov/rbac/

However, I see that they have something they call a "draft standard" by the same people at: http://csrc.nist.gov/rbac/RBAC-std-draft.doc (I wonder if the switch to Word is significant.) Although it is described as "new", the paper is dated December 18, 2000.

I have not read this document carefully yet, but it clearly builds on the one cited previously. It is not, however, a standard in the normal sense of the word. There is a reference model and a set of detailed requirements, but there are no data formats, protocols or APIs. I see nothing here that could be tested for conformance. I see no possibility that 2 vendors could take a document covering these topics and achieve any sort of interoperability or portability (which is, after all, the purpose of a standard.)

I think these people are doing useful work to try to concretely specify an area of access control which up until recently had been very vague and subject to many interpretations. However, NIST's enthusiasm for RBAC seems difficult to understand and, in spots, intellectually dishonest. For example, they feature a widely touted study that claims to quantify the Administrative Cost savings from RBAC, but the paper was published in 1997 and since then they have changed their definitions of what RBAC is! More importantly, the "study" is a completely paper calculation that compares something like simple Groups to managing a large set of users as individuals. This is absurd. No one does this. As they note, this kind of technology has been around for over 25 years.

I think the many different features that NIST subsumes under the term RBAC are quite useful, but constitute only one piece in the Access Control puzzle. NIST seems to believe that RBAC solves all problems short of World Peace.
As far as best practices, in my opinion, some of their ideas are not even feasible to implement (in large scale, federated environments), much less best practices.

Hal

> -----Original Message-----
> From: Damodaran, Suresh [mailto:Suresh_Damodaran@stercomm.com]
> Sent: Thursday, October 18, 2001 4:48 PM
> To: 'xacml@lists.oasis-open.org'
> Subject: [xacml] paper on applying role based access control
>
> Somebody recommended a paper on the topic and
> posted a pointer to the list. I looked for it, but couldn't find it.
> I will be grateful if you could post the pointer again.
> If you know of other (good) papers on the topic, it will be great
> if you can post those pointers too.
> I am hoping that these papers will suggest some "best practices"
> that can be applied on our policy model/expression language to ensure
> good "usability."
>
> Regards,
> -Suresh