OASIS Mailing List Archives

 



xacml message



Subject: Re: [xacml] US NIST 1800-3 ABAC


Steven-- exactly right. I call ABAC with externalization "PBAC" just to make that distinction. Others say "fine grained" vs "coarse grained", though that is more directly related to whether there is resource attribute tagging at the data object level. Still, the two things--object-level resource tagging and externalization of access logic--tend to be related because they are both heavy lifts relative to implementing access control at the whole-resource level with a few simple rules. Once an organization commits to fine-grained access control, they commit to object-level tagging. At that point, since more access logic will be needed to exploit object-level tagging, it makes sense to centralize (externalize) it in a PDP.

Martin




> On Oct 4, 2015, at 10:34 PM, Steven Legg <steven.legg@viewds.com> wrote:
> 
> 
> Hi John,
> 
>> On 3/10/2015 6:21 AM, John Tolbert wrote:
>> Hello,
>> 
>> NIST is releasing a practice guide for ABAC.  It features XACML prominently.  The call for comments is open until Dec. 4, 2015.  Perhaps we should discuss on our next call and determine if we have any collective comments for them.
>> 
>> https://nccoe.nist.gov/projects/building_blocks/attribute_based_access_control
> 
> I notice that SP 1800-3b treats ABAC and externalized authorization as synonymous
> (see 3.2 and 5.4.5). XACML is about both, but it isn't necessarily so in general.
> One can implement ABAC without externalized authorization and one can implement
> externalized authorization without using ABAC.
> 
> Some of the claimed benefits of ABAC over RBAC are actually benefits of externalized
> authorization over internal, per-application authorization.
> 
> Regards,
> Steven

