Attribute-Based Access Control (ABAC)

Presentation 1

ABAC evaluates a set of rules and policies to manage access rights according to specific attributes, such as environmental, system, object (resource), or user (subject) information. It applies boolean logic to grant or deny access based on a combined evaluation of atomic or set-valued attributes and the relationships between them; the decision is made per request, at the time of the request.

In practical terms, this allows you to write rules in a policy language such as the eXtensible Access Control Markup Language (XACML), where attributes are expressed as key-value pairs like Role=Manager and Category=Financial and combined with conditions on the subject, resource, action, and environment.

Presentation 2

Access management systems where access is granted not on the basis of rights assigned to a user after authentication but on the basis of attributes.

The end user has to prove so-called claims about their attributes to the access control engine.

An attribute-based access control policy specifies which claims need to be satisfied to grant access to the resource.

For example, the claim may be that the user is older than 18, and any user who can prove this claim will be granted access.

In ABAC, it is not always necessary to authenticate or identify the user, only to establish that they hold the attribute. The claim itself must still be verifiable (for example, asserted by an issuer the policy trusts rather than typed in by the user), otherwise anyone can simply assert the attribute and the control is meaningless.

Presentation 3

Consider this example: a person who belongs to the R&D department, works on the secret Genetic Mutation project, and holds the role of super senior specialist or above must be able to access the website "GeneticResearch.com" only from office premises and only between 0900 and 1700 hours.

This sounds simple to implement, doesn't it? Yet if you try to configure it purely through rule-based or role-based access control, it becomes quite complex.

To solve such complex access problems we have the Attribute-Based Access Control model (ABAC). It generalizes the role-based model: a role is just one attribute among many. Attributes can be almost any characteristic of the user, the resource, the network, the devices on it, or the context of the request (location, time), and it is these attributes that the policy evaluates to reach a decision.

How would ABAC solve the above problem? You record the attributes of the person and then configure a single rule over them. The attributes that can be extracted from the problem are department (R&D), project (Genetic Mutation), role (Super Senior Specialist or above), location (office network), and time window (0900 to 1700). A person who carries these attributes, which can be added or removed at any point in time, is allowed to reach the website, and the enforcement point (here, the firewall) lets the request through. With roles or static rules alone, every combination of department, project, seniority, location, and time window would need its own role or its own rule, so the policy set grows combinatorially and becomes hard to maintain, while the decision itself still has to be returned immediately. A user will not wait an hour to learn whether they can access a website; the system must evaluate the request against the rules and attributes and answer at once.
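The policy from this example, together with the age claim from Presentation 2, written as a small policy decision point. This is an added illustration, not code from the page or from any ABAC product. It assumes (none of which the text states) that office premises are the 10.0.0.0/8 network, a specific ranking of specialist roles so that "super senior specialist and above" can be compared, and that the attribute values handed to the engine have already been verified by an upstream component.

```python
"""Minimal ABAC policy decision point (PDP) for the two examples above.

Added illustration; not from the original page. Assumptions (not in the text):
office premises = the 10.0.0.0/8 network, a seniority ranking for roles, and
attribute values that an upstream component has already verified.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Any, Callable, Dict, List
import ipaddress


# XACML groups attributes into four categories; a request carries all of them.
@dataclass
class Request:
    subject: Dict[str, Any]      # user attributes (department, role, age, ...)
    resource: Dict[str, Any]     # object attributes (host, classification, ...)
    action: str                  # e.g. "read"
    environment: Dict[str, Any]  # context attributes (source IP, time, ...)


@dataclass
class Rule:
    name: str
    target: Callable[[Request], bool]     # which requests the rule applies to
    condition: Callable[[Request], bool]  # boolean logic over the attributes
    effect: str                           # "Permit" or "Deny"


OFFICE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed office range


def from_office(source_ip: str) -> bool:
    """Environment attribute: does the request originate on office premises?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def within_business_hours(at: datetime) -> bool:
    """0900 to 1700: start inclusive, end exclusive (assumed reading of the text)."""
    return time(9, 0) <= at.time() < time(17, 0)


# Assumed ordering so "super senior specialist and above" can be compared.
SENIORITY = {"Specialist": 1, "Senior Specialist": 2,
             "Super Senior Specialist": 3, "Principal Specialist": 4}

GENETIC_RESEARCH = Rule(
    name="genetic-research-site",
    target=lambda r: r.resource.get("host") == "GeneticResearch.com",
    condition=lambda r: (
        r.subject.get("department") == "R&D"
        and "Genetic Mutation" in r.subject.get("projects", ())
        and SENIORITY.get(r.subject.get("role"), 0) >= SENIORITY["Super Senior Specialist"]
        and from_office(r.environment["source_ip"])
        and within_business_hours(r.environment["time"])
    ),
    effect="Permit",
)

# The age claim: no identity attribute is consulted, only the claim itself.
ADULT_ONLY = Rule(
    name="adult-only-content",
    target=lambda r: r.resource.get("classification") == "adult-only",
    condition=lambda r: r.subject.get("age", 0) > 18,
    effect="Permit",
)

POLICY: List[Rule] = [GENETIC_RESEARCH, ADULT_ONLY]


def decide(policy: List[Rule], request: Request) -> str:
    """Deny-overrides combining with a closed (deny-by-default) fallback.

    A rule whose target does not match, or whose condition is false, is
    NotApplicable and contributes nothing; it never flips to the opposite effect.
    """
    effects = {rule.effect for rule in policy
               if rule.target(request) and rule.condition(request)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "Deny"  # nothing applied: closed policy


# Constructed sample requests (not real traffic).
def _researcher(role: str, source_ip: str, at: datetime) -> Request:
    return Request(
        subject={"department": "R&D", "projects": ["Genetic Mutation"], "role": role},
        resource={"host": "GeneticResearch.com"},
        action="read",
        environment={"source_ip": source_ip, "time": at},
    )


WORK_HOURS = datetime(2024, 3, 4, 10, 30)
EVENING = datetime(2024, 3, 4, 18, 5)

SAMPLES = {
    "in_office_work_hours": _researcher("Super Senior Specialist", "10.1.2.3", WORK_HOURS),
    "more_senior_role": _researcher("Principal Specialist", "10.1.2.3", WORK_HOURS),
    "too_junior": _researcher("Senior Specialist", "10.1.2.3", WORK_HOURS),
    "from_home": _researcher("Super Senior Specialist", "203.0.113.7", WORK_HOURS),
    "after_hours": _researcher("Super Senior Specialist", "10.1.2.3", EVENING),
    "adult_no_identity": Request(subject={"age": 21}, resource={"classification": "adult-only"},
                                 action="read", environment={}),
    "minor": Request(subject={"age": 17}, resource={"classification": "adult-only"},
                     action="read", environment={}),
}


def run_samples() -> Dict[str, str]:
    return {name: decide(POLICY, req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:24s} {outcome}")
```

Two points worth noting in the design. The whole "R&D, Genetic Mutation, super senior or above, office network, business hours" requirement is a single rule; adding a new project or a new office subnet changes an attribute value, not the rule. And the age request carries no user identifier at all, yet is decided the same way, which is the point made in Presentation 2; the engine only trusts the `age` value because something upstream is assumed to have verified it.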

Hence, in a nutshell: rule-based access control applies the same rules to all users, whereas ABAC can be much more specific because it decides on the attributes of each individual request.

From an exam perspective, these models are extremely important. As a security professional, you must understand them clearly so that you can advise an organization on which combination of these IAM models best supports the way it works.
