TL;DR; Policy-based access control (PBAC) and attribute-based access control (ABAC) are exactly the same thing. They enable fine-grained access control or authorization. Lately, customers have been asking me about the difference between externalized authorization, attribute-based access control (ABAC), and policy-based access control (PBAC). These are in fact all different ways of describing roughly the same thing: a better approach to tackling fine-grained authorization challenges in a way that is technology-neutral, i.e. that can be reused for APIs, data, and more. Both ALFA, the abbreviated language for authorization, and XACML are the OASIS standard implementations for ABAC.
This post was originally published on Identiverse’s blog following the 2018 edition of their conference. Background A few weeks ago, I had the pleasure to talk at the European Identity Conference on a topic that is close to my heart: authorization. More specifically, I discussed how the evolving IT landscape requires an even finer grained authorization framework to be able to deliver value to consumers as a whole. In a later session, I took part in a panel entitled “How will Authorization Look in the Future? XACML, OAuth, Proprietary” with Loren Russon (Ping Identity), Pam Dingle (Microsoft) and Eve Maler (ForgeRock). The bulk of the debate centered around standards and in particular the battle XACML vs. OAuth (and to a […]
In a previous blog post, I mentioned that I was working on a conversion script for a client to migrate XACML 1.1 policies to XACML 3.0. There are several ways this could be achieved. Here are the ways I have thought of: Use XSLT to convert from the XACML 1.1 schema to the XACML 3.0 schema. This is possibly a purist’s way of approaching this. However support for XSLT has not always been great and it requires a lot of XML, XPath, and XSLT know-how. Use the Java DOM model to parse XACML 1.1 XML and create XACML 3.0 XML. Use JAXB to generate POJOs (plain old Java objects) that represent XACML 1.1 and XACML 3.0. I chose the latter […]
Definition The XACML standard defines the concept of obligations which are elements which can be returned along with a XACML decision (either of Permit or Deny) in order to enrich that decision. Obligations are triggered on either Permit or Deny. The Policy Enforcement Point must implement and enforce obligations. If it fails to do so, it must deny access to the requested resource (in the case of a Permit). The XACML 3.0 standard defines obligations as follows: An operation specified in a rule, policy or policy set that should be performed by the PEP in conjunction with the enforcement of an authorization decision Where can I use an Obligation? Obligations can be defined in PolicySet, Policy, and Rule elements. This […]
I’ve been recently working on an interesting little project: converting XACML 1.1 policy (sets) to XACML 3.0 policies in order to help migrate a customer from a legacy environment to Axiomatics. In order to proceed with the conversion, I decided to use stock tools available off-the-shelf and custom code as little as possible. Since I write in Java, I chose to go for JAX-B especially since the support for JAXB has become better and better over the years. XJC itself is part of the JDK and it makes generating Java classes from XML schemas a breeze. I’ll talk some more about that in a separate post. In the meantime though, I wanted to share with you an old picture, the […]