ABAC Archives - Harvesting web technologies

The year of authorization: lessons learned from Identiverse 2023

Originally published on IDPro. For the first time ever, Identiverse headed to Vegas for its annual conference. It was a hit, as always, and judging by the agenda, some of the hot topics were passwordless authentication, AI, and last but definitely not least, authorization. My eyes were gleaming! We’re making authorization great again! Much Ado about Authorization I was delighted to see so much activity around authorization, both in the standards track, the vendor track, and the keynotes. On the floor, we had a slew of newer vendor booths tackling the authorization challenge, from Aserto to Indykite. All sources of inspiration. There was no shortage of authorization-related talks either: As You Like It One of the main challenges with ‘authorization’ […]

colorful busts placed in store - Attribute-based access control

Identity and Access Management

Why does attribute-based access control matter?

Attribute-based access control is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.

XACML Reference Library

What is a XACML condition?

It’s that time of the week when the creative juices go south and the urge to relax hits all-time records. And I know you are all craving for some XACML goodness before you head out for the weekend. After all, just a spoonful of XACML makes the… Uh who am I kidding? Let’s get on with this new episode of TGIF XACML. Today, let’s focus on a XACML condition. Definition A condition is an element of the XACML policy language. Unlike targets, it can only occur in rules. The condition is used to further define the scope of XACML rules. The scope defines when the rule will trigger. Both the target and the condition therefore help define the scope of […]

Identity and Access Management

Coarse-grained vs. fine-grained access control – part I

A few weeks ago, Baljinder Wadhwa, a consultant at HP, started an interesting thread on coarse-grained vs. fine-grained access control trying to figure out what the differences were between the two. His question generated a high level of great answers that went in different directions. This post aims at summarizing those answers, bringing in my own view, and producing a structured answer to Baljinder’s question. Here goes… Vocabulary definition Coarse: (1) composed of relatively large parts or particles <coarse sand> (2) : loose or rough in texture <coarse cloth> Fine: (1) very thin in gauge or texture (2) : not coarse <fine sand> (3) : very small (4) : keen <a knife with a fine edge> (5) : very precise […]

XACML Bites

XACML 101 – A quick intro to Attribute-based Access Control with XACML

Acronym XACML: eXtensible Access Control Markup Language. Highlights XACML: What’s ABAC? ABAC stands for attribute-based access control. It is a natural evolution from role-based access control which itself is a natural evolution from access control lists. Access Control History in a Nutshell Once upon a time, there were access control lists. Once a user authenticated, its identity was known and could be used in such lists. Think of clubs and VIP lists. If you appear on a VIP list, the bouncer (enforcer) will let you in. It doesn’t matter what your role in life is… Then someone realized that the right to do something (authorizations, entitlements…) should rather be linked to a role. Bus drivers can drive public transport buses. […]