Access control kinds

Context-Based Access Control (CBAC)

Access rights have a historical context.

  • The access rights cannot be determined without reasoning about past access operations.

  • Example:

    • Stateful packet filter firewall.
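A minimal stateful packet filter as an added example (not from the original notes): outbound packets from the inside network are accepted and remembered in a connection table, and an inbound packet is accepted only if it reverses a connection seen earlier. The address ranges, ports and packets are constructed for the example; the `Packet` and `StatefulFilter` names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Decisions depend on past packets: the same inbound packet is dropped or accepted
    depending on whether an inside host opened the connection before."""

    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix          # e.g. "10.0.0." for the protected LAN
        self.table: set[tuple] = set()               # connection table of seen outbound flows

    def _inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: accept and record, so replies can be matched later.
            self.table.add(flow)
            return "ACCEPT"
        if reverse in self.table:
            # Inbound reply to a connection an inside host opened earlier.
            return "ACCEPT"
        # Inbound with no matching state: a stateless filter matching only on the
        # 5-tuple could not distinguish this from a legitimate reply.
        return "DROP"


def demo() -> list[str]:
    fw = StatefulFilter("10.0.0.")
    reply = Packet("93.184.216.34", 443, "10.0.0.5", 40000)       # constructed reply packet
    return [
        fw.filter(reply),                                           # DROP: no prior outbound
        fw.filter(Packet("10.0.0.5", 40000, "93.184.216.34", 443)), # ACCEPT: outbound, recorded
        fw.filter(reply),                                           # ACCEPT: now matches state
        fw.filter(Packet("198.51.100.7", 5555, "10.0.0.5", 22)),   # DROP: unsolicited inbound
    ]
```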

Chinese Wall policy

  • Objects (e.g. company datasets) are grouped into conflict-of-interest classes (conflict groups).

  • Once a subject has accessed an object of one member of a conflict group, it must be denied access to objects of the other members of the same group, so the policy has to reason about the subject's past accesses.
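The Chinese Wall rules as an added example (not part of the original notes): two conflict-of-interest classes, a per-subject access history, the read rule (a subject may read a company's objects only if it has never read a competitor's objects) and the Brewer-Nash write rule (a subject may write to a company only if it can read it and has read nothing from any other company). The class names, company names and subject names are constructed for the example.

```python
from collections import defaultdict

# Constructed conflict-of-interest classes: companies in the same class compete.
COI_CLASSES = {
    "banks": {"BankA", "BankB"},
    "oil": {"OilX", "OilY"},
}
CLASS_OF = {company: cls for cls, members in COI_CLASSES.items() for company in members}


class ChineseWall:
    """History-dependent policy: the decision depends on what the subject read before."""

    def __init__(self) -> None:
        # subject -> set of companies whose objects the subject has already read
        self.history: dict[str, set[str]] = defaultdict(set)

    def read_allowed(self, subject: str, company: str) -> bool:
        cls = CLASS_OF[company]
        # Reading is denied if the subject already read a *different* company of the same class.
        return not any(prior != company and CLASS_OF[prior] == cls
                       for prior in self.history[subject])

    def read(self, subject: str, company: str) -> bool:
        """Perform the read if allowed and record it, since later decisions depend on it."""
        if not self.read_allowed(subject, company):
            return False
        self.history[subject].add(company)
        return True

    def write_allowed(self, subject: str, company: str) -> bool:
        # Brewer-Nash write rule: the subject must be able to read the target company and
        # must not have read any other company's objects, otherwise it could leak data
        # from one company into another's dataset through a shared subject.
        return (self.read_allowed(subject, company)
                and self.history[subject] <= {company})


def demo() -> list[bool]:
    wall = ChineseWall()
    return [
        wall.read("alice", "BankA"),          # True: first access, no conflict yet
        wall.read("alice", "BankB"),          # False: BankB conflicts with BankA
        wall.read("alice", "OilX"),           # True: a different conflict class
        wall.write_allowed("alice", "BankA"), # False: alice has also read OilX
        wall.read("carol", "BankB"),          # True: carol's history is empty
        wall.write_allowed("carol", "BankB"), # True: carol has only read BankB
    ]
```

The same subject's request for BankB is granted or denied purely on its history, which is the point of context-based policies: a stateless evaluation of (subject, object, action) cannot express this.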

Attribute-Based Access Control (ABAC)

Access control decisions are made based on attributes associated with relevant entities.

OASIS XACML architecture.

  • Policy Administration Point (PAP).

    • Where policies are managed.

  • Policy Decision Point (PDP).

    • Where authorization decisions are evaluated and issued.

  • Policy Enforcement Point (PEP).

    • Where access requests to a resource are intercepted and the PDP's decisions are enforced.

  • Policy Information Point (PIP).

    • Provides external information to a PDP.

XACML

Access control with PEP and PDP

A subject sends a request, which is intercepted by the Policy Enforcement Point (PEP).

The PEP sends the authorization request to the Policy Decision Point (PDP).

The PDP evaluates the request against its policies and reaches a decision.

  • Which is returned to the PEP.

  • Policies are retrieved from a Policy Retrieval Point (PRP).

  • Useful attributes are fetched from Policy Information Points (PIP).

  • Policies are managed by the Policy Administration Point (PAP).


Break-the-glass access control model

It may be required to overcome the established access limitations.

  • e.g. in a life-threatening situation.

Upon a denial, the subject may be presented with a break-the-glass option.

  • The subject can override the denial on their own responsibility.

  • Logging every override is fundamental to deter and detect abuse.

    • The subject may have to justify the action afterwards, having used the elevated right.
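The PEP/PDP/PRP/PIP/PAP flow above and the break-the-glass override, as one added example that is not from the original notes and is not XACML syntax. The entity classes are written from scratch here; the policy rules, the user directory, the attribute names (`role`, `btg_eligible`, `care_team`, `sensitivity`) and the patient record are all constructed assumptions. The PDP uses deny-overrides combining; the PEP lets an eligible subject override a non-permit only with a justification, and every decision, overridden or not, is appended to an audit log.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    subject: dict
    action: str
    resource: dict
    environment: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target and condition collapsed into one predicate


class PAP:
    """Policy Administration Point: where rules are authored and managed."""
    def __init__(self) -> None:
        self.rules: list[Rule] = []
    def add(self, rule: Rule) -> None:
        self.rules.append(rule)


class PRP:
    """Policy Retrieval Point: the store the PDP reads policies from."""
    def __init__(self, pap: PAP) -> None:
        self.pap = pap
    def policies(self) -> list[Rule]:
        return list(self.pap.rules)


class PIP:
    """Policy Information Point: supplies attributes the request itself does not carry."""
    def __init__(self, directory: dict[str, dict]) -> None:
        self.directory = directory       # assumed user directory: subject id -> attributes
    def enrich(self, req: Request) -> Request:
        req.subject = {**self.directory.get(req.subject["id"], {}), **req.subject}
        return req


class PDP:
    """Policy Decision Point: evaluates the enriched request, deny-overrides combining."""
    def __init__(self, prp: PRP, pip: PIP) -> None:
        self.prp, self.pip = prp, pip
    def decide(self, req: Request) -> str:
        req = self.pip.enrich(req)
        effects = [r.effect for r in self.prp.policies() if r.applies(req)]
        if not effects:
            return "NotApplicable"
        return "Deny" if "Deny" in effects else "Permit"


class PEP:
    """Policy Enforcement Point: intercepts the access, asks the PDP, enforces, audits."""
    def __init__(self, pdp: PDP, audit: list) -> None:
        self.pdp, self.audit = pdp, audit
    def access(self, req: Request, break_glass: bool = False, justification: str = "") -> bool:
        decision = self.pdp.decide(req)
        granted = decision == "Permit"
        # Break-the-glass: a non-permit can be overridden on the subject's own responsibility,
        # but only by subjects the directory marks eligible and only with a justification.
        if not granted and break_glass and req.subject.get("btg_eligible") and justification:
            decision, granted = "Permit(break-the-glass)", True
        self.audit.append({"subject": req.subject["id"], "action": req.action,
                           "resource": req.resource["id"], "decision": decision,
                           "justification": justification})
        return granted


def build_pep(audit: list) -> PEP:
    pap = PAP()   # constructed policy: care-team clinicians may read; restricted data is never exported
    pap.add(Rule("care-team-read", "Permit",
                 lambda r: r.action == "read" and r.subject.get("role") == "clinician"
                 and r.subject["id"] in r.resource["care_team"]))
    pap.add(Rule("no-export-of-restricted", "Deny",
                 lambda r: r.action == "export" and r.resource.get("sensitivity") == "restricted"))
    directory = {"dr_lee": {"role": "clinician", "btg_eligible": True},    # constructed directory
                 "dr_kim": {"role": "clinician", "btg_eligible": True},
                 "clerk1": {"role": "admin", "btg_eligible": False}}
    return PEP(PDP(PRP(pap), PIP(directory)), audit)


def demo() -> tuple[list[bool], list[dict]]:
    audit: list[dict] = []
    pep = build_pep(audit)
    record = {"id": "patient-42", "care_team": ["dr_lee"], "sensitivity": "restricted"}
    results = [
        pep.access(Request({"id": "dr_lee"}, "read", dict(record))),              # Permit
        pep.access(Request({"id": "dr_kim"}, "read", dict(record))),              # NotApplicable: denied
        pep.access(Request({"id": "dr_kim"}, "read", dict(record)),
                   break_glass=True, justification="patient unconscious in ER"),  # override, logged
        pep.access(Request({"id": "clerk1"}, "read", dict(record)),
                   break_glass=True, justification="curious"),                    # not eligible
        pep.access(Request({"id": "dr_lee"}, "export", dict(record))),            # Deny
    ]
    return results, audit
```

The audit entry for the override carries the justification, which is what a later review uses to hold the subject accountable for having used the elevated right.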
