# Access control kinds

## Context-Based Access Control (CBAC)

Access rights have a **historical context**.

* The access rights **cannot be determined without reasoning** about past access operations: the same request may be permitted or denied depending on what happened before.
* Example:
  * Stateful packet filter firewall: an inbound packet is accepted only if it belongs to a connection that an inside host opened earlier.
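The stateful packet filter from the example above, written out as an added example (not code from the original notes) so the history dependence is visible. The inside network, the addresses and the packets are constructed; a real filter would also age entries out and track connection teardown.

```python
# Added example, not from the original notes: a minimal stateful packet
# filter showing why its decisions are context based. Hosts in the (assumed)
# inside network may open TCP connections outward; an inbound packet is
# accepted only if it matches a connection an inside host opened earlier.
# Addresses and the network range are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")  # constructed trusted network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    def __init__(self):
        # Connection table keyed by (inside ip, inside port, outside ip, outside port).
        # This table *is* the history every later decision depends on.
        self.conns = set()

    @staticmethod
    def _is_outbound(p):
        return ip_address(p.src) in INSIDE

    def _key(self, p):
        # Normalise both directions of a flow to the same key.
        if self._is_outbound(p):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p):
        """Return 'ALLOW' or 'DROP' for packet p and update the state table."""
        if self._is_outbound(p) and p.syn and not p.ack:
            self.conns.add(self._key(p))  # inside host opens a new connection
            return "ALLOW"
        if self._key(p) in self.conns:
            return "ALLOW"                # belongs to an established flow
        return "DROP"                     # unsolicited: no matching history


def stateless_established(p):
    """The stateless approximation: trust the ACK bit on inbound packets.
    An attacker can set ACK on a crafted packet, so this is weaker."""
    return "ALLOW" if p.ack else "DROP"
```

The `stateless_established` function is the contrast case: a filter without history has to guess "established" from the ACK flag, which the sender controls. The stateful filter drops the same crafted packet because no inside host ever opened that connection.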

### Chinese Wall policy

* **Conflict groups** (conflict-of-interest classes): the datasets of competing organisations are grouped together.
* Access control policies **need to address past access to objects in different members of conflict groups**: once a subject has accessed an object of one member of a class, access to objects of every other member of that class must be denied, so the decision depends on the subject's access history.
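The Brewer-Nash rules behind the Chinese Wall policy, as an added example (not code from the original notes). The company datasets and the conflict classes are constructed; the `may_write` rule is the simplified form that ignores sanitised public information.

```python
# Added example, not from the original notes: the Brewer-Nash Chinese Wall
# rules. Every object belongs to a company dataset and datasets are grouped
# into conflict-of-interest classes. Company and class names are constructed.
from collections import defaultdict

# dataset -> conflict-of-interest class (constructed sample data)
CONFLICT_CLASS = {
    "BankA": "banks", "BankB": "banks",
    "OilX": "oil", "OilY": "oil",
}


class ChineseWall:
    def __init__(self):
        # Access history: subject -> set of datasets it has read from.
        # Without it, none of the decisions below can be made.
        self.history = defaultdict(set)

    def may_read(self, subject, dataset):
        """Simple security rule: read is allowed if the subject already holds
        objects from this dataset, or has never read anything from a
        competing dataset in the same conflict class."""
        cls = CONFLICT_CLASS[dataset]
        accessed = self.history[subject]
        if dataset in accessed:
            return True
        return not any(CONFLICT_CLASS[d] == cls for d in accessed)

    def may_write(self, subject, dataset):
        """*-property: write is allowed only if read is allowed and the
        subject has read nothing from any other dataset, so information
        cannot leak between companies through the subject (sanitised
        public information is ignored in this simplified version)."""
        return self.may_read(subject, dataset) and self.history[subject] <= {dataset}

    def read(self, subject, dataset):
        if not self.may_read(subject, dataset):
            return False
        self.history[subject].add(dataset)  # record the access: future denials stem from it
        return True
```

Note that `alice` below is never "assigned" a clearance: the wall is built around her by her own first read of `BankA`, which is what makes this a context-based rather than a static policy.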

## Attribute-Based Access Control (ABAC)

Access control decisions are made **based on attributes associated with relevant entities**.

The OASIS XACML standard defines the reference architecture for ABAC:

* Policy Administration Point (PAP).
  * Where **policies are managed**.
* Policy Decision Point (PDP).
  * Where **authorization decisions are evaluated and issued**.
* Policy Enforcement Point (PEP).
  * Where **access requests** to a resource are **intercepted and the PDP's decision is enforced**.
* Policy Information Point (PIP).
  * Provides **external information to a PDP**.

## XACML

### Access control with PEP and PDP

A subject sends a request, which is **intercepted by the Policy Enforcement Point (PEP)**.

The **PEP sends the authorization request** to the Policy Decision Point (PDP).

The PDP **evaluates the request against its policies** and **reaches a decision**, which is returned to the PEP for enforcement.

* Policies are retrieved from a Policy Retrieval Point (PRP).
* Useful attributes are fetched from Policy Information Points (PIP).
* Policies are managed by the Policy Administration Point (PAP).
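The PEP/PDP/PIP/PAP flow from the two lists above (the ABAC component list and the request walk-through), as one added example that is not code from the original notes or from any XACML implementation. The policies are plain Python functions with a deny-overrides combining rule, and the subject and resource attributes are constructed; a real XACML PDP evaluates XML or JSON policies, not Python callables.

```python
# Added example, not from the original notes: the XACML flow with the four
# components as plain Python objects. The "policy language" (callables that
# return Permit, Deny or None for NotApplicable) and the attributes
# (role, department, sensitivity) are constructed for the example.
from dataclasses import dataclass


@dataclass
class Request:
    subject: str
    action: str
    resource: str


class PIP:
    """Policy Information Point: supplies attributes the request does not carry."""
    def __init__(self):
        # constructed directory and record metadata
        self.users = {"dr_jones": {"role": "physician", "department": "cardiology"},
                      "eve": {"role": "clerk", "department": "billing"}}
        self.records = {"rec-42": {"department": "cardiology", "sensitivity": "high"}}

    def subject_attrs(self, subject):
        return self.users.get(subject, {})

    def resource_attrs(self, resource):
        return self.records.get(resource, {})


class PAP:
    """Policy Administration Point: where policies are authored and stored."""
    def __init__(self):
        self.policies = []

    def add(self, rule):
        self.policies.append(rule)

    def retrieve(self):
        # Doubles as the Policy Retrieval Point (PRP) the PDP reads from.
        return list(self.policies)


class PDP:
    """Policy Decision Point: evaluates every policy; deny overrides permit."""
    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, req):
        ctx = {"subject": self.pip.subject_attrs(req.subject),
               "resource": self.pip.resource_attrs(req.resource),
               "action": req.action}
        results = [rule(ctx) for rule in self.pap.retrieve()]
        results = [r for r in results if r is not None]  # drop NotApplicable
        if "Deny" in results:
            return "Deny"
        if "Permit" in results:
            return "Permit"
        return "NotApplicable"


class PEP:
    """Policy Enforcement Point: intercepts the access and enforces the decision."""
    def __init__(self, pdp, store):
        self.pdp, self.store = pdp, store

    def read(self, subject, resource):
        decision = self.pdp.decide(Request(subject, "read", resource))
        if decision != "Permit":  # fail closed on Deny and NotApplicable alike
            raise PermissionError(f"{subject} read {resource}: {decision}")
        return self.store[resource]


# constructed policies: physicians may read records of their own department;
# anyone outside the owning department is denied high-sensitivity records.
def same_department_physician(ctx):
    s, r = ctx["subject"], ctx["resource"]
    if (ctx["action"] == "read" and s.get("role") == "physician"
            and s.get("department") == r.get("department")):
        return "Permit"
    return None


def deny_high_sensitivity_cross_dept(ctx):
    s, r = ctx["subject"], ctx["resource"]
    if r.get("sensitivity") == "high" and s.get("department") != r.get("department"):
        return "Deny"
    return None


def build_pep():
    pap = PAP()
    pap.add(same_department_physician)
    pap.add(deny_high_sensitivity_cross_dept)
    return PEP(PDP(pap, PIP()), {"rec-42": "ECG report"})
```

The practitioner's check is the `!= "Permit"` in the PEP: a `NotApplicable` (no policy matched, e.g. an unknown resource) must be treated as a denial, otherwise a gap in the policy set becomes an access path.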

### Big picture

<figure><img src="https://3490214077-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FAHT7avzIVwxfPJ4pkhhO%2Fuploads%2FRxa4PAfwJNy3icR5P0sQ%2FScreenshot%20from%202024-02-22%2010-25-56.png?alt=media&#x26;token=7ab184aa-310c-4fda-90a2-12acdc28dfa9" alt=""><figcaption></figcaption></figure>

## Break-the-glass access control model

It may be required to **overcome the established access limitations**, e.g. in a life-threatening situation where a denied access would cause harm.

The subject may be presented with a break-the-glass decision upon a denial.

* The subject can override the denial, taking responsibility for the action.
* Logging is fundamental to prevent abuse.
  * The subject may have to justify the action afterwards, and every override should be reviewed.
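A break-the-glass override layered on an ordinary role check, as an added example (not code from the original notes). The roles, record classes and the in-memory audit list are constructed; in a deployment the log would be an append-only, tamper-evident store that the subject cannot edit.

```python
# Added example, not from the original notes: break-the-glass on top of an
# ordinary role check. Roles, record classes and the audit sink are
# constructed for the example.
from datetime import datetime, timezone

# constructed: role -> (action, record class) pairs normally permitted
ROLE_PERMS = {
    "nurse": {("read", "ward-record")},
    "physician": {("read", "ward-record"), ("read", "psych-record")},
}
# constructed: resource -> record class
RECORD_CLASS = {"rec-7": "psych-record", "rec-8": "ward-record", "payroll": "hr-record"}
# constructed: only clinical classes may ever be broken into; payroll cannot
BTG_CLASSES = {"ward-record", "psych-record"}

PERMIT, DENY = "Permit", "Deny"
BTG_AVAILABLE, PERMIT_BTG = "BreakGlassAvailable", "PermitBreakGlass"


class BreakTheGlass:
    def __init__(self):
        self.audit_log = []  # stands in for an append-only, tamper-evident store

    def _log(self, **entry):
        entry["time"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(entry)

    def normal_decision(self, role, action, resource):
        return (action, RECORD_CLASS[resource]) in ROLE_PERMS.get(role, set())

    def access(self, user, role, action, resource, justification=None):
        """First call without a justification: on denial, report whether the
        glass may be broken. Second call with a justification: grant the
        override and record who, what, when and why."""
        if self.normal_decision(role, action, resource):
            self._log(user=user, action=action, resource=resource, decision=PERMIT)
            return PERMIT
        if RECORD_CLASS[resource] not in BTG_CLASSES:
            self._log(user=user, action=action, resource=resource, decision=DENY)
            return DENY
        if justification is None:
            return BTG_AVAILABLE  # the PEP now presents the break-the-glass prompt
        if not justification.strip():
            return DENY           # an override without a reason is refused
        self._log(user=user, action=action, resource=resource,
                  decision=PERMIT_BTG, justification=justification.strip())
        return PERMIT_BTG

    def overrides(self, user=None):
        """Entries a reviewer must follow up; the subject justifies them afterwards."""
        return [e for e in self.audit_log
                if e["decision"] == PERMIT_BTG and (user is None or e["user"] == user)]
```

Two design points worth keeping: the set of resources that can be broken into is itself a policy decision (`BTG_CLASSES`), so break-the-glass does not silently become "everyone can read everything"; and the override is refused without a stated reason, so the `overrides()` report a reviewer works from always carries the justification alongside the identity and timestamp.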
