[OWASP-ESAPI] (no subject)
Jim Manico
jim.manico at owasp.org
Tue Nov 3 14:06:28 EST 2009
My mistake. RBAC is alive and well.
What I was trying to say was:
if (user.isInRole("MANAGER"))
...is dead, and is something that I consider to be an anti-pattern.
if (user.isAuthorized(<current activity>, <current object>))
.... is a better way to implement access controls in code, IMO.
The issue of how to correctly apply access control programmatically (activity based) can relate to RBAC, ABAC and CBAC.
If you know of any solid whitepaper on this topic, please point me in that direction.
- Jim
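The contrast Jim draws above, a hard-coded role check in controller code versus a single isAuthorized(activity, object) call, as an added example in Python. This is illustrative code written for this page, not ESAPI code and not code from the thread: a central policy table maps each named activity to a rule over the acting user and the target object, controllers only ever ask is_authorized(user, activity, obj), and the rules can encode context (same department, separation of duties) that a bare role check cannot. The User and Expense types, the activity names, the rules and the sample users and expenses are all constructed for illustration.

```python
"""Activity-based authorization check, contrasted with a hard-coded role check.

Constructed example: the types, activity names, policy rules and sample data
below are illustrative and not taken from ESAPI or the mailing-list thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    department: str


@dataclass(frozen=True)
class Expense:
    id: int
    owner: str        # name of the user who submitted it
    department: str
    amount: float


# Activity names are the vocabulary controllers use; roles never appear there.
VIEW_EXPENSE = "expense:view"
APPROVE_EXPENSE = "expense:approve"
DELETE_EXPENSE = "expense:delete"

Rule = Callable[[User, Expense], bool]


def _is_owner(u: User, e: Expense) -> bool:
    return e.owner == u.name


def _is_dept_manager(u: User, e: Expense) -> bool:
    return "MANAGER" in u.roles and u.department == e.department


def _is_auditor(u: User, e: Expense) -> bool:
    return "AUDITOR" in u.roles


# The policy is the one place that knows how activities relate to roles and
# object context. Changing who may approve means editing this table only.
POLICY: Dict[str, Rule] = {
    VIEW_EXPENSE: lambda u, e: _is_owner(u, e) or _is_dept_manager(u, e) or _is_auditor(u, e),
    # Separation of duties: a manager may approve expenses in her department,
    # but never her own. A role check alone cannot express this.
    APPROVE_EXPENSE: lambda u, e: _is_dept_manager(u, e) and not _is_owner(u, e),
    DELETE_EXPENSE: lambda u, e: _is_owner(u, e),
}


def is_authorized(user: User, activity: str, obj: Expense) -> bool:
    """Central access-control decision; unknown activities are denied."""
    rule = POLICY.get(activity)
    if rule is None:
        return False  # deny by default rather than fall through to "allowed"
    return bool(rule(user, obj))


def role_check_approve(user: User) -> bool:
    """The anti-pattern, kept only for comparison: ignores the object entirely."""
    return "MANAGER" in user.roles


def approve_expense(user: User, expense: Expense, store: Dict[int, str]) -> str:
    """Controller code: one activity check, then the business action."""
    if not is_authorized(user, APPROVE_EXPENSE, expense):
        raise PermissionError(f"{user.name} may not {APPROVE_EXPENSE} expense {expense.id}")
    store[expense.id] = "approved"
    return store[expense.id]


# Constructed sample data.
ALICE = User("alice", frozenset({"MANAGER"}), "eng")
BOB = User("bob", frozenset({"EMPLOYEE"}), "eng")
CAROL = User("carol", frozenset({"MANAGER"}), "sales")
DAVE = User("dave", frozenset({"AUDITOR"}), "finance")

E1 = Expense(1, owner="bob", department="eng", amount=120.0)
E2 = Expense(2, owner="alice", department="eng", amount=900.0)   # Alice's own
E3 = Expense(3, owner="erin", department="sales", amount=45.0)


def decisions() -> Dict[str, bool]:
    """Side-by-side results showing where the role check over-grants."""
    return {
        "alice approves bob (same dept)": is_authorized(ALICE, APPROVE_EXPENSE, E1),
        "alice approves her own": is_authorized(ALICE, APPROVE_EXPENSE, E2),
        "alice approves sales expense": is_authorized(ALICE, APPROVE_EXPENSE, E3),
        "role check says alice may approve": role_check_approve(ALICE),
        "carol approves sales expense": is_authorized(CAROL, APPROVE_EXPENSE, E3),
        "dave (auditor) views": is_authorized(DAVE, VIEW_EXPENSE, E1),
        "dave (auditor) approves": is_authorized(DAVE, APPROVE_EXPENSE, E1),
        "bob deletes his own": is_authorized(BOB, DELETE_EXPENSE, E1),
        "bob deletes alice's": is_authorized(BOB, DELETE_EXPENSE, E2),
        "unknown activity": is_authorized(ALICE, "expense:export", E1),
    }


if __name__ == "__main__":
    for label, allowed in decisions().items():
        print(f"{label:40s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the table is the two rows for Alice's own expense and the sales expense: role_check_approve(ALICE) is True in both cases, while is_authorized denies both, because the activity rule sees the object. Controllers never name a role, so adding a "FINANCE" role that may also approve touches only POLICY.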
From: Marcin Wielgoszewski
To: jim at manico.net
Sent: Tuesday, November 03, 2009 4:16 AM
Subject: RBAC is dead
RBAC - Role Based Access Control is dead. RBAC implies that you are basing access control decisions, primarily, on user role verification. This is not a maintainable way to build an access control mechanism.
The near future, I think, is Data Contextual ABAC - Activity Based Access Control.
ABAC makes access control decisions based on users specific activities. The biggest "in the code" win is that you no longer hard code role checks in your controller code. Writing "if (user.hasRole("MANAGER"))" throughout your code is basically a huge antipattern, in my mind.
I fail to see the difference between *activity* and *role* based access controls, it's all the same these days! ABAC is nothing new, and the concept dates back to at least 2000... RBAC isn't dead. ;)
-Marcin