[Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations

Carlos Serrao carlos.serrao at owasp.org
Wed Jan 22 10:14:52 UTC 2014


Hi,

This is kind of something related to what ABAC promises to deliver, and that was/is fairly used in Rights Management Systems (a.k.a. DRM): Rights Expression Languages such as MPEG-21 REL (http://en.wikipedia.org/wiki/MPEG-21) and ODRL (http://en.wikipedia.org/wiki/ODRL).

Both are used to implement access control and usage rules over content. I think that they can be extended to support ABAC and go even further.

Best regards,

On 22 Jan 2014, at 06:04, Jim Manico <jim.manico at owasp.org> wrote:

> Good stuff, Chris.
>  
> Most analysts were talking about RBAC as the savior to all security problems in 2009. Props to you for talking about RBAC limits in 09. Nather is on the same team.
>  
> Funny, the NIST docs below claim a good implementation of ABAC is XACML. But I agree with you, XACML is largely dead. OAUTH which is radically easier to implement than XACML is in a lot more widespread use … but it does not address complex enterprise access control needs like XACML was supposed to.
>  
> Interesting “XACML is dead” article here. http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead
>  
> So that still leaves a huge space for some kind of enterprise-grade access control standard. Is there anything more beefy than OAUTH looking to replace the promise of XACML?
>  
> Aloha,
> Jim
>  
> From: Chris Schmidt [mailto:chris.schmidt at contrastsecurity.com] 
> Sent: Tuesday, January 21, 2014 4:48 PM
> To: 'Jim Manico'
> Cc: OWASP IDecosystem List; owasp-leaders at lists.owasp.org
> Subject: RE: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
>  
> Blog posts
>  
> November 2009 – Is Role Based Access Control Dead?
> http://yet-another-dev.blogspot.com/2009/11/is-role-based-access-control-dead.html
>  
> January 2010 – More on Context Based Access Control
> http://yet-another-dev.blogspot.com/2010/01/more-on-context-based-access-control.html
>  
> Oracle also implemented something called “XACML” that was somewhat kind of maybe a little close to what I was proposing – however, it was difficult to understand/use, had complicated XML Schemas, and didn’t solve the whole problem (and was never really actually adopted by anyone that I’m aware of)
> http://www.oasis-open.org/committees/document.php?document_id=33416
>  
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Tuesday, January 21, 2014 5:00 PM
> To: Chris Schmidt
> Cc: OWASP IDecosystem List; owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
>  
> Chris,
>  
> Context-Based-Access-Control is already a formal access control methodology for firewall tech. http://en.m.wikipedia.org/wiki/Context-based_access_control
>  
> Also, NIST's ABAC doc describes something done informally for decades. Anyone building large multi-tenant systems has already been forced to go down the ABAC path or similar. What makes me so happy is to see NIST finally addressing the limitations of RBAC in such a public, formal way to the point of helping federal agencies make a business case for ABAC.
>  
> Do you have anything published on your methodology? I would love to see it. 
> 
> Cheers Chris,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> On Jan 21, 2014, at 1:48 PM, Chris Schmidt <chris.schmidt at contrastsecurity.com> wrote:
> 
> I’ll have to read up on this and see how it compares to my idea for Context-Based-Access-Control from a few years ago.
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jim Manico
> Sent: Tuesday, January 21, 2014 4:23 PM
> To: Bev Corwin; owasp-leaders at lists.owasp.org; OWASP IDecosystem List
> Subject: Re: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
>  
> Anything that encourages developers to stray away from modern implementations of Role-Based-Access-Control is fine by me. This is a great step in the right direction from what I have read so far.
>  
> Thanks for passing this along, Bev.
>  
> Aloha,
> Jim
>  
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Bev Corwin
> Sent: Tuesday, January 21, 2014 7:51 AM
> To: owasp-leaders at lists.owasp.org; OWASP IDecosystem List
> Subject: [Owasp-leaders] NIST Approved: Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
>  
> FYI:
>  
> "NIST Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations has been approved as final and is now available on the CSRC / NIST website.
> URL to the SP 800-162 document (PDF):
> http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
> 
> An announcement about this document's release can be found on the CSRC Announcement page:
> http://csrc.nist.gov/news_events/#jan21
> 
> The SP 800-162 listing can be found on the NIST CSRC Special Publications page (for bookmarking purposes):
> http://csrc.nist.gov/publications/PubsSPs.html#800-162"
> 
>  
> Bev
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Carlos Serrão
Chapter Leader @ OWASP at PT

Skype: pontocom73
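The thread argues two things worth seeing in code: that a pure role check cannot express the per-tenant and per-object constraints large multi-tenant systems need (Jim's point), and that a rule language over attributes, in the style of the usage rules RELs attach to content (Carlos's point), can. The block below is an added illustration written for this page; it is not code from NIST SP 800-162, OWASP, or any project named in the thread. It implements a minimal attribute-based policy decision point in the SP 800-162 vocabulary (subject, object, action and environment attributes, deny-overrides combining, deny by default) next to a role-only check, and runs both over constructed sample tenants, users and documents. All attribute names, rule names and sample values are assumptions chosen for the example.

```python
"""Minimal attribute-based access control (ABAC) decision point, contrasted
with a role-only check. Added example for this thread, not NIST/OWASP code.
All attribute names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    """An access request: who (subject), what action, on which object,
    under which environment attributes (here only the hour of day)."""
    subject: Attrs
    action: str
    obj: Attrs
    env: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]  # True when the rule applies


def same_tenant(r: Request) -> bool:
    # Missing tenant on either side is treated as a mismatch (fail closed).
    st, ot = r.subject.get("tenant_id"), r.obj.get("tenant_id")
    return st is not None and st == ot


# Constructed policy. Evaluation is deny-overrides: any applicable deny wins,
# otherwise any applicable permit wins, otherwise the answer is deny.
POLICY: List[Rule] = [
    Rule("cross-tenant", "deny", lambda r: not same_tenant(r)),
    Rule("clearance", "deny",
         lambda r: r.obj.get("classification", 0) > r.subject.get("clearance", 0)),
    Rule("owner-read-write", "permit",
         lambda r: r.action in ("read", "write")
         and r.subject.get("user_id") == r.obj.get("owner")),
    Rule("editor-writes-drafts", "permit",
         lambda r: r.action == "write"
         and "editor" in r.subject.get("roles", ())
         and r.obj.get("state") == "draft"),
    Rule("auditor-reads-in-business-hours", "permit",
         lambda r: r.action == "read"
         and "auditor" in r.subject.get("roles", ())
         and 8 <= r.env.get("hour", -1) < 18),
]


def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """ABAC decision: deny-overrides combining with deny as the default."""
    applicable = [rule for rule in policy if rule.condition(req)]
    if any(rule.effect == "deny" for rule in applicable):
        return "deny"
    if any(rule.effect == "permit" for rule in applicable):
        return "permit"
    return "deny"  # no rule applied: deny by default


def rbac_only(req: Request) -> str:
    """Role-only check for contrast: role -> permitted actions, with no
    object or environment attributes consulted at all."""
    role_perms = {"editor": {"read", "write"}, "auditor": {"read"}}
    for role in req.subject.get("roles", ()):
        if req.action in role_perms.get(role, set()):
            return "permit"
    return "deny"


# Constructed sample data: two tenants, three users, four documents.
ALICE = {"user_id": "alice", "tenant_id": "acme", "roles": ("editor",), "clearance": 2}
DAVE = {"user_id": "dave", "tenant_id": "acme", "roles": ("auditor",), "clearance": 2}
DRAFT_ACME = {"tenant_id": "acme", "owner": "bob", "state": "draft", "classification": 1}
DRAFT_GLOBEX = {"tenant_id": "globex", "owner": "carol", "state": "draft", "classification": 1}
PUBLISHED_ACME = {"tenant_id": "acme", "owner": "bob", "state": "published", "classification": 1}
SECRET_ACME = {"tenant_id": "acme", "owner": "bob", "state": "draft", "classification": 3}


def scenarios() -> Dict[str, Dict[str, str]]:
    """Run the same requests through both checks; the differences are exactly
    the constraints a role alone cannot express."""
    cases = {
        "editor writes own-tenant draft": Request(ALICE, "write", DRAFT_ACME),
        "editor writes other-tenant draft": Request(ALICE, "write", DRAFT_GLOBEX),
        "editor writes published doc": Request(ALICE, "write", PUBLISHED_ACME),
        "editor writes above clearance": Request(ALICE, "write", SECRET_ACME),
        "auditor reads at 03:00": Request(DAVE, "read", DRAFT_ACME, {"hour": 3}),
        "auditor reads at 10:00": Request(DAVE, "read", DRAFT_ACME, {"hour": 10}),
    }
    return {name: {"rbac": rbac_only(req), "abac": decide(req)}
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:36s} rbac={result['rbac']:6s} abac={result['abac']}")
```

The role check permits the editor's write in every case, including the cross-tenant one, because "editor" carries no tenant, state or classification. The attribute policy denies the cross-tenant and over-classification requests outright, gives a non-applicable (hence deny) answer for the published document, and lets the environment attribute decide the auditor's read; the combining order and the fail-closed tenant comparison are the two places a reviewer of such a policy should look first.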
