Friday Aug 15, 2008

What's wrong with the ANSI RBAC standard? Part 3 - what happens when you remove an inheritance relationship?

The ANSI standard for RBAC (ANSI 359-2004) includes role hierarchies as an optional feature. The model of role hierarchies defined is simple, easy to understand, and generally good stuff. It does have a few problems, one of which I think should be addressed: When in a role hierarchy an inheritance relation between two roles is removed, the specification doesn't say what should happen. It should. There are two possible behaviors in theory. In a world where workflow, approval, and attestation are important - our world - there is really only one good behavior.

[Read More]

Friday Aug 08, 2008

What's wrong with the ANSI RBAC standard? Part 2 - Role-Role SOD is just too simple to work

The ANSI INCITS 359-2004 specification (get your copy for a few dollars here) spends a good number of pages talking about something very near and dear to me: Separation of Duties (SOD). The specification describes “constrained” RBAC generally and then outlines two types of constraints – static SOD and dynamic SOD. I am very glad that SOD made its way into the ANSI specification. I am also glad that the specification allows SOD rules that consist of role sets and not just role pairs – nice work guys. I’m not so happy about restricting SOD policies to sets of roles. In the “real” world, I have found that this approach is highly problematic. My view is that SOD policies should allow Role-Role, Permission-Permission and possibly even Role-Permission sets within SOD policies. A simplified scenario should illustrate the point. [Read More]
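The role-set versus permission-set SOD gap described above, together with the open question from Part 3 (what a removed inheritance relation leaves behind), as an added Python model that is not code from the blog or from the ANSI specification. The role and permission names, the "revoke" and "preserve" readings of inheritance removal, the user assignments and the threshold-style SOD policies are all this example's own constructed assumptions; the post's own scenario is behind the link. It goes slightly beyond the text by checking both kinds of policy against the same user so the difference is visible.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Minimal hierarchical RBAC model (constructed for this example)."""
    perms: dict[str, set[str]] = field(default_factory=dict)        # role -> directly assigned permissions
    inherits: dict[str, set[str]] = field(default_factory=dict)     # senior role -> junior roles it inherits from
    user_roles: dict[str, set[str]] = field(default_factory=dict)   # user -> directly assigned roles
    # SOD policy = (set, n): no user may hold n or more members of the set
    role_sod: list[tuple[frozenset[str], int]] = field(default_factory=list)
    perm_sod: list[tuple[frozenset[str], int]] = field(default_factory=list)

    def add_role(self, role: str, perms=()) -> None:
        self.perms.setdefault(role, set()).update(perms)
        self.inherits.setdefault(role, set())

    def add_inheritance(self, senior: str, junior: str) -> None:
        self.inherits[senior].add(junior)

    def authorized_roles(self, role: str) -> set[str]:
        # transitive closure over the inheritance relation, including the role itself
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.inherits.get(r, ()))
        return seen

    def role_permissions(self, role: str) -> set[str]:
        return set().union(*(self.perms[r] for r in self.authorized_roles(role)))

    def user_permissions(self, user: str) -> set[str]:
        return set().union(*(self.role_permissions(r) for r in self.user_roles.get(user, ())))

    def remove_inheritance(self, senior: str, junior: str, preserve: bool = False) -> None:
        """Two readings of deleting an inheritance relation (this example's assumption,
        not the standard's text): 'revoke' simply drops everything reached through the
        junior; 'preserve' first copies the junior's effective permissions onto the senior
        as direct assignments, so no user silently loses access."""
        if preserve:
            self.perms[senior].update(self.role_permissions(junior))
        self.inherits[senior].discard(junior)

    def sod_violations(self, user: str) -> list[tuple[str, frozenset[str]]]:
        roles = set().union(*(self.authorized_roles(r) for r in self.user_roles.get(user, ())))
        perms = self.user_permissions(user)
        found = []
        for rs, n in self.role_sod:
            if len(rs & roles) >= n:
                found.append(("role", rs))
        for ps, n in self.perm_sod:
            if len(ps & perms) >= n:
                found.append(("perm", ps))
        return found


def build_demo() -> Rbac:
    """Constructed scenario: creating a vendor and approving a payment must never
    sit with one person. Finance_Ops carries approve_payment directly, without
    inheriting from AP_Clerk, so a role-only SOD rule never sees it."""
    rb = Rbac()
    rb.add_role("Purchasing", {"create_vendor"})
    rb.add_role("AP_Clerk", {"approve_payment"})
    rb.add_role("Finance_Ops", {"approve_payment", "run_reports"})
    rb.add_role("Manager", {"view_budget"})
    rb.add_inheritance("Manager", "AP_Clerk")
    rb.user_roles = {"alice": {"Manager"}, "bob": {"Purchasing", "Finance_Ops"}}
    rb.role_sod.append((frozenset({"Purchasing", "AP_Clerk"}), 2))
    rb.perm_sod.append((frozenset({"create_vendor", "approve_payment"}), 2))
    return rb


def sod_demo() -> list[str]:
    """Kinds of SOD policy that flag bob: only the permission-level rule fires."""
    return [kind for kind, _ in build_demo().sod_violations("bob")]


def inheritance_demo(preserve: bool) -> list[str]:
    """alice's effective permissions after Manager stops inheriting from AP_Clerk."""
    rb = build_demo()
    rb.remove_inheritance("Manager", "AP_Clerk", preserve=preserve)
    return sorted(rb.user_permissions("alice"))


if __name__ == "__main__":
    print("bob violates:", sod_demo())
    print("alice after revoke-style removal:", inheritance_demo(False))
    print("alice after preserve-style removal:", inheritance_demo(True))
```

The point of the SOD half is that bob holds two roles the role-set rule considers unrelated, yet ends up with both conflicting permissions; a permission-set (or mixed) policy is what catches that. The inheritance half shows why the standard's silence matters: the same DeleteInheritance call either strips alice of approve_payment or leaves it in place, and an attestation or approval workflow would want to know which.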

Friday Aug 01, 2008

What's wrong with the ANSI RBAC standard? Part 1 - Sessions should be optional

I must first say that the ANSI 359-2004 RBAC standard* is absolutely critical. While RBAC has been around for about two decades, ANSI and its predecessors only (relatively) recently gave us a shared language and got us talking about roles and role management. Some of that talk is about how flawed the rather academic ANSI standard is when applied to real-world identity management, but at least we're all talking! I could spend time talking about what's right about the current standard. Perhaps I will some day soon. For now, however, to fulfill my promise of at least one post per week, here is the first item in a fairly long list of gripes about the standard. Remember, we only complain about those we love! Issue 1: Sessions and Role Activation don't belong in core RBAC. [Read More]
About

Articles and thoughts, many far too long, relating to Identity Management.
