Friday Aug 15, 2008
The ANSI standard for RBAC (ANSI 359-2004) includes role hierarchies as an optional feature. The model of role hierarchies it defines is simple, easy to understand, and generally good stuff. It does have a few problems, one of which I think should be addressed: when an inheritance relation between two roles in a role hierarchy is removed, the specification doesn't say what should happen. It should. In theory there are two possible behaviors. In a world where workflow, approval, and attestation are important - our world - there is really only one good behavior.
Friday Aug 08, 2008
By jeff.shukis on Aug 08, 2008
The ANSI INCITS 359-2004 specification (get your copy for a few dollars here) spends a good number of pages on something very near and dear to me: Separation of Duties (SOD). The specification describes "constrained" RBAC generally and then outlines two types of constraints: static SOD and dynamic SOD. I am very glad that SOD made its way into the ANSI specification. I am also glad that the specification allows SOD rules that consist of role sets and not just role pairs - nice work guys. I'm not so happy about restricting SOD policies to sets of roles. In the "real" world, I have found that this approach is highly problematic. My view is that SOD policies should allow Role-Role, Permission-Permission, and possibly even Role-Permission sets. A simplified scenario should illustrate the point.
Friday Aug 01, 2008
By jeff.shukis on Aug 01, 2008
I must first say that the ANSI 359-2004 RBAC standard* is absolutely critical. While RBAC has been around for about two decades, ANSI and its predecessors only (relatively) recently gave us a shared language and got us talking about roles and role management. Some of that talk is about how flawed the rather academic ANSI standard is when applied to real-world identity management, but at least we're all talking! I could spend time talking about what's right about the current standard. Perhaps I will some day soon. For now, however, to fulfill my promise of at least one post per week, here is the first item in a fairly long list of gripes about the standard. Remember, we only complain about those we love! Issue 1: Sessions and Role Activation don't belong in core RBAC.
Articles and thoughts, many far too long, relating to Identity Management.
- Ongoing Discussion: A provisioning-centric view of how enterprise applications do security
- What's wrong with the ANSI RBAC standard? Part 3 - what happens when you remove an inheritance relationship?
- What's wrong with the ANSI RBAC standard? Part 2 - Role-Role SOD is just too simple to work
- What's wrong with the ANSI RBAC standard? Part 1 - Sessions should be optional
- Welcome to IdentityThink