Attribute-Based Access Control is sometimes referred to as Policy-Based Access Control (PBAC) or Claims-Based Access Control (CBAC),<ref>[http://genericiam.blogspot.co.uk/2015/10/rbac-first-abac-next-or-what.html RBAC first – ABAC next, or what?, 2015, Horst Walther, ''GenericIAM Blog'']. Retrieved on 2016-08-30.</ref> which is a Microsoft-specific term.<ref>[http://www.hpl.hp.com/techreports/2009/HPL-2009-30.pdf Karp, Alan, Harry Haury, and Michael Davis. "From ABAC to ZBAC: the evolution of access control models." ''International Conference on Information Warfare and Security''. Academic Conferences International Limited, 2010]. Retrieved on 2016-08-30.</ref>
==Components==
===Architecture===
===Attributes===
Attributes can be about anything and anyone. They tend to fall into 4 different categories or functions (as in grammatical function):
# Subject attributes: attributes that describe the user attempting the access e.g. age, clearance, department, role, job title...
# Action attributes: attributes that describe the action being attempted e.g. read, delete, view, approve...
# Resource (or object) attributes: attributes that describe the object being accessed e.g. the object type (medical record, bank account...), the department, the classification or sensitivity, the location...
# Contextual (environment) attributes: attributes that deal with time, location or dynamic aspects of the access control scenario<ref>http://stackoverflow.com/questions/36705901/alternatives-for-roles-claims-access-control-systems</ref>
===Policies===
Policies are statements that bring together attributes to express what is allowed and what is not allowed. Policies in ABAC can be granting or denying policies. Policies can also be local or global, and can be written so that they override other policies. Examples include:
# A user can view a document if the document is in the same department as the user
# A user can edit a document if they are the owner and if the document is in draft mode
# Deny access before 9am
With ABAC you can have as many policies as you like that cater to many different scenarios and technologies.<ref>http://stackoverflow.com/questions/36705901/alternatives-for-roles-claims-access-control-systems</ref>
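The three example policies above, written as a minimal policy decision function. This is an added illustration, not code from the cited sources; the attribute names (<code>id</code>, <code>department</code>, <code>owner</code>, <code>status</code>, <code>time</code>), the deny-overrides combining rule and the default-deny fallback are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict      # subject attributes, e.g. id, department
    action: str        # action attribute, e.g. "view", "edit"
    resource: dict     # resource attributes, e.g. owner, department, status
    environment: dict  # contextual attributes, e.g. time of the request


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Request], bool]   # condition over the four attribute sets


POLICIES = [
    # 1. View if the document is in the same department as the user.
    #    A missing department never matches (None == None must not grant access).
    Policy("view-same-department", "permit",
           lambda r: r.action == "view"
           and r.subject.get("department") is not None
           and r.subject.get("department") == r.resource.get("department")),
    # 2. Edit if the user is the owner and the document is in draft mode.
    Policy("edit-own-draft", "permit",
           lambda r: r.action == "edit"
           and r.resource.get("owner") is not None
           and r.resource.get("owner") == r.subject.get("id")
           and r.resource.get("status") == "draft"),
    # 3. Deny access before 9am. A request with no time attribute is treated
    #    as midnight, so missing context fails closed (assumption).
    Policy("deny-before-9am", "deny",
           lambda r: r.environment.get("time", time.min) < time(9, 0)),
]


def decide(request, policies=POLICIES):
    """Return (decision, matching policy names) using deny-overrides."""
    matched = [p for p in policies if p.applies(request)]
    denies = [p.name for p in matched if p.effect == "deny"]
    if denies:                       # any denying policy overrides all permits
        return "deny", denies
    if matched:
        return "permit", [p.name for p in matched]
    return "deny", []                # no applicable policy: default deny
```

A decision of <code>("deny", [])</code> means no policy applied, which is distinct from an explicit denying policy and is useful to log separately when auditing policy coverage.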
==Other models==