Resource Based Access Control vs Role Based Access Control

authentication access-control rbac
10,960

This is the first time I hear of resource-based access control.

I would be extremely careful in going down this path. In the world of authorization there are essentially 2 standards:

  • Role-based access control (RBAC) as standardized by NIST and implemented in thousands of apps and frameworks with support from the main vendors (CA, Oracle, IBM...)
  • Attribute-based access control (ABAC) as being standardized by NIST (also here) and equally well implemented by vendors such as IBM, Oracle, and Axiomatics which is where I work.

Resource-based access control seems to be a model invented by Stormpath and supported by them only. It may be good but it will only work with their environment.

Role-based and Attribute-based access control are well accepted paradigms supported by NIST and other standardization bodies such as OASIS (where SAML and XACML were defined 10 years ago and are still supported today).

The question to you is: why is role-based access control not enough for you? Do you have a role explosion issue? Is it not expressive enough? Do you need to implement relationships between users, resources, and context?

ABAC and XACML can let you do that. I posted a simple video a while back on YouTube that deals with attribute-based access control. Have a look.

The bottom line is that RBAC and ABAC are standards that work across multiple applications and layers. Resource-based access control is specific to Apache Shiro only.

Share:
10,960

Related videos on Youtube

hguser
Author by

hguser

Updated on June 04, 2022

Comments

  • hguser
    hguser almost 2 years

    I am learning Apache Shiro, and I found this article:

    The New RBAC: Resource-Based Access Control

    And the author said:

    .......you could assign behaviors (permissions) directly to a Role if you want. In this sense, you would still have a Role-Based Access Control security policy - it is just you would have an explicit RBAC policy instead of the traditional implicit strategy.

    But that begs the question - why stop at roles? You can assign behaviors directly to users, or to groups, or to anything else your security policy might allow.

    It seems that the author prefer to store the relationship of User and Permission directly instead of through a Role.

    Though it seems this is simple and straightforward, I have some questions:

    1. Are there any essential differences between two of them?

    2. The Database schema.

    In a Role Based Access Control, normally we use three tables to describe the relationship:

    user
role
user_role

    No if I use the Resource Based Access Control, what is the normal practice for building the tables?

  • Josh C.
    Josh C. over 9 years
    how does this work when parameters are evolved in the route? We may not now if the have access to the resource until we process the request, right?
  • Josh C.
    Josh C. over 9 years
    What is considered best practice in this case?
  • SO User
    SO User about 9 years
    @DavidBrossard, can u pls advice how to get a trial version of Axiomatic APS for XACML? The link suggested by you (axiomatics.com/get-aps-express-edition-now.html) didn't give me any confirmation email. Thx.
  • David Brossard
    David Brossard about 9 years
    Please email [email protected] and they should be able to help you

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

istio getting "RBAC: access denied" even the servicerolebinding checked to be allowed
su: cannot open session: Permission denied
Best Role-Based Access Control (RBAC) database model
flutter_web_auth doesn't redirect from WebView to the app after authorizing the access to my data in Flutter
Staying logged in when updating code on flutter web
Flutter keeps throwing an error, while defining CognitoSignUpOptions
Flutter 2.8.0 will not deploy and run project on iOS simulator (was working on 2.5.3)
Tried to change the background color and text color in Flutter toast. But its not working properly
How to add an if else condition for login?
Flutter Int_phone_field how to align text field to the country code selector