[cap-talk] Capabilities and RBAC (was Comprehensive Security Policies ...)
Karp, Alan H
alan.karp at hp.com
Tue Jan 16 19:05:41 CST 2007
RBAC was invented to solve a particular problem with IBAC, namely the
need to reset large numbers of permissions when one person takes over
someone else's job. It does that quite well, but it introduces problems
of its own.
The first problem is one that I call role mismatch, which frequently
happens within an organization. The issue is that roles rarely align
perfectly with the duties assigned to individuals. Say that Alice gets
a promotion, and Bob takes over her old job. It's likely that some of
Bob's old duties move with him into the new job and others don't. That
results in a new definition for the role and means that there is still a
need to update permissions. I believe this to be related to the issue
David Hopwood was describing.
The second problem is role explosion, which is most likely to occur when
crossing organizational boundaries. The issue is that each organization
has its own definition of what the role means. People who have tried to
implement distributed RBAC invariably end up with role explosion,
basically a role for every combination of permissions they find they
need.
The nice thing about capabilities is that they can be combined
dynamically to solve the problem that RBAC was supposed to solve but
doesn't. I don't see a lot of value (other than political) in trying to
build RBAC mechanisms in a capability system. Simply construct a bundle
of capabilities given to whoever is supposed to do a particular job,
and revoke them when that person changes jobs. You can call the
revoking forwarder a role if your customer insists on roles. I believe
that's what people on this list mean, but it's not RBAC in the sense
that the rest of the world understands it.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
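The bundle-plus-revoking-forwarder construction Karp sketches, worked through as an added example (this is editor's illustration code, not anything from the cap-talk list or HP Labs; the class names `Forwarder` and `Bundle`, the four duties and the Alice/Bob hand-over are assumptions chosen to mirror the post). The point it demonstrates is that no role definition is ever updated: Alice's old bundle is revoked as a unit, and Bob's new bundle is composed dynamically from the capabilities that actually move with him.

```python
"""Capability bundles with a revoking forwarder (illustrative, not from the post).

Each capability is a callable. A Forwarder passes calls through to it until
revoke() is called; a Bundle is the set of forwarders handed to one person.
Revoking the bundle is the whole "role change"; there is no role table.
"""
from __future__ import annotations
from typing import Any, Callable


class Revoked(Exception):
    """Raised when a revoked forwarder is invoked."""


class Forwarder:
    """Revocable capability: forwards calls to the target until revoked."""

    def __init__(self, target: Callable[..., Any], label: str):
        self._target: Callable[..., Any] | None = target
        self.label = label

    def __call__(self, *args, **kwargs):
        if self._target is None:
            raise Revoked(self.label)
        return self._target(*args, **kwargs)

    def revoke(self) -> None:
        # Drop the only reference this holder has to the underlying authority.
        self._target = None


class Bundle:
    """Capabilities given to one person; revoking the bundle revokes them all."""

    def __init__(self, holder: str, caps: dict[str, Callable[..., Any]]):
        self.holder = holder
        self._fwd = {name: Forwarder(cap, f"{holder}:{name}") for name, cap in caps.items()}

    def __getitem__(self, name: str) -> Forwarder:
        return self._fwd[name]

    def duties(self) -> set[str]:
        return set(self._fwd)

    def revoke(self) -> None:
        for fwd in self._fwd.values():
            fwd.revoke()


def make_resources(audit: list[tuple[str, str]]) -> dict[str, Callable[[str], str]]:
    """Constructed stand-in authorities; each records its use in `audit`."""
    def authority(action: str) -> Callable[[str], str]:
        def do(item: str) -> str:
            audit.append((action, item))
            return f"{action}:{item}"
        return do
    return {a: authority(a) for a in ("approve_invoice", "sign_contract", "deploy", "read_logs")}


def handover_demo() -> dict[str, Any]:
    """Alice is promoted, Bob takes her old job; some of Bob's duties move with him."""
    audit: list[tuple[str, str]] = []
    res = make_resources(audit)

    alice = Bundle("alice", {k: res[k] for k in ("approve_invoice", "sign_contract")})
    bob_old = Bundle("bob", {k: res[k] for k in ("deploy", "read_logs")})
    alice["approve_invoice"]("inv-1")  # Alice exercises her authority while in the job

    # Job change: revoke both old bundles as units, then compose Bob's new bundle
    # from Alice's old duties plus the one ("deploy") that travels with him.
    # "read_logs" does not move and is simply not included.
    alice.revoke()
    bob_old.revoke()
    bob = Bundle("bob", {k: res[k] for k in alice.duties() | {"deploy"}})
    bob["deploy"]("v2")

    def is_revoked(fwd: Forwarder) -> bool:
        try:
            fwd("probe")
            return False
        except Revoked:
            return True

    return {
        "alice_revoked": is_revoked(alice["sign_contract"]),
        "old_bob_revoked": is_revoked(bob_old["read_logs"]),
        "bob_duties": bob.duties(),
        "audit": audit,
    }


if __name__ == "__main__":
    print(handover_demo())
```

The forwarder is what the post says you may call a "role" if a customer insists: it is the single object whose revocation ends a person's authority, but it carries no organization-wide meaning, so two organizations never have to agree on what it denotes.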