[cap-talk] Architectural Choices for Security -movingforward-How to migrate SOA from IBAC to ABAC
Mark Miller
erights at gmail.com
Wed Nov 14 13:37:19 EST 2007
On Nov 14, 2007 10:23 AM, Karp, Alan H <alan.karp at hp.com> wrote:
> I agree with everything you say, but I still think we need a more
> general term. As I'm talking about IBAC, I can just see them thinking
> "What's wrong with this guy? Hasn't he ever heard of RBAC?"
I've lately been happy using "identity-centric" vs
"authorization-centric". I then explain that ACLs, RBAC, PBAC, and MLS
are all identity-centric. Capabilities, Polaris, SPKI, and BitFrost
are authorization-centric.
By introducing the *-centric adjective, we get to coin categories that
include several *-based categories. People like categorization schemes
where the different levels of the tree are distinct: Genus, Phyla,
Species, ....
Also, the "centric" adjective avoids arguments about whether
identity-based controls are possible on an authorization-centric base,
or vice versa. In both cases, they are, but it's not central to those
respective systems.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM