[cap-talk] Architectural Choices: How to migrate from IBAC to ABAC
Karp, Alan H
alan.karp at hp.com
Thu Nov 15 20:53:02 EST 2007
Jed wrote:
>
> How would one authenticate a role? Aren't roles
> usually properties associated with users/identities?
>
In RBAC, users are assigned to roles, and permissions are associated
with roles. There are a number of ways to allow a user to take on a
role. In SOA, a SAML certificate designating a specific role is issued
to a particular public key. A user who knows the corresponding private
key is granted the rights of that role. Although the user's identity in
the form of an X.509 cert usually appears in the Subject field of the
SAML certificate, only the role is used in making the access decision.
> Sorry, I don't know what an "attribute" is in the
> above context or how one would be authenticated
> independent of a user/id. I'll leave it to you
> whether that's worth clarifying.
>
Policy-Based Access Control, à la KeyNote, is based on a user proving
possession of certain properties, for example "HP Employee" and "US
Citizen". HP may issue a SAML certificate for the first and the
government for the latter. A policy engine uses those attributes to
compute an access decision for each request. As with roles, the
attributes are associated with a Subject, but only the attributes
contribute to the decision.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Jed Donnelley
> Sent: Thursday, November 15, 2007 4:05 PM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Architectural Choices: How to migrate
> from IBAC to ABAC
>
> On 11/15/2007 1:45 PM, Karp, Alan H wrote:
> > Jed wrote:
> >> Right. It "authenticates" the capability, nothing to
> >> do with the requester. Is the term "authentication"
> >> so intrinsically tied up in the IT terminology with
> >> authenticating an identity (user) that people know
> >> to apply it in no other context?
> >
> > In my experience it is,
>
> OK, thanks. I'll stick with that.
>
> > with the proviso that we include authentication
> > of role and attributes.
>
> How would one authenticate a role? Aren't roles
> usually properties associated with users/identities?
>
> Sorry, I don't know what an "attribute" is in the
> above context or how one would be authenticated
> independent of a user/id. I'll leave it to you
> whether that's worth clarifying.
>
> --Jed http://www.webstart.com/jed/
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
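The scheme Alan describes above (an issuer binds a role or attribute to a public key, possession of the matching private key proves the right to use it, and a policy engine decides on the attributes alone while the Subject identity is carried but ignored), as an added example in Go; this is not code from the post or from any product named in it. It assumes ed25519 signatures and a constructed Assertion struct in place of real SAML/XML-DSig assertions, with "HP" and "Government" as the trusted issuers of "HP Employee" and "US Citizen".

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Assertion stands in for a SAML attribute assertion: an issuer binds one
// attribute to a subject key; Subject is the identity that is carried but unused.
type Assertion struct {
	Issuer, Subject, Attribute string
	SubjectPK                  ed25519.PublicKey
	Sig                        []byte
}
func signedBytes(a Assertion) []byte { // canonical content the issuer signs
	return []byte(a.Issuer + "|" + a.Subject + "|" + a.Attribute + "|" + string(a.SubjectPK))
}
// Issue lets an issuer (HP, a government) vouch for one attribute of a key.
func Issue(issuer, subject, attr string, sk ed25519.PrivateKey, pk ed25519.PublicKey) Assertion {
	a := Assertion{Issuer: issuer, Subject: subject, Attribute: attr, SubjectPK: pk}
	a.Sig = ed25519.Sign(sk, signedBytes(a))
	return a
}
// Decide is the policy engine. trusted maps each attribute to the one issuer key
// allowed to vouch for it; proof is the requester's signature over challenge.
// Assertions from untrusted issuers, for another key, or badly signed are ignored.
func Decide(trusted map[string]ed25519.PublicKey, required []string,
	pk ed25519.PublicKey, challenge, proof []byte, as []Assertion) bool {
	if !ed25519.Verify(pk, challenge, proof) {
		return false // requester does not hold the private key the assertions name
	}
	have := map[string]bool{}
	for _, a := range as {
		if issuerPK, ok := trusted[a.Attribute]; ok && a.SubjectPK.Equal(pk) &&
			ed25519.Verify(issuerPK, signedBytes(a), a.Sig) {
			have[a.Attribute] = true
		}
	}
	allowed := true
	for _, r := range required {
		allowed = allowed && have[r]
	}
	return allowed
}
func main() { // constructed keys and challenge; real deployments verify SAML/XML-DSig
	hpPK, hpSK, _ := ed25519.GenerateKey(rand.Reader)
	userPK, userSK, _ := ed25519.GenerateKey(rand.Reader)
	emp := Issue("HP", "CN=example", "HP Employee", hpSK, userPK)
	fmt.Println(Decide(map[string]ed25519.PublicKey{"HP Employee": hpPK}, []string{"HP Employee"},
		userPK, []byte("nonce-1"), ed25519.Sign(userSK, []byte("nonce-1")), []Assertion{emp}))
}
```

Changing the Subject string of an assertion has no effect on the result, which is the point of the post; changing its Attribute, issuer key or SubjectPK makes it fail verification and drop out of the decision.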