[cap-talk] Architectural Choices for Security: terminology
Karp, Alan H
alan.karp at hp.com
Sat Nov 17 23:56:59 EST 2007
Bill Frantz wrote:
>
> Well, RBAC is identity centric because first you identify the user and
> then determine which role(s) s/he can take on. BTSOOM what PBAC is?
>
Then capabilities are identity centric because first you identify the
users, then you decide which capabilities they get. That's clearly
wrong.
The key distinction is when the identity is used. In IBAC, it's used at
request time. In RBAC, it's used at role assignment time, but not at
request time. In PBAC, the user's identity is used to know what
attributes to assign to the user. These attributes are used by a policy
engine to make the access decision. All three of these are based on
authentication - of identity, role, or attributes - because the
authenticated information is used to look up ambient authorities.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
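Added example, not part of the post: a toy model of the distinction Alan draws, namely when identity is consulted. The resource, principal names and the second return value (whether the request-time decision looked up ambient authority from authenticated identity, role or attributes) are constructed for illustration.

```python
# Constructed model of IBAC, RBAC, PBAC and capabilities. Each authorizer
# returns (allowed, looked_up_ambient_authority): the flag records whether
# the decision at request time consulted a table keyed by authenticated
# identity/role/attributes. Only the capability check never does.
import secrets

RESOURCE = "report.txt"
ACL = {RESOURCE: {"alice"}}               # IBAC: identity -> rights
ROLE_OF = {"alice": "analyst"}            # RBAC: identity -> role, fixed at assignment time
ROLE_RIGHTS = {"analyst": {RESOURCE}}     # rights of each role
ATTRS_OF = {"alice": {"dept": "finance"}} # PBAC: identity -> attributes, fixed at assignment time
ISSUED = {}                               # capabilities: unguessable token -> resource

def policy(attrs, resource):
    """PBAC policy engine: decides from attributes, never from the user's name."""
    return resource == RESOURCE and attrs.get("dept") == "finance"

def ibac(user, resource):
    # Identity is matched against the ACL at request time.
    return user in ACL.get(resource, set()), True

def rbac(user, resource):
    # Identity chose the role earlier; the request presents the authenticated
    # role and uses it to look up the role's ambient authority.
    role = ROLE_OF.get(user)
    return resource in ROLE_RIGHTS.get(role, set()), True

def pbac(user, resource):
    # Identity chose the attributes earlier; the engine evaluates them now.
    return policy(ATTRS_OF.get(user, {}), resource), True

def grant(user, resource):
    """Capability issue: identity matters here, at grant time, and only here."""
    if user in ACL.get(resource, set()):
        token = secrets.token_hex(16)
        ISSUED[token] = resource
        return token
    return None

def capability(token, resource):
    # The request carries no identity: holding the token is the authority,
    # so a token alice hands to bob yields the same decision for bob.
    return ISSUED.get(token) == resource, False
```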