Evaluation of the debate (suitability of RBAC)
Given the overall scenario and context in which the RBAC security model is expected to work, I remain neutral, as a standalone implementation of RBAC is not adequate to meet the requirements. RBAC in and of itself has limitations, especially when it comes to SOA (service-oriented architecture). This point is supported by a post by Koot (2008), in which he stated that RBAC requires every user to be mapped to a role and, if the user is unknown, they are given a default account. However, once the user was outside the domain this proved to be an issue: even if the user is assigned a role, when coming in from an internet channel the system disregarded them all as unknown.
Figure 1.0 illustrates the functionality of RBAC (CA Technologies, 2014)
RBAC is not able to function via the concept of context: one is not able to configure restrictions based on context, namely the channel used (domain, the internet, VLAN, VPN), time of day (only within business hours), subject skills and other contextual policies. Within an enterprise, or even a company such as my present employer, flexibility in this regard is needed, as we have subjects that do not have an office desk but are constantly roaming, working internationally as well as regionally, and need access to real-time data from HQ.
Context-awareness is very important, thus RBAC is not able to fully control accessibility within the said environment; however, enhancing RBAC with XACML, a traditional access control model, will address said concern. Essentially, XACML is an attribute-based access control system in which attributes associated with a user, action or resource feed into the decision of whether a given subject may access an object in a particular manner or through a particular medium.
Figure 1.1 Runtime Administration of an RBAC Profile for XACML (Xu et al., 2011)
With the continued advancement of technology, especially in the realm of mobile development and the cloud, it has become increasingly complex to provide these services securely. Companies and organizations not only want to create policies around subject roles or groups, but want them extended to include device types, location, time constraints or the medium through which an object is accessed.
More about XACML
Kim (2009) examines the same in an article, where he stated: “XACML is an OASIS standard that describes both a policy language implemented in XML and an access control decision request/response language implemented in XML.”
The Advantages of XACML
- It’s standard – interoperable with other applications using said language. It can also be implemented on top of RBAC.
- It’s generic – it can be used in any environment; once the policies are configured, they can be used across multiple environments and applications, which in essence makes management and maintenance of said policies much simpler and more central.
- It’s distributed – it can combine sub-policies that are managed by different groups or departments within an organization.
- It’s powerful – supports a wide variety of data types, rules, and functions.
Figure 1.2 XACML Architecture & Flow (Wikipedia, n.d.)
Furthermore, XACML is able to handle anything from simple rules (“access only allowed during normal office hours”) to quite complex situations in which we demand “risk awareness”.
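To make the preceding points concrete (the contextual restrictions plain RBAC cannot express, attribute-driven decisions, sub-policies owned by different departments being combined, and a simple “office hours only” rule), here is an added Python illustration; it is not code from the original post or from any XACML implementation. It models XACML’s ideas (attribute categories, Permit/Deny rules, a deny-overrides combining algorithm, and a NotApplicable outcome) in plain Python rather than in XACML’s XML policy language, and layers them on top of an RBAC role mapping with a default role for unknown users. All user names, roles, resource names, channel values and policies are constructed for the example.

```python
"""Toy policy decision point (PDP) that layers XACML-style attribute rules on
top of an RBAC role mapping.  Constructed illustration, not an XACML engine."""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

# ---- RBAC layer: every user is mapped to a role; unknown users get a default ----
ROLE_ASSIGNMENTS: Dict[str, str] = {"alice": "manager", "bob": "analyst"}  # constructed
DEFAULT_ROLE = "guest"


def resolve_role(user: str) -> str:
    """Plain RBAC: the identity store knows the role, or the user is 'unknown'."""
    return ROLE_ASSIGNMENTS.get(user, DEFAULT_ROLE)


# ---- Attribute layer, modelled on XACML categories, rules and combining algorithms ----
Request = Dict[str, Dict[str, Any]]   # category -> attribute id -> value
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    rule_id: str
    effect: str           # "Permit" or "Deny"
    condition: Condition  # evaluated against the request attributes


@dataclass
class Policy:
    policy_id: str        # one sub-policy, e.g. owned by one department
    rules: List[Rule]


def combine_deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides: any Deny wins; otherwise any Permit; else NotApplicable."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def evaluate_policy(policy: Policy, request: Request) -> str:
    """Rule combining inside one policy: only rules whose condition holds vote."""
    return combine_deny_overrides([r.effect for r in policy.rules if r.condition(request)])


def evaluate(policies: List[Policy], request: Request) -> str:
    """Policy-set combining: sub-policies managed by different groups are merged."""
    return combine_deny_overrides([evaluate_policy(p, request) for p in policies])


def build_request(user: str, resource: str, action: str, channel: str, clock: str) -> Request:
    """The enforcement point enriches the request: RBAC supplies the role,
    the environment supplies the channel and the time of day ("HH:MM")."""
    return {
        "subject": {"subject-id": user, "role": resolve_role(user)},
        "resource": {"resource-id": resource},
        "action": {"action-id": action},
        "environment": {"channel": channel, "current-time": time.fromisoformat(clock)},
    }


def in_office_hours(req: Request) -> bool:
    return time(9, 0) <= req["environment"]["current-time"] < time(17, 0)


# Sub-policy 1 (constructed): which roles may read real-time HQ data.
HQ_DATA_POLICY = Policy("hq-data", [
    Rule("permit-staff-read", "Permit", lambda r:
         r["subject"]["role"] in {"manager", "analyst"}
         and r["resource"]["resource-id"] == "hq-realtime-data"
         and r["action"]["action-id"] == "read"),
])

# Sub-policy 2 (constructed): contextual restrictions plain RBAC cannot express.
CONTEXT_POLICY = Policy("context", [
    Rule("deny-outside-office-hours", "Deny", lambda r: not in_office_hours(r)),
    Rule("deny-unmanaged-channel", "Deny",
         lambda r: r["environment"]["channel"] not in {"domain", "vpn"}),
])

POLICIES = [HQ_DATA_POLICY, CONTEXT_POLICY]


def decide(user: str, resource: str, action: str, channel: str, clock: str) -> str:
    return evaluate(POLICIES, build_request(user, resource, action, channel, clock))


def pep_allows(decision: str) -> bool:
    """The enforcement point treats anything other than Permit as a refusal."""
    return decision == "Permit"


if __name__ == "__main__":
    for args in [("alice", "hq-realtime-data", "read", "vpn", "10:30"),
                 ("alice", "hq-realtime-data", "read", "vpn", "22:00"),
                 ("alice", "hq-realtime-data", "read", "internet", "10:30"),
                 ("mallory", "hq-realtime-data", "read", "domain", "10:30"),
                 ("bob", "hq-realtime-data", "write", "domain", "10:30")]:
        print(args, "->", decide(*args))
```

Running the block shows the roaming manager permitted over VPN during office hours, denied at 22:00 and denied over a plain internet channel, while an unknown user (mapped to the default role) and a write request fall through to NotApplicable, which the enforcement point treats as a refusal. The two sub-policies could be authored by different departments and are combined with deny-overrides, so a contextual Deny always wins over a role-based Permit.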
In conclusion, it is clear that XACML integrated on top of RBAC can provide the infrastructure both Alice and Bob were discussing.
CA Technologies (2014) Access Governance and RBAC, Available at: https://docops.ca.com/ca-identity-governance/12-6-02-cr1/EN/getting-started/access-governance-and-rbac (Accessed: Aug 21, 2016).
Kim, Y. (2009) Access Control Service Oriented Architecture Security, Available at: http://www.cse.wustl.edu/~jain/cse571-09/ftp/soa/#sec3.4 (Accessed: Aug 21, 2016).
Koot, A. (2008) RBAC limitations in SOA, Available at: http://id-use.blogspot.com/2008/09/rbac-limitations-in-soa.html (Accessed: Aug 21, 2016).
Wikipedia (n.d.) XACML Architecture & Flow, Available at: https://en.wikipedia.org/wiki/File:XACML_Architecture_%26_Flow.png (Accessed: Aug 21, 2016).
Xu, M., Wijesekera, D. and Zhang, X. (2011) Runtime Administration of an RBAC Profile for XACML, IEEE Transactions on Services Computing, 4(4), pp. 286-299.