XACML as an evolution step in an existing application

StackOverflow https://stackoverflow.com/questions/1625726

Question

I've begun doing some research on XACML and external authorization. Right now I have an existing application which utilizies an RBAC model. However the implementation has a lot of shortcomings (roles can't be easily defined, roles are too coarsly grained).

Is XACML a good alternative to look at? Are there any exisitng applications which have switched to XACML from an RBAC origin? Are there any shortcomings?

Was it helpful?

Solution

Disclaimer: I'm a developer for IBM, and I work on our product that uses XACML extensively (Tivoli Security Policy Manager). I'm a little biased towards XACML.

I think XACML is a great alternative, mainly because it can support almost any security model. I'd suggest modelling your existing RBAC solution in XACML (see the profile), then extending it to include finer-grained access control where your business requirements demand it.

Externalizing your authorization code into policy has the added advantage of being able to modify your application's security model without recompiling it.

Are there any exisitng applications which have switched to XACML from an RBAC origin?

Unfortunately I'm not aware of any particular examples, at least ones that I can talk about publicly. There is an internal IBM project that allocated a month for implementing their authorization module, but got it done in a week by externalizing it using our XACML implementation. This is obviously different to your example as it was a "green fields" development project, but highlights that there are benefits to be had with the general approach you're considering.

OTHER TIPS

I am the security architect at WSO2 - which develops WSO2 Identity Server, an open source Identity and Entitlement management server, with XACML suport.

I too believe XACML is a good alternative to externalize authorization logic from the application code. We recently worked with few customers [one of them is among Fortune 100] - moving to XACML from different proprietary authorization rules.

I agree with my counterparts from IBM and WS02 respectively. I work for Axiomatics. We focus exclusively on authorization based on XACML.

We have customers who moved from RBAC to ABAC. Some decided to use the RBAC profile for XACML as a middle step (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-rbac-v1-spec-cd-03-en.html). What's interesting is that you can use your existing RBAC infrastructure to build ABAC on top.

We haven't seen any shortcomings as yet. If anything, customers quickly see the ROI with XACML: it's cheaper and more flexible. You can use multiple implementations (you could mix IBM, WS02, and Axiomatics together and it would still work) and there is strong support from the industry.

Check out the XACML TC page for more info: http://www.oasis-open.org/committees/xacml/

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top