XACML as an evolutionary step in an existing application

I started doing some research on XACML and external authorization. I have an existing application that uses the RBAC model. However, the implementation has many drawbacks (roles cannot be easily defined, roles are too coarse).

Is XACML a good alternative? Are there any existing applications that switched to XACML from an RBAC source? Are there any disadvantages?

+6
architecture authorization xacml
3 answers

Disclaimer: I am a developer at IBM, and I work on our product that makes extensive use of XACML (Tivoli Security Policy Manager). I am somewhat biased towards XACML.

I think XACML is a great alternative, mainly because it can support almost any security model. I would suggest simulating your existing RBAC solution in XACML (see the RBAC profile), and then expanding it to include finer-grained access control where your business requirements ask for it.

Having your authorization logic in policy rather than in code has the additional advantage that the application's security model can be changed without recompiling.

Are there any existing applications that have switched to XACML from an RBAC source?

Unfortunately, I do not know of any specific examples, at least none that I can speak about publicly. There was an internal IBM project that had allocated a month to implementing its authorization module, but had it done within a week by building on our XACML implementation. This obviously differs from your situation, as it was a green-field development project, but it illustrates the advantages that the general approach you are considering may offer.

+6

I am a security architect at WSO2, working on the WSO2 Identity Server, an open-source XACML-enabled identity and entitlement management server.

I also think that XACML is a good alternative for externalizing authorization logic from application code. We recently worked with several clients [one of them in the Fortune 100] on their transition to XACML from various existing authorization rules.

+2

I agree with my colleagues from IBM and WSO2 respectively. I work at Axiomatics; we focus exclusively on XACML-based authorization.

We have clients who have moved from RBAC to ABAC. Some decided to use the RBAC profile for XACML as an intermediate step (http://docs.oasis-open.org/xacml/3.0/xacml-3.0-rbac-v1-spec-cd-03-en.html). Interestingly, you can use your existing RBAC infrastructure and build ABAC on top of it.

We have not seen any drawbacks so far. In any case, customers quickly see ROI with XACML: it is cheaper and more flexible. You can use several implementations (you could combine IBM, WSO2 and Axiomatics together and they would still work), and there is strong industry support.

Visit the XACML TC page for more information: http://www.oasis-open.org/committees/xacml/

0
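An added example (not from any of the answers or the products they mention) of the intermediate step the Axiomatics answer describes: a Role PolicySet and a Permission PolicySet in the XACML 3.0 RBAC profile, where the permission policy then gains one ABAC condition on top of the role check. The role name, resource, action, file names and the two integer attribute ids (order amount, approval limit) are constructed for this example.

```xml
<!-- File 1 (hypothetical role-purchasing-manager.xml): Role PolicySet, applies only to subjects whose role attribute is "purchasing-manager" -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="role:purchasing-manager"
    Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchasing-manager</AttributeValue>
      <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
          AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Match>
  </AllOf></AnyOf></Target>
  <!-- The role grants exactly what the referenced Permission PolicySet grants; nothing else. -->
  <PolicySetIdReference>permission:purchasing-manager</PolicySetIdReference>
</PolicySet>

<!-- File 2 (hypothetical permission-purchasing-manager.xml): Permission PolicySet -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicySetId="permission:purchasing-manager"
    Version="1.0" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
  <Target/> <!-- no subject test here: this set is reachable only through the Role PolicySet -->
  <Policy PolicyId="approve-purchase-orders" Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">purchase-order</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      </Match>
    </AllOf></AnyOf></Target>
    <!-- Pure RBAC would be a Rule with Effect="Permit" and no Condition. The Condition is the ABAC refinement:
         permit only when the order amount does not exceed the subject's approval limit (constructed attribute ids). -->
    <Rule RuleId="approve-within-limit" Effect="Permit"><Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:example:order-amount" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:example:approval-limit" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition></Rule>
  </Policy>
</PolicySet>
```

Both files are loaded into the PDP; a request for an approve action on a purchase-order is evaluated through the Role PolicySet, so a subject without the role never reaches the permission policy, and with deny-unless-permit a missing or oversized amount yields Deny rather than NotApplicable.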
