Resource Based Access Control vs Role Based Access Control

后端 未结 1 1674
轻奢々
轻奢々 2021-02-07 22:25

I am learning Apache Shiro, and I found this article:

The New RBAC: Resource-Based Access Control

And the author said:

.......you could as

1条回答
  •  梦谈多话
    2021-02-07 23:10

    This is the first time I hear of resource-based access control.

    I would be extremely careful in going down this path. In the world of authorization there are essentially 2 standards:

    • Role-based access control (RBAC) as standardized by NIST and implemented in thousands of apps and frameworks with support from the main vendors (CA, Oracle, IBM...)
    • Attribute-based access control (ABAC) as being standardized by NIST (also here) and equally well implemented by vendors such as IBM, Oracle, and Axiomatics which is where I work.

    Resource-based access control seems to be a model invented by Stormpath and supported by them only. It may be good but it will only work with their environment.

    Role-based and Attribute-based access control are well accepted paradigms supported by NIST and other standardization bodies such as OASIS (where SAML and XACML were defined 10 years ago and are still supported today).

    The question to you is: why is role-based access control not enough for you? Do you have a role explosion issue? Is it not expressive enough? Do you need to implement relationships between users, resources, and context?

    ABAC and XACML can let you do that. I posted a simple video a while back on YouTube that deals with attribute-based access control. Have a look.

    The bottom line is that RBAC and ABAC are standards that work across multiple applications and layers. Resource-based access control is specific to Apache Shiro only.

    0 讨论(0)
提交回复
热议问题