How does an access control mechanism (e.g., RBAC or ABAC) protect resources?

喜你入骨 submitted on 2019-12-08 13:37:00

Question


How does an access control mechanism (e.g., RBAC or ABAC) protect resources? I know how access control mechanisms such as RBAC, ABAC and so on work. In other words, I know how the access control engine evaluates requests and makes decisions (permit, deny, etc.). But, I do not know how they protect the resources.

I mean, how does, for example, ABAC enforce a Deny decision?

  • Are the resources encrypted?
  • Or are they stored in a secure database?

Answer 1:


RBAC and ABAC work in different ways to achieve similar goals: access control.

Both of their rationales are the same: to simplify authorization management. RBAC, though, happens mainly at administrative time where you assign users roles and permissions. You then let the target application enforce the authorizations based on the roles and permissions a user has. OAuth2 and scopes take on a similar approach. This leads to coupled authorization since it is up to the app to enforce the authorization. You will get code like if UserInRole(r) then...

RBAC also requires role engineering and can achieve some level of static segregation-of-duty (for instance a purchaser cannot be an approver at the same time).

In ABAC, you clearly decouple the application from the authorization logic. All the app does is call a Policy Decision Point that returns either a Permit or a Deny (according to the xacml standard).

The architecture is as follows (along with flow):

The PEP or Policy Enforcement Point is typically an interceptor or agent sitting in front of or inside the application you wish to protect. It can be an API gateway such as Mulesoft or a Servlet Filter. They are extremely easy to write usually. Axiomatics (which is where I work) provides a couple of SDKs to help you do that seamlessly.
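The two models the answer contrasts, as an added example that is not part of the original answer: the coupled RBAC check (authorization logic inside the business function) beside a decoupled ABAC setup where a PDP returns only Permit or Deny and a PEP interceptor in front of the function enforces it. All users, attributes, documents and the policy rule are constructed here; the PDP is a toy stand-in for a XACML engine, not a real product.

```python
from functools import wraps

# Constructed sample attribute stores (not from the original post)
USERS = {
    "alice": {"roles": {"purchaser"}, "department": "finance", "clearance": 2},
    "bob":   {"roles": {"approver"},  "department": "sales",   "clearance": 3},
}
DOCUMENTS = {
    "po-17": {"owner_dept": "finance", "classification": 2, "body": "purchase order 17"},
}

# --- RBAC, coupled: the application code itself holds the authorization check ---
def rbac_read(user, doc_id):
    if "purchaser" not in USERS[user]["roles"]:      # the "if UserInRole(r) then..." pattern
        raise PermissionError("Deny")
    return DOCUMENTS[doc_id]["body"]

# --- ABAC, decoupled: a PDP evaluates attributes; a PEP enforces its answer ---
class PDP:
    """Policy Decision Point: returns only 'Permit' or 'Deny', never the resource."""
    def decide(self, subject, action, resource):
        same_dept = subject["department"] == resource["owner_dept"]
        cleared = subject["clearance"] >= resource["classification"]
        if action == "read" and same_dept and cleared:
            return "Permit"
        return "Deny"                                   # default-deny

def pep(action, pdp):
    """Policy Enforcement Point as an interceptor in front of the business function."""
    def wrap(fn):
        @wraps(fn)
        def guarded(user, doc_id):
            decision = pdp.decide(USERS[user], action, DOCUMENTS[doc_id])
            if decision != "Permit":
                raise PermissionError("Deny")   # Deny enforced by never calling fn()
            return fn(user, doc_id)
        return guarded
    return wrap

@pep("read", PDP())
def abac_read(user, doc_id):
    return DOCUMENTS[doc_id]["body"]                   # no authorization logic in here

def outcome(read_fn, user, doc_id):
    """Helper for comparing the two models: 'Permit' if the body was returned, else 'Deny'."""
    try:
        read_fn(user, doc_id)
        return "Permit"
    except PermissionError:
        return "Deny"
```

Calling outcome(abac_read, "bob", "po-17") shows the answer to the question's "how is a Deny enforced": the PEP simply never invokes the function that would hand back the resource, so no encryption of the document itself is involved.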




Answer 2:


In addition to @DavidBrossard's wonderful explanation for RBAC and ABAC on protecting the resource, I would like to emphasize that these two mechanisms are specifically for the access controls, i.e. how the decision is done on accessing the resource by the requestor, but it doesn't address the message level security.

As I understood your question, you are concerned about message level or transport level security. For example, the message encryption, its integrity, non-repudiation etc. are message level or transport level security and cannot be addressed directly using RBAC or ABAC. These are the security controls that are governed outside the scope of the access control mechanism.

For example, if you want to make sure to store something in secured DB and encrypted format, then these can be controlled by organization's compliance policies defined for writing such data (e.g. PCI related data).

RBAC and ABAC are the mechanisms which can answer only the question: Who can access what and/or under what conditions?

Hope it clarifies if I understood correctly.



Source: https://stackoverflow.com/questions/49716401/how-does-an-access-control-mechanism-e-g-rbac-or-abac-protect-resources
