Fine Grained Access Control Strategies

There are two strategies for adopting a Fine Grained Access Control mechanism.


  1. Access Control Lists (ACL)
  2. Rules based approach


1. Access Control Lists

This is a very proprietary approach. For more information, see http://en.wikipedia.org/wiki/Access_control_list

PicketLink3 has a permission-based model. The permissions can be stored in a DB or in LDAP.


2. Rules based approach

Access Control decisions can be governed with rules.

2.1 Drools

A simple way to incorporate a rules-based access control mechanism.

Pros:

  • Simple strategy.
  • Guvnor is available to edit and manage rules.


Cons:

  • Not a standard.


Availability:

PicketBox5 has Drools based authorization.


2.2 OASIS XACML

Currently the only available standard for FGA. It requires policies written in XML, and good editing tools for those policies are not available. PicketBox XACML supports OASIS XACML v2.


Pros:

  • OASIS standard.
  • Extremely capable framework.


Cons:

  • Requires XML.
  • No good tool exists to manage the policy files.

Availability:

PicketBox XACML is an independent library that can be incorporated into any Java framework.

Terminology

I differentiate two models used in access control: the enforcement model and the entitlement model.

 

Enforcement Model: the server performs an access check on every call and returns a yes/no decision.

Entitlement Model: the client asks the server which permissions/entitlements the user/subject holds in a particular context.
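To make the two models concrete, here is an added example (written for this page, not PicketBox or PicketLink code) that evaluates one toy permit-overrides rule set, which also folds in an ACL as a rule, both per call (enforcement) and as a permission set for a context (entitlement). Subjects, the ACL, the rules and the contexts are all constructed for the example; the point it shows is that an entitlement answer is a snapshot of one context, so a client enforcing from it can diverge from what the server would decide on the next call.

```python
from typing import Callable, Dict, FrozenSet, List, Set

# Constructed sample data: a subject is a dict of attributes, a context is a dict
# of request-time facts (resource owner, hour of day). All names are invented.
Subject = Dict[str, object]
Context = Dict[str, object]
Rule = Callable[[Subject, str, str, Context], bool]

ACTIONS = ("read", "edit", "delete")

# Strategy 1, an ACL: resource -> subject id -> granted actions (constructed).
ACL: Dict[str, Dict[str, Set[str]]] = {"doc1": {"carol": {"read"}}}

def acl_grants(subj: Subject, action: str, resource: str, ctx: Context) -> bool:
    return action in ACL.get(resource, {}).get(str(subj["id"]), set())

# Strategy 2, rules: predicates over subject, action, resource and context.
def owner_may_edit(subj: Subject, action: str, resource: str, ctx: Context) -> bool:
    return action in ("read", "edit") and ctx.get("owner") == subj["id"]

def admins_do_anything(subj: Subject, action: str, resource: str, ctx: Context) -> bool:
    return "admin" in subj["roles"]

def business_hours_read(subj: Subject, action: str, resource: str, ctx: Context) -> bool:
    hour = ctx.get("hour", -1)
    return action == "read" and 9 <= hour < 17

RULES: List[Rule] = [acl_grants, owner_may_edit, admins_do_anything, business_hours_read]

def is_permitted(subj: Subject, action: str, resource: str, ctx: Context) -> bool:
    """Enforcement model: the server answers yes/no for this one call.
    Permit-overrides: any matching rule grants; nothing matching denies by default."""
    return any(rule(subj, action, resource, ctx) for rule in RULES)

def entitlements(subj: Subject, resource: str, ctx: Context) -> FrozenSet[str]:
    """Entitlement model: the client asks which actions the subject holds in ctx.
    The answer is a snapshot; it is only valid for the context it was computed in."""
    return frozenset(a for a in ACTIONS if is_permitted(subj, a, resource, ctx))

if __name__ == "__main__":
    bob = {"id": "bob", "roles": ["user"]}
    day = {"owner": "alice", "hour": 10}
    night = {"owner": "alice", "hour": 18}
    cached = entitlements(bob, "doc1", day)  # frozenset({'read'})
    print("cached entitlements:", sorted(cached))
    # Client-side enforcement from the stale snapshot would still allow a read
    # that the server, re-evaluating per call, now denies.
    print("server says at 18:00:", is_permitted(bob, "read", "doc1", night))  # False
```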