Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’ve begun doing some research on XACML and external authorization. Right now I have an existing application which utilizies an RBAC model. However the implementation has a lot of shortcomings (roles can’t be easily defined, roles are too coarsly grained).
Is XACML a good alternative to look at? Are there any exisitng applications which have switched to XACML from an RBAC origin? Are there any shortcomings?
Disclaimer: I’m a developer for IBM, and I work on our product that uses XACML extensively (Tivoli Security Policy Manager). I’m a little biased towards XACML.
I think XACML is a great alternative, mainly because it can support almost any security model. I’d suggest modelling your existing RBAC solution in XACML (see the profile), then extending it to include finer-grained access control where your business requirements demand it.
Externalizing your authorization code into policy has the added advantage of being able to modify your application’s security model without recompiling it.
Unfortunately I’m not aware of any particular examples, at least ones that I can talk about publicly. There is an internal IBM project that allocated a month for implementing their authorization module, but got it done in a week by externalizing it using our XACML implementation. This is obviously different to your example as it was a “green fields” development project, but highlights that there are benefits to be had with the general approach you’re considering.