KuppingerCole Report
Advisory Note
By Dan Blum

Unifying RBAC and ABAC in a Dynamic Authorization Framework

Mastering authorization is critical for modern organizations with multiple user constituencies, applications, and data types. Groups are necessary but not sufficient in complex environments. Roles are handy for adding manageability and assurance to coarse- or medium-grained authorization but break down in the face of dynamic environments or complex access policies. Attribute-based access control (ABAC) has gained adherents, but is in fact just another piece of the puzzle. In this note, KuppingerCole will unfold the dimensions of a unified authorization framework incorporating all of the above and more.

1 Management Summary

Dynamic authorization in complex enterprise IT environments is one of the most challenging parts of identity and access management (IAM) and informati ...


2 Highlights

  • Organizations with a mix of medium- to high-risk custom, COTS, and SaaS applications often struggle with authorization
  • Conventional group and role ...

3 Authorization Challenges

Many large, established organizations operate diverse portfolios of custom-developed, commercial off-the-shelf (COTS), and software-as-a-service (SaaS ...

  • Billions of entitlements may be required for thousands of people (or subjects) times millions of data elements.
  • Complexity grows when subjects mus ...

4 Authorization Requirements for the Future State

Amidst the fast-moving zeitgeist of the digital transformation, running a competitive company, effective government agency, or university requires con ...


4.1 Types of Authorization

Different types of authorization are required:

Initial Authorization: There is a difference – and an overlap – between authentication and autho ...


5 Authorization Frameworks

Many vendors will claim they have the solution to the authorization challenge. Directory vendors offer a consolidated directory to store groups; provi ...

  • Governance: Admin time authorization management sets policy, handles access requests or access reviews, and provisions access.
  • The policy models ...

5.1 Policy Models

Done properly, governance and runtime authorization come together in the policy models. Authorization policy models structure the actual criteria used ...


5.1.1 Groups

Access control groups are data structures containing a list of named users. Typically, a group also has one or more users defined as its owner. The fo ...


5.1.2 Role-Based Access Control (RBAC)

A role is a type of attribute describing what a user does in an organization or an application. RBAC is the name for various methodologies for using o ...


5.1.3 Attribute-Based Access Control (ABAC)

The ABAC model proposes a “unified field” for authorization policy models. In ABAC, all the following types of data are modeled as attributes:

  • Su ...

5.1.4 Entitlements and Entitlements Sets

Entitlements are data items tracked to record what a subject can do with, or to, a resource, such as a file or application data object. The term “ ...


5.1.5 Access Policy Expressions (Rules)

Access policy expressions are rules that are used to evaluate attributes (including roles, group memberships, resource attributes, etc.) in an authori ...


5.2 Runtime Authorization

Runtime authorization is the real-time access policy enforcement at a gateway or resource level. Authorization decisions are made using policy model a ...


5.2.1 Patterns

Table 1 lists typical types of runtime authorization patterns. Many of these patterns can be composed or combined in real-world use cases. For example, ...

Figure 4 depicts a basic “enterprise (web) application using PIP” authorization pattern. After a PEP authenticates the user (typically using a log ...

The other runtime authorization patterns in Table 1 come into play when multiple IAM domains interact, when applications interact via APIs, and betwee ...
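The access policy expressions of section 5.1.5 and the PEP/PDP/PIP pattern of section 5.2.1 can be shown together in a small, self-contained policy engine. The code below is an added example written for this page, not code from the KuppingerCole note or from any vendor product: roles and group memberships are modeled as subject attributes (the "unified field" of section 5.1.3), a PIP resolves attributes from constructed sample directories, a PDP evaluates rules with a deny-overrides combining algorithm, and a PEP turns the decision into a yes/no enforcement result. All user, resource, group and rule names are assumptions invented for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# --- PIP: attribute sources consulted at decision time (constructed sample data) ---
USER_DIRECTORY = {
    "alice": {"roles": {"claims_adjuster"}, "groups": {"eu-staff"},
              "department": "claims", "clearance": 2},
    "bob":   {"roles": {"auditor"}, "groups": {"eu-staff"},
              "department": "finance", "clearance": 3},
}
RESOURCE_DB = {
    "claim/1001": {"type": "claim", "owner_department": "claims", "sensitivity": 2, "region": "EU"},
    "claim/2002": {"type": "claim", "owner_department": "claims", "sensitivity": 3, "region": "US"},
}
# Group membership is just another attribute; here it derives the regions a subject may touch.
GROUP_REGIONS = {"eu-staff": {"EU"}, "us-staff": {"US"}}


def pip_subject(user_id: str) -> dict:
    """Resolve subject attributes (roles, groups, derived regions) for a user id."""
    attrs = dict(USER_DIRECTORY.get(user_id, {}))  # unknown user -> no attributes
    attrs["regions"] = set().union(*(GROUP_REGIONS.get(g, set()) for g in attrs.get("groups", ())))
    return attrs


@dataclass
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    # condition(subject, resource, action, environment) -> bool
    condition: Callable[[dict, dict, str, dict], bool]


@dataclass
class Decision:
    effect: str  # "Permit", "Deny" or "NotApplicable"
    rule: Optional[str]


# --- Policy: access policy expressions over subject, resource, action and environment ---
POLICY = [
    # Resource attribute vs. subject attribute: sensitivity may never exceed clearance.
    Rule("clearance-floor", "Deny",
         lambda s, r, a, e: r["sensitivity"] > s.get("clearance", 0)),
    # Environment attribute: updates only inside the change window; missing hour fails closed.
    Rule("change-window", "Deny",
         lambda s, r, a, e: a == "update" and (e.get("hour") is None or not 8 <= e["hour"] < 18)),
    # Role-based rule refined by attributes: adjusters act on their own department's claims in their region.
    Rule("adjuster-own-dept-region", "Permit",
         lambda s, r, a, e: "claims_adjuster" in s.get("roles", ()) and a in {"read", "update"}
         and r["owner_department"] == s.get("department") and r["region"] in s.get("regions", ())),
    # Pure role-based rule: auditors may read any claim.
    Rule("auditor-read-all", "Permit",
         lambda s, r, a, e: "auditor" in s.get("roles", ()) and a == "read"),
]


def evaluate(policy: list, subject: dict, resource: dict, action: str, env: dict) -> Decision:
    """PDP: deny-overrides combining algorithm over the rule list."""
    first_permit = None
    for rule in policy:
        try:
            matched = rule.condition(subject, resource, action, env)
        except KeyError:  # a referenced attribute is absent: the rule does not match
            matched = False
        if matched and rule.effect == "Deny":
            return Decision("Deny", rule.name)  # any Deny wins immediately
        if matched and first_permit is None:
            first_permit = rule
    if first_permit is not None:
        return Decision("Permit", first_permit.name)
    return Decision("NotApplicable", None)


def pep_authorize(user_id: str, resource_id: str, action: str, env: dict) -> bool:
    """PEP: gather attributes via the PIP, ask the PDP, enforce deny-by-default."""
    resource = RESOURCE_DB.get(resource_id)
    if resource is None:
        return False
    decision = evaluate(POLICY, pip_subject(user_id), resource, action, env)
    return decision.effect == "Permit"


if __name__ == "__main__":
    for user, res, act, env in [("alice", "claim/1001", "read", {"hour": 10}),
                                ("alice", "claim/2002", "update", {"hour": 10}),
                                ("alice", "claim/1001", "update", {"hour": 22}),
                                ("bob", "claim/1001", "update", {"hour": 10})]:
        d = evaluate(POLICY, pip_subject(user), RESOURCE_DB[res], act, env)
        print(f"{user} {act} {res} -> {d.effect} ({d.rule})")
```

Two design points are worth noting. A "NotApplicable" result (no rule matched at all, as for bob updating a claim) is enforced as a denial by the PEP, so a gap in the policy never grants access; and a rule that references an attribute the PIP could not supply is treated as not matching, which keeps Permit rules from firing on incomplete data while Deny rules such as the change window fail closed explicitly.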


5.3 Admin Time Authorization

Access policy data must be created and managed for use in runtime authorization. Admin time authorization is the “access management” portion of IA ...


6 Putting the Pieces Together

An optimal authorization solution can be developed to meet complex requirements using a hybrid of RBAC and ABAC supported by appropriate admin time and r ...


7 Recommendations

KuppingerCole recommends organizations with a mix of medium- to high-risk custom, COTS, and SaaS applications follow the guidance in this Note to deve ...


8 Conclusion

A dynamic authorization architecture combines RBAC, ABAC, and multiple admin time and runtime authorization patterns to create a flexible platform for ...


Copyright

©2020 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.
