World Cup of Access Control: ACL v. RBAC v. Capability v. ABAC

2 min read Original article ↗

Mike Schwartz

Press enter or click to view image in full size

World Cup of Access Control Models

Authorization requests generally align with the PARC model: Principal, Action, Resource, Context. Access control models use these request inputs differently. The question GovOps seeks to answer is: “Which approach is the best for measuring risk?”

Resource-based access control, especially ACLs, starts with the resource. ACLs can tell us when access is allowed to a resource. But ACLs are hard to correlate to risk when the action is unclear. So many ACL’s include the action in the metadata of the ACL itself by combining them into the policy. For example, think of Unix file permissions or database or LDAP access control (remember the Sun Directory Server aci attribute…). Without the action, the risk signal is incomplete.

Attribute-based access control adds context: Context is essential for runtime decisions, but context alone is not a governance unit. The possible variables and combinations are effectively infinite.

Principal-based access control starts with identity: user, group, role, service account, workload, or agent. It’s an obvious approach. What are the humans allowed to do? Or what are the agents allowed to do? But identity alone does not correlate directly to risk. To calculate risk, we need to map people to entitlements.

Capability-based access control focuses on the compound key of Action + Resource. This correlates roughly to “entitlement”, and is the clearest unit of governance to measure risk. Capability is more active — it’s something you can do; entitlement is something you’re permitted to do. It’s a subtle nuance, but capability removes a layer of abstraction. Capabilities can be inventoried, classified, assigned owners, mapped to controls, monitored, and measured. If you want to measure access risk, capability is the right unit.

PARC shows that identity, action, resource, and context all matter. But if the goal is to measure and govern access risk, the center of gravity should be capability: Action + Resource.