How does an access control mechanism (e.g., RBAC or ABAC) protect resources?

Views: 210

Question



How does an access control mechanism (e.g., RBAC or ABAC) protect resources? I know how access control mechanisms such as RBAC, ABAC and so on work. In other words, I know how the access control engine evaluates requests and makes decisions (permit, deny, etc.). But, I do not know how they protect the resources.

I mean, how does, for example, ABAC enforce a Deny decision?

  • Are the resources encrypted?
  • Or are they stored in a secure database?

Answer

RBAC and ABAC work in different ways to achieve similar goals: access control.

Both of their rationales are the same: to simplify authorization management. RBAC, though, happens mainly at administrative time where you assign users roles and permissions. You then let the target application enforce the authorizations based on the roles and permissions a user has. OAuth2 and scopes take on a similar approach. This leads to coupled authorization since it is up to the app to enforce the authorization. You will get code like if UserInRole(r) then...

RBAC also requires role engineering and can achieve some level of static segregation-of-duty (for instance a purchaser cannot be an approver at the same time).

In ABAC, you clearly decouple the application from the authorization logic. All the app does is call a Policy Decision Point that returns either a Permit or a Deny (according to the standard).

The architecture is as follows (along with flow):

The PEP or Policy Enforcement Point is typically an interceptor or agent sitting in front of or inside the application you wish to protect. It can be an API gateway such as Mulesoft or a Servlet Filter. They are extremely easy to write usually. Axiomatics (which is where I work) provides a couple of SDKs to help you do that seamlessly.
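A minimal runnable version of the PEP/PDP architecture the answer describes, added here as an example; it is not code from the answer, from Axiomatics, or from any SDK. It also answers the question's "how is a Deny enforced?": the PEP sits in front of the resource handler and simply never invokes it on Deny, so the record is neither encrypted nor moved, just unreachable through the guarded path. Policy names, attribute names, users and records are constructed for the example; the "Permit"/"Deny" values and deny-overrides combining follow the XACML convention, which I assume is "the standard" the answer refers to. The coupled `rbac_read_record` function is included for contrast with the `if UserInRole(r)` style the answer criticises.

```python
"""Added example (not from the original answer): an ABAC PDP, a PEP that
enforces its decisions, and a coupled RBAC check for contrast.
All policies, attributes and records below are constructed."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attributes = Dict[str, Any]


@dataclass
class Request:
    """Attribute bundle the PEP sends to the PDP."""
    subject: Attributes
    action: str
    resource: Attributes
    environment: Attributes = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    effect: str                          # "Permit" or "Deny"
    applies: Callable[[Request], bool]   # target and condition as one predicate


class PolicyDecisionPoint:
    """Evaluates all policies; a matching Deny overrides; nothing applicable means Deny."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies

    def decide(self, req: Request) -> str:
        effects = {p.effect for p in self.policies if p.applies(req)}
        if "Deny" in effects:
            return "Deny"
        return "Permit" if "Permit" in effects else "Deny"   # fail closed


class AccessDenied(Exception):
    pass


class PolicyEnforcementPoint:
    """Interceptor in front of a resource handler (the Servlet-filter / gateway role)."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit: List[Tuple[str, str, str, str]] = []   # (subject, action, resource, decision)

    def guard(self, action: str, handler: Callable[[Attributes], Any]) -> Callable:
        def wrapped(subject: Attributes, resource: Attributes, env=None) -> Any:
            decision = self.pdp.decide(Request(subject, action, resource, env or {}))
            self.audit.append((subject["id"], action, resource["id"], decision))
            if decision != "Permit":
                # Enforcement: the handler is never called, so the resource is never read.
                raise AccessDenied(f"{action} on {resource['id']} by {subject['id']}")
            return handler(resource)
        return wrapped


def business_hours(req: Request) -> bool:
    return 9 <= req.environment.get("hour", -1) < 17


POLICIES = [   # constructed policies
    Policy("owner-can-read", "Permit",
           lambda r: r.action == "read" and r.subject["id"] == r.resource["owner"]),
    Policy("doctor-reads-own-department", "Permit",
           lambda r: r.action == "read" and "doctor" in r.subject["roles"]
           and r.subject.get("department") == r.resource["department"]),
    Policy("export-needs-high-clearance", "Permit",
           lambda r: r.action == "export" and r.subject.get("clearance") == "high"),
    Policy("no-export-outside-business-hours", "Deny",
           lambda r: r.action == "export" and not business_hours(r)),
]

# Plain data store: nothing is encrypted; protection comes from the PEP in front of it.
RECORDS = {"rec-1": {"id": "rec-1", "owner": "alice", "department": "cardiology",
                     "body": "patient chart"}}


def read_record(resource: Attributes) -> str:
    return RECORDS[resource["id"]]["body"]


PEP = PolicyEnforcementPoint(PolicyDecisionPoint(POLICIES))
guarded_read = PEP.guard("read", read_record)
guarded_export = PEP.guard("export", read_record)


def rbac_read_record(subject: Attributes, resource: Attributes) -> str:
    """Coupled style from the answer: the role check is embedded in application code."""
    if "doctor" not in subject["roles"]:
        raise AccessDenied("role check failed")
    return read_record(resource)


def attempt(call: Callable, *args: Any) -> str:
    """Decision as experienced by the caller of a guarded handler."""
    try:
        call(*args)
        return "Permit"
    except AccessDenied:
        return "Deny"


ALICE = {"id": "alice", "roles": ["patient"]}
BOB = {"id": "bob", "roles": ["doctor"], "department": "cardiology", "clearance": "high"}
CAROL = {"id": "carol", "roles": ["doctor"], "department": "oncology"}
REC = {"id": "rec-1", "owner": "alice", "department": "cardiology"}

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who["id"], "ABAC read:", attempt(guarded_read, who, REC),
              "| RBAC read:", attempt(rbac_read_record, who, REC))
    print("bob export at 10h:", attempt(guarded_export, BOB, REC, {"hour": 10}))
    print("bob export at 22h:", attempt(guarded_export, BOB, REC, {"hour": 22}))
```

Running it shows the decoupling the answer is after: the application code (`read_record`) contains no authorization logic at all, the PEP is a few lines that can wrap any handler, and changing who may read what (owner, department, time of day) is a policy edit at the PDP rather than a code change. The RBAC contrast shows the coarseness of a role-only check: Alice cannot read her own record and Carol can read a record outside her department, because a role says nothing about ownership or department.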
