We’ve all heard the complaint, Role-Based Access Control (RBAC) doesn’t work. It leads to 'Role Explosion', defined as an inordinate number of roles in a production environment. Nobody knows who is assigned to what, because there are hundreds, if not thousands of roles to keep track of. We could try Attribute-Based Access Control (ABAC), but that leads to a whole different set of problems, including non-standard implementations, complexity and lack of integrity. What's a system implementer to do?
There's a way of having both together, capturing the strengths of each while limiting their shortcomings. This talk discusses standards-based RBAC and how it can be enhanced to eliminate long entrenched problems by sprinkling attributes into the mix. At the same time we'll look at an open source implementation, Apache Fortress, that illustrates the techniques discussed in the talk using an LDAP data model.