Towards an Attribute-Based Role-Based Access Control System
2019-11-05, 11:00–11:45, Main Conference Room

Click HERE to view the presentation slide deck.

We’ve all heard the complaint, Role-Based Access Control (RBAC) doesn’t work. It leads to 'Role Explosion', defined as an inordinate number of roles in a production environment. Nobody knows who is assigned to what, because there are hundreds, if not thousands of roles to keep track of. We could try Attribute-Based Access Control (ABAC), but that leads to a whole different set of problems, including non-standard implementations, complexity and lack of integrity. What's a system implementer to do?
There's a way of having both together, capturing the strengths of each while limiting their shortcomings. This talk discusses standards-based RBAC and how it can be enhanced to eliminate long entrenched problems by sprinkling attributes into the mix. At the same time we'll look at an open source implementation, Apache Fortress, that illustrates the techniques discussed in the talk using an LDAP data model.


The talk will center around a typical RBAC use case to implement fine-grained access control inside of a traditional web application. The first demo (App1) will show where the traditional RBAC model falls short. The second demo (App2) will show how using dynamic role constraints solves the problem.