Network Security SecProg

Re: Authorization Framework.

Subject: Re: Authorization Framework.
Date: Thu, 20 Jan 2005 21:16:59 -0500
Babu Kopparam wrote:

Hi Experts,

I am working for a product company which owns around 80 products.
My role is to provide a security framework to all the teams.

I have proposed RBAC (referring to NIST's specification) as the suitable
solution for Authorization.

I want to know if my selection is right, OR if there is any other widely
used method.

Hola Babu,

The short answer is: "It depends . . ." :) The longer answer is that it depends upon the demographics of the user base. Example: If the application is an order entry system and the only people who will be using it are order entry clerks in a sales department (i.e. homogeneous with respect to the risk/trust model), then RBAC is not a good choice for authorization. If it is a system which is intended to be used by not only the order entry clerks but by the rest of the sales department, the production department and the company's customers (who might be allowed to enter and modify their own orders), then RBAC is the most appropriate choice . . .

Good luck! If you find that RBAC is the appropriate authentication mechanism, take great care with its implementation. For an organization that is not used to it, it is a significant challenge to define the role hierarchies and inheritance rules correctly. It is an even greater challenge to code the application and authorization subsystem correctly. Then comes the challenge of how and where to store the data the subsystem needs (see, for instance, the SESAME project: https://www.cosic.esat.kuleuven.ac.be/sesame/).

Bottom line: RBAC is a great tool, but one must implement it with care, especially if there are cases of dynamic separation of duties and/or Chinese walls.

Cheers,

/g
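As an added illustration of the implementation pitfalls the reply points at (this is example code, not anything from the thread or from the NIST document), the following small engine models the parts of the NIST RBAC standard that the reply says are hardest to get right: a role hierarchy in which senior roles inherit junior roles' permissions, static separation of duty enforced when roles are assigned, and dynamic separation of duty enforced per session when roles are activated. Role names, permission strings, users and the order-entry scenario are all constructed for the example; Chinese-wall constraints are not modelled.

```python
"""Minimal RBAC engine: role hierarchy plus static and dynamic separation of duty.

Added example, not code from the SecProg thread. Role, permission and user
names below are constructed for illustration; the concepts follow the NIST
RBAC model the original poster refers to.
"""


class RBACError(Exception):
    """Raised when an assignment or activation would violate a constraint."""


class RBAC:
    def __init__(self):
        self.perms = {}      # role -> permissions granted directly to that role
        self.juniors = {}    # role -> junior roles whose permissions it inherits
        self.assigned = {}   # user -> roles assigned to the user
        self.ssd = []        # (frozenset of roles, n): a user may hold fewer than n of them
        self.dsd = []        # (frozenset of roles, n): a session may activate fewer than n of them
        self.sessions = {}   # session id -> (user, set of currently active roles)

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def _closure(self, roles):
        """All roles reachable downward through the hierarchy (senior inherits junior)."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def add_ssd(self, roles, n=2):
        self.ssd.append((frozenset(roles), n))

    def add_dsd(self, roles, n=2):
        self.dsd.append((frozenset(roles), n))

    def assign(self, user, role):
        """Static SoD is checked at assignment time over the hierarchy closure,
        so a senior role cannot smuggle in a conflicting junior role."""
        new = self.assigned.get(user, set()) | {role}
        eff = self._closure(new)
        for rs, n in self.ssd:
            if len(eff & rs) >= n:
                raise RBACError(f"SSD violation: {user} would hold {sorted(eff & rs)}")
        self.assigned[user] = new

    def open_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def activate(self, sid, role):
        """Dynamic SoD is checked per session: a user may be assigned both of two
        conflicting roles but must not act in both within one session."""
        user, active = self.sessions[sid]
        if role not in self._closure(self.assigned.get(user, set())):
            raise RBACError(f"{user} is not authorized for role {role}")
        eff = self._closure(active | {role})
        for rs, n in self.dsd:
            if len(eff & rs) >= n:
                raise RBACError(f"DSD violation in session {sid}: {sorted(eff & rs)}")
        active.add(role)

    def check(self, sid, perm):
        """Permission checks consult only the roles active in the session,
        never the full set of roles the user happens to be assigned."""
        _, active = self.sessions[sid]
        return any(perm in self.perms.get(r, ()) for r in self._closure(active))


def demo():
    """Constructed order-entry scenario; returns the outcome of each check."""
    ac = RBAC()
    ac.add_role("order_clerk", perms={"order:create", "order:edit"})
    ac.add_role("order_approver", perms={"order:approve"})
    ac.add_role("customer", perms={"order:create_own"})
    ac.add_role("sales_manager", perms={"report:read"}, inherits=["order_clerk"])
    ac.add_dsd({"order_clerk", "order_approver"})   # never enter and approve in one session
    ac.add_ssd({"customer", "order_approver"})      # a customer account is never an approver

    ac.assign("alice", "sales_manager")
    ac.assign("alice", "order_approver")
    ac.assign("bob", "customer")

    out = {}
    ac.open_session("s1", "alice")
    ac.activate("s1", "sales_manager")
    out["mgr_can_create"] = ac.check("s1", "order:create")    # inherited from order_clerk
    out["mgr_can_approve"] = ac.check("s1", "order:approve")  # approver role not active
    try:
        ac.activate("s1", "order_approver")
        out["dsd_blocked"] = False
    except RBACError:
        out["dsd_blocked"] = True
    ac.open_session("s2", "alice")                # a separate session may approve
    ac.activate("s2", "order_approver")
    out["approver_can_approve"] = ac.check("s2", "order:approve")
    out["approver_can_create"] = ac.check("s2", "order:create")
    try:
        ac.assign("bob", "order_approver")
        out["ssd_blocked"] = False
    except RBACError:
        out["ssd_blocked"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two places where implementations usually go wrong are visible here: the SoD checks are computed over the hierarchy closure rather than the literal role names (otherwise assigning a senior role bypasses a constraint on its junior), and `check` looks only at roles activated in the session, so holding a role and acting in it are kept distinct, which is what makes dynamic separation of duty enforceable at all.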
