There are two strategies for adopting a Fine Grained Access Control mechanism.
- Access Control Lists (ACL)
- Rules based approach
1. Access Control Lists
This is a very proprietary approach. For more information, please follow http://en.wikipedia.org/wiki/Access_control_list
PicketLink3 has a permission based model. The permissions can be stored in DB or LDAP.
2. Rules based approach
Access Control decisions can be governed with rules.
2.1 Drools
Simple mechanism to incorporate a rules based access control mechanism.
Pros:
- Simple strategy.
- Guvnor is available to edit and manage rules.
Cons:
- Not a standard.
Availability:
PicketBox5 has Drools based authorization.
2.2 OASIS XACML
Currently the only available standard for FGA. Requires the availability of policies written in XML and the unavailability of good editing tools. PicketBox XACML supports OASIS XACML v2.
Pros:
- OASIS standard.
- Extremely capable framework.
Cons:
- Requires XML
- No good tool exists to manage the policy files.
Availability:
PicketBox XACML is an independent library that can be incorporated into any Java framework.
Terminology
I differentiate the models used in access control: Enforcement vs Entitlements Models
Enforcement Model: server checks access checks per call. Yes/No type of a behavior.
Entitlement Model: client asks server for a particular context, what permissions/entitlements does the user/subject has.
Comments