Over the past several years, there has been much discussion around terms such as RBAC (Role Based Access Control), ABAC (Attribute Based Access Control), Dynamic Authorization Management (DAM) and standards such as XACML. Other terms, such as RiskBAC (Risk Based Access Control), have been introduced more recently.
In particular, a frequent discussion has been going on between RBAC and ABAC enthusiasts as to whether attributes should or must replace roles. However, most RBAC approaches in practice rely on more than roles alone (i.e. on other attributes as well), while roles are a common attribute in ABAC. In practice, it is not RBAC vs. ABAC, but rather a continuum.
During this session, Martin Kuppinger will open the discussion on the different ways in which access is granted - in a static, ACL-like approach or more dynamically, based on policies and contextual information - and what the challenges are when moving to a more dynamic approach.
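To make the continuum concrete, the following added example (not from the session or its speakers) evaluates one constructed request against four policies that consult progressively more information: a static ACL, a pure role check, a role check plus other attributes, and an attribute-and-context policy in which the role is just one attribute. All subject, resource and context values are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data: who is asking, what they ask for, and under which circumstances.
SUBJECT = {"id": "u42", "roles": {"clinician"}, "department": "cardiology"}
RESOURCE = {"id": "record-7", "acl": {"u7"}, "allowed_roles": {"clinician"},
            "department": "cardiology"}
CONTEXT = {"time": datetime(2024, 5, 6, 14, 30, tzinfo=timezone.utc),
           "network": "corporate", "risk_score": 20}

# Static, ACL-like: the decision is a lookup on an explicit list stored with the resource.
def acl_policy(subject, resource, context):
    return subject["id"] in resource["acl"]

# Pure RBAC: the only attribute consulted is the subject's set of roles.
def rbac_policy(subject, resource, context):
    return bool(subject["roles"] & resource["allowed_roles"])

# RBAC as usually deployed: a role check plus further subject/resource attributes.
def rbac_with_attributes_policy(subject, resource, context):
    return (bool(subject["roles"] & resource["allowed_roles"])
            and subject["department"] == resource["department"])

# ABAC with contextual information: the role is one attribute among several, and the
# decision also depends on request context (time of day, network, a risk score).
def abac_policy(subject, resource, context):
    return ("clinician" in subject["roles"]
            and subject["department"] == resource["department"]
            and 8 <= context["time"].hour < 18
            and context["network"] == "corporate"
            and context["risk_score"] < 50)

POLICIES = {"acl": acl_policy, "rbac": rbac_policy,
            "rbac+attributes": rbac_with_attributes_policy, "abac": abac_policy}

def decide(policy, subject, resource, context):
    """Deny by default: a policy grants access only when it evaluates to True."""
    return "Permit" if policy(subject, resource, context) else "Deny"

def compare(subject, resource, context):
    """Run every policy on the same request so the differences along the continuum show."""
    return {name: decide(p, subject, resource, context) for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, result in compare(SUBJECT, RESOURCE, CONTEXT).items():
        print(f"{name:16s} -> {result}")
```

Re-running `compare` with a changed context (for example a higher risk score) flips only the ABAC decision, while changing the subject's department flips the attribute-aware policies but not the pure role check.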
In this panel, the participants will look at where authorization is today and where it should be in an ideal world. They will discuss the trends and evolution in that area, such as the growing relevance of OpenAZ. They will discuss whether there are gaps in standards and technology that must be addressed. They will discuss how to solve the challenge that the vast majority of applications are not ready for APAM (Adaptive Policy-Based Access Management). They will provide hints on how to close the gap from both an organizational and a technical perspective and how to make APAM a reality. And if it's not APAM, they will introduce new ideas for better authorization.