Trusted Information Sharing – ABAC Architecture


In my previous post, I introduced you to the two concepts of Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). ABAC resolves a number of the limitations associated with RBAC, as I discussed in that post. In this post, I wanted to drill into the architecture underlying ABAC a little bit more.

In simple terms, there are four main parts of the ABAC architecture. These are:

  • The Policy Decision Point (PDP) – this is really the brains of the ABAC architecture. It evaluates requests for information against policies that it has been configured with. If it does not have enough information to make its decision to permit or deny access to the information, it can ask for more information from another part of the architecture, the Policy Information Point.
  • The Policy Information Point (PIP) – this acts as a bridge if you will between the PDP and other external sources of information, including databases and LDAP directory servers. It retrieves additional attributes from these external sources and passes them back to the PDP so the PDP can make its decision.
  • The Policy Administration Point (PAP) – this is the tool that is used to create the policies used by the PDP.
  • The Policy Enforcement Point (PEP) – this is responsible for protecting the information being requested. It inspects a request for information, and then creates an authorization request which it sends to the PDP.

Now let’s take an example that walks through an information request and how it is processed within the ABAC architecture. Using a scenario most of you would be familiar with, let’s say we have an application through which a user, Pete, is trying to retrieve information, and that information is stored in a database. A number of steps happen when even a simple request like this is made. Let’s look at the example very simplistically, leaving out many of the complexities. The steps can be summarized as follows (the numbers refer to the diagram below this list):

0. Step zero is not actually shown in the diagram below. That’s where user Pete logs in to the application. There may be a variety of load balancers, firewalls and so on involved here, but for now these aren’t germane to this discussion so we’ll ignore them.

  1. Pete requests some information from the database behind the application. What that information is doesn’t matter, but let’s say for now he asks to view a particular file. For future reference, this is the sort of thing Trusted Information Sharing is all about – sharing files and other information securely. But I’ll come back to that in a later post.
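To make the four components and the request flow concrete, here is a small added example in Python; it is not code from the original post or from any ABAC product. It wires a PEP in front of a file store to a PDP, whose policies come from a PAP stub, and has the PDP pull the attributes it lacks from a PIP that fronts a constructed directory and file-metadata table. The user and file names, the attributes, the policies and the clearance ranking are all invented for the illustration; the decision logic is deny-by-default with deny-overrides, which is the conservative choice a practitioner would want.

```python
"""Minimal ABAC flow (PEP -> PDP -> PIP, policies from a PAP stub). Constructed example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]

# Constructed attribute sources that the PIP fronts: an LDAP-style directory
# for subjects and a database table for file metadata. Entirely made up.
DIRECTORY: Dict[str, Attrs] = {
    "pete": {"department": "engineering", "clearance": "official"},
    "alice": {"department": "finance", "clearance": "secret"},
}
FILE_METADATA: Dict[str, Attrs] = {
    "design.docx": {"owner_department": "engineering", "classification": "official"},
    "budget.xlsx": {"owner_department": "finance", "classification": "secret"},
}
CLEARANCE_RANK = {"official": 1, "secret": 2}   # hypothetical ordering


class PolicyInformationPoint:
    """PIP: bridges the PDP to external attribute sources."""

    def subject_attributes(self, subject_id: str) -> Attrs:
        return dict(DIRECTORY.get(subject_id, {}))      # unknown subject -> no attributes

    def resource_attributes(self, resource_id: str) -> Attrs:
        return dict(FILE_METADATA.get(resource_id, {}))


@dataclass(frozen=True)
class Policy:
    """One rule authored through the PAP: a predicate over (subject, resource, action)."""
    description: str
    applies: Callable[[Attrs, Attrs, str], bool]


def administered_policies() -> List[Policy]:
    """Stand-in for the PAP. Every policy must hold for Permit (deny-overrides)."""
    return [
        Policy("subject department matches the file's owning department",
               lambda s, r, a: s.get("department") == r.get("owner_department")),
        Policy("subject clearance dominates the file classification",
               lambda s, r, a: CLEARANCE_RANK.get(s.get("clearance", ""), 0)
               >= CLEARANCE_RANK.get(r.get("classification", ""), 99)),
        Policy("only the 'view' action is authorised by this policy set",
               lambda s, r, a: a == "view"),
    ]


@dataclass
class AuthorizationRequest:
    subject_id: str
    resource_id: str
    action: str
    subject_attrs: Attrs      # may be partial; the PDP fills gaps through the PIP
    resource_attrs: Attrs


class PolicyDecisionPoint:
    """PDP: evaluates a request against its policies, asking the PIP for missing attributes."""

    def __init__(self, policies: List[Policy], pip: PolicyInformationPoint):
        self.policies = policies
        self.pip = pip

    def decide(self, req: AuthorizationRequest) -> Tuple[str, List[str]]:
        subject = dict(req.subject_attrs)
        resource = dict(req.resource_attrs)
        # Attributes the request did not carry are fetched, never assumed.
        if not {"department", "clearance"}.issubset(subject):
            subject.update(self.pip.subject_attributes(req.subject_id))
        if not {"owner_department", "classification"}.issubset(resource):
            resource.update(self.pip.resource_attributes(req.resource_id))
        failed = [p.description for p in self.policies
                  if not p.applies(subject, resource, req.action)]
        return ("Deny", failed) if failed else ("Permit", [])


class PolicyEnforcementPoint:
    """PEP: guards the data, builds the authorization request and enforces the answer."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def handle(self, user: str, action: str, filename: str) -> str:
        # Only what the PEP knows from the session goes in; the rest comes via the PIP.
        decision, reasons = self.pdp.decide(AuthorizationRequest(user, filename, action, {}, {}))
        if decision != "Permit":
            raise PermissionError(f"{user} may not {action} {filename}: {reasons}")
        return f"<contents of {filename}>"   # the protected resource


def build_pep() -> PolicyEnforcementPoint:
    """Wire PAP output -> PDP -> PIP behind a PEP."""
    return PolicyEnforcementPoint(PolicyDecisionPoint(administered_policies(), PolicyInformationPoint()))


def authorize(user: str, action: str, filename: str) -> Tuple[str, List[str]]:
    """Return the PDP decision and the descriptions of any policies that failed."""
    return build_pep().pdp.decide(AuthorizationRequest(user, filename, action, {}, {}))


if __name__ == "__main__":
    print(build_pep().handle("pete", "view", "design.docx"))
    print(authorize("pete", "view", "budget.xlsx"))
```

The PEP deliberately sends only the identifiers it knows from the session; the department and clearance attributes never leave the directory except through the PIP, and a subject the directory does not know ends up with no attributes and is denied by every policy rather than falling through to a default grant.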