Episode 048: 9‐17‐2024 Apache Fortress ANSI RBAC with OpenLDAP - GluuFederation/identerati-office-hours GitHub Wiki
Title: Apache Fortress ANSI RBAC with OpenLDAP
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Shawn McKinney, Software Architect at Symas Corporation
- Co-Host: Nate Klingenstein, Sr. Systems Engineer at The Johns Hopkins University
Description
RBAC is battle tested. Its properties and limitations are well understood. It aligns perfectly with existing enterprise security governance tools. Join us for a deep dive into Apache Fortress, a Java framework which implements ANSI RBAC and leverages OpenLDAP for persistence. In this livestream, we'll explore the architecture of Apache Fortress and discuss how enterprises can use it to develop applications that align with centralized access management controls. And we'll consider RBAC's history: what have we learned?
Homework
Takeaways
- RBAC provides a base level of authorization utility for organizations. Yes, enterprises also need non-role policies! But RBAC is a foundational part of enterprise access control.
- "Was this person authorized at this time?" More contextual access control mechanisms cannot definitively answer this question. RBAC systems that tightly implement the ANSI spec reliably produce evidence that a person had the right roles at the time of access.
- A "BAC" that doesn't have a specification is an aspiration. Where is the ABAC spec? So is ABAC really a spec at all? Cedar is well specified. Does that mean that Cedar-based access control should be called Ce-BAC?
- You still need enterprise IAG tools to manage enterprise roles (i.e. to avoid role explosion) and for certification: make sure the right people are in those roles, or RBAC is useless!
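The second takeaway rests on a property of the ANSI RBAC core model: an access decision is made against the roles active in a session, and a session can only activate roles the user is assigned. The example below is added here to illustrate that point; it is not Apache Fortress code and does not use the Fortress API. It is a small in-memory model of the ANSI core functions (AddUser, AddRole, AssignUser, DeassignUser, GrantPermission, CreateSession, AddActiveRole, DropActiveRole, CheckAccess) with an append-only audit record that captures the active role set at decision time. The user "alice", the roles "clerk" and "auditor", and the "ledger" permissions are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Permission:
    """A permission is an (operation, object) pair, as in ANSI RBAC."""
    operation: str
    obj: str


@dataclass(frozen=True)
class Decision:
    """Audit record written for every CheckAccess call: who, which session,
    which roles were active at that moment, and the outcome."""
    when: datetime
    session_id: int
    user: str
    active_roles: frozenset
    permission: Permission
    granted: bool


class Rbac0:
    """Core RBAC (no hierarchy, no SoD): USERS, ROLES, PRMS, UA, PA, SESSIONS."""

    def __init__(self):
        self.users = set()
        self.roles = set()
        self.ua = {}        # user -> set(role)        (user assignment)
        self.pa = {}        # role -> set(Permission)  (permission assignment)
        self.sessions = {}  # session id -> (user, set(active roles))
        self.audit = []     # list[Decision], append-only evidence trail
        self._next_sid = 1

    # --- administrative commands ---
    def add_user(self, user):
        self.users.add(user)
        self.ua.setdefault(user, set())

    def add_role(self, role):
        self.roles.add(role)
        self.pa.setdefault(role, set())

    def assign_user(self, user, role):
        if user not in self.users or role not in self.roles:
            raise KeyError("unknown user or role")
        self.ua[user].add(role)

    def deassign_user(self, user, role):
        self.ua[user].discard(role)
        # Spec semantics: deassignment also deactivates the role in the user's sessions.
        for u, active in self.sessions.values():
            if u == user:
                active.discard(role)

    def grant_permission(self, role, perm):
        if role not in self.roles:
            raise KeyError("unknown role")
        self.pa[role].add(perm)

    # --- supporting system functions ---
    def create_session(self, user, activate):
        """Open a session; only roles assigned to the user may be activated."""
        assigned = self.ua.get(user, set())
        if not set(activate) <= assigned:
            raise PermissionError(f"{user} is not assigned {set(activate) - assigned}")
        sid = self._next_sid
        self._next_sid += 1
        self.sessions[sid] = (user, set(activate))
        return sid

    def add_active_role(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.ua[user]:
            raise PermissionError(f"{user} is not assigned {role}")
        active.add(role)

    def drop_active_role(self, sid, role):
        self.sessions[sid][1].discard(role)

    def session_roles(self, sid):
        return frozenset(self.sessions[sid][1])

    def check_access(self, sid, operation, obj):
        """Grant iff some role active in the session holds the permission,
        and record the decision together with the active roles."""
        user, active = self.sessions[sid]
        perm = Permission(operation, obj)
        granted = any(perm in self.pa[r] for r in active)
        self.audit.append(Decision(datetime.now(timezone.utc), sid, user,
                                   frozenset(active), perm, granted))
        return granted


def demo():
    """Constructed scenario: alice holds clerk and auditor but activates only clerk."""
    rbac = Rbac0()
    rbac.add_user("alice")
    for r in ("clerk", "auditor"):
        rbac.add_role(r)
    rbac.grant_permission("clerk", Permission("post", "ledger"))
    rbac.grant_permission("auditor", Permission("read", "ledger"))
    rbac.assign_user("alice", "clerk")
    rbac.assign_user("alice", "auditor")

    sid = rbac.create_session("alice", {"clerk"})       # least privilege at session start
    first = rbac.check_access(sid, "post", "ledger")    # granted via clerk
    second = rbac.check_access(sid, "read", "ledger")   # denied: auditor not active
    rbac.deassign_user("alice", "clerk")                # certification removes the role
    third = rbac.check_access(sid, "post", "ledger")    # denied now, but audit[0] still shows clerk was active
    return rbac, (first, second, third)
```

The audit entries are the "evidence" the takeaway refers to: each one freezes the active role set at the moment of the decision, so a later deassignment (the role certification the last takeaway calls for) changes future decisions without rewriting what was true at the time of access.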