A Good Read: A History Of Access Control
Heya,
Usually authentication isn’t enough. Even though it is a critical part of every customer identity and access management (CIAM) system, it’s almost never enough to only know who someone is. As a developer of an application, you also need to know what they can do. Controlling access to data and functionality requires authorization as well as authentication.
In my experience, authorization is tightly tied to business requirements and can’t be abstracted out to third party systems as easily as authentication can (though there are folks that are trying).
But folks have been trying to build a solid access control system for decades, ever since there was more than one user in a system and information access needed to be limited. This history from Teleport does a good job of walking through the models that have been tried.
These include:
Discretionary access control (DAC): the r/w/x bits of Unix, set by the owner of a file
Mandatory access control (MAC): labels assigned by the system that the owner cannot override
Role-based access control (RBAC)
Attribute-based access control (ABAC)
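To make the four models concrete, here is a small added example (mine, not code from the Teleport post or from any product it mentions) that implements one toy check per model over the same file and users. The file, users, roles, labels and the ABAC rule are all constructed for illustration; the MAC check follows the classic "no read up" rule, where a subject may only read resources at or below its own clearance.

```python
from dataclasses import dataclass, field

# Sensitivity lattice used by the MAC and ABAC checks (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass
class File:
    path: str
    owner: str
    mode: int             # Unix-style permission bits chosen by the owner (DAC)
    label: str            # sensitivity label assigned by the system (MAC/ABAC)
    department: str       # resource attribute consumed by the ABAC policy

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    department: str = ""
    clearance: str = "public"

# DAC: the owner decided the mode bits; nobody else gets a say.
def dac_can_read(user: User, f: File) -> bool:
    if user.name == f.owner:
        return bool(f.mode & 0o400)   # owner read bit
    return bool(f.mode & 0o004)       # "other" read bit (groups omitted for brevity)

# MAC: labels are set by the system, and the owner cannot relax them.
def mac_can_read(user: User, f: File) -> bool:
    return LEVELS[user.clearance] >= LEVELS[f.label]

# RBAC: a static role -> permission table; users only carry roles.
ROLE_PERMISSIONS = {
    "auditor": {"read"},
    "editor": {"read", "write"},
}

def rbac_can(user: User, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)

# ABAC: a policy expressed over attributes of both subject and resource.
# Constructed rule: same department (or an auditor) AND clearance covers the label.
def abac_can_read(user: User, f: File) -> bool:
    in_scope = user.department == f.department or "auditor" in user.roles
    return in_scope and LEVELS[user.clearance] >= LEVELS[f.label]

# Constructed sample data.
REPORT = File(path="/srv/finance/report.txt", owner="alice", mode=0o640,
              label="internal", department="finance")
ALICE = User("alice", roles={"editor"}, department="finance", clearance="internal")
BOB = User("bob", roles={"auditor"}, department="audit", clearance="confidential")
CAROL = User("carol", roles=set(), department="finance", clearance="public")

def decisions(user: User, f: File) -> dict:
    """Return what each model says about this user reading this file."""
    return {
        "dac": dac_can_read(user, f),
        "mac": mac_can_read(user, f),
        "rbac": rbac_can(user, "read"),
        "abac": abac_can_read(user, f),
    }

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.name, decisions(u, REPORT))
```

The point of running all four side by side is that they disagree: Bob the auditor is denied by DAC (the owner never granted "other" read) yet allowed by MAC, RBAC and ABAC, while Carol, who sits in the right department, is denied everywhere because her clearance is below the file's label. Which disagreement is the right answer depends on the business requirement, which is why authorization is hard to outsource.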
It’s from 2021, but ends with a look at Binder, a 2002 access control system that was never implemented but could have provided provable denial of access. It would be great if they’d update it for newer developments in access control, such as Cedar.
Hope you enjoy the look back at access control theory and methods in that post.
Dan