Thursday, July 10, 2008
Getting NISTy - UPDATE
Oracle's Nishant Kaushik has a great post today attacking the NIST RBAC standard as fatally flawed.
He asks the question, "Is the NIST RBAC standard fundamentally flawed, given that it is missing a key element in access control decisions - relationships...?" and answers himself: "It is, and companies looking to the NIST RBAC standard as the template for how to approach role management are going to end up missing the boat."
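To make the "missing relationships" point concrete, here is an added illustration (not code from the post, from Kaushik, or from NIST): a minimal core RBAC model in the user-to-roles-to-permissions shape the NIST standard describes, beside a check that adds a relationship predicate. The users, roles and the reports-to table are constructed sample data; the function and class names are my own.

```python
"""Added example, not from the original post: a NIST-style core RBAC check
(user -> roles -> permissions) next to a relationship-aware check, showing
what a role-only decision cannot express. All names and data are constructed."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CoreRBAC:
    """Core RBAC as NIST structures it: users hold roles, roles hold permissions."""
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    role_perms: dict[str, set[str]] = field(default_factory=dict)

    def assign_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def grant_permission(self, role: str, perm: str) -> None:
        self.role_perms.setdefault(role, set()).add(perm)

    def allowed(self, user: str, perm: str) -> bool:
        # The decision depends only on the user's roles, never on which object is touched.
        return any(perm in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


def build_sample_rbac() -> CoreRBAC:
    """Constructed sample: alice and bob are managers, carol is an employee."""
    rbac = CoreRBAC()
    rbac.grant_permission("manager", "approve_expense")
    rbac.grant_permission("employee", "submit_expense")
    for user in ("alice", "bob"):
        rbac.assign_role(user, "manager")
    rbac.assign_role("carol", "employee")
    return rbac


# Constructed relationship data: who reports to whom. Core RBAC has no slot for this.
REPORTS_TO: dict[str, str] = {"carol": "alice"}


def rbac_decision(rbac: CoreRBAC, user: str, perm: str, target: str) -> bool:
    """Role-only decision: the target is ignored, so any manager approves anyone's expense."""
    return rbac.allowed(user, perm)


def relationship_decision(rbac: CoreRBAC, user: str, perm: str, target: str) -> bool:
    """Role check plus a relationship predicate: only the target's own manager may approve."""
    return rbac.allowed(user, perm) and REPORTS_TO.get(target) == user


if __name__ == "__main__":
    rbac = build_sample_rbac()
    for approver in ("alice", "bob", "carol"):
        print(approver,
              "role-only:", rbac_decision(rbac, approver, "approve_expense", "carol"),
              "with relationship:", relationship_decision(rbac, approver, "approve_expense", "carol"))
```

Run stand-alone, the role-only check lets bob approve carol's expense even though carol does not report to him; the relationship-aware check denies it while still allowing alice. The role model is unchanged between the two checks, which is the gap the post is pointing at: the missing information lives outside the role hierarchy.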
I'll simply say that I find NIST's RBAC to be about as useful as the ISO network model - a great tool to tailor a discussion around, but really worthless as a practical implementation. Alternatively, you could think of it as being in the same relationship to actual role implementation as the Dept. of Defense's Ada programming language is to Java or C#.
There has to be a better way.
UPDATE: My sometime drinking buddy, Archie Reed from HP, has posted a good summary of the current thinking, planning and drafting of standards for role management and RBAC.
© 2003-2006 The Virtual Quill, All Rights Reserved