Thursday, July 10, 2008

Getting NISTy - UPDATE

Oracle's Nishant Kaushik has a great post today attacking the NIST RBAC standard as fatally flawed.

He asks the question, "Is the NIST RBAC standard fundamentally flawed, given that it is missing a key element in access control decisions - relationships...?" and answers himself: "It is, and companies looking to the NIST RBAC standard as the template for how to approach role management are going to end up missing the boat."

I'll simply say that I find NIST's RBAC to be about as useful as the ISO network model - a great tool to tailor a discussion around, but really worthless as a practical implementation. Alternatively, you could think of it as being in the same relationship to actual role implementation as the Dept. of Defense's Ada programming language is to Java or C#.

There has to be a better way.

UPDATE: My sometime drinking buddy, Archie Reed from HP, has posted a good summary of the current thinking, planning and drafting of standards for role management and RBAC.

