Relationship-based Access Control
In computer systems security, relationship-based access control (ReBAC) defines an authorization paradigm where a subject's permission to access a resource is determined by the presence of relationships between those subjects and resources. In general, authorization in ReBAC is performed by traversing the directed graph of relationships. The nodes and edges of this graph are very similar to triples in the Resource Description Framework (RDF) data format. ReBAC systems allow hierarchies of relationships, and some allow more complex definitions that include algebraic operators on relationships such as union, intersection, and difference. ReBAC gained popularity with the rise of social network web applications, where users need to control their personal information based on their relationship with the data receiver rather than the receiver's role. ReBAC makes it possible to define permissions collectively for teams and groups, eliminating the need to set permissions individually for every resource. In contrast to role-based access control (RBAC), which defines roles that carry a specific set of privileges and to which subjects are assigned, ReBAC (like ABAC) allows defining more fine-grained permissions. For example, if a ReBAC system defines resources of type ''document'' with one relation, ''editor'', and the system contains the relationship ''('alice', 'editor', 'document:budget')'', then subject ''Alice'' can ''edit'' the specific resource ''document:budget''. The downside of ReBAC is that, while it allows more fine-grained access, the application may need to perform more authorization checks. ReBAC systems are deny-by-default, and allow building RBAC systems on top of them.
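As an added example (not code from the article or from any Zanzibar implementation), a minimal ReBAC checker in Python: relationship tuples in the article's (subject, relation, object) order, an assumed namespace configuration that rewrites relations (''editor'' implies ''viewer'', ''viewer'' on a parent folder is inherited, a ''group:finance#member'' subject set expands to the group's members), and a depth-first graph traversal that denies by default. The tuples, object names and configuration format are all constructed for the example.

```python
# Constructed sample relationship tuples, in (subject, relation, object) order.
# A subject written "group:finance#member" is a subject set: every member of that group.
TUPLES = {
    ("alice", "editor", "document:budget"),
    ("group:finance#member", "viewer", "document:budget"),
    ("bob", "member", "group:finance"),
    ("folder:q3", "parent", "document:budget"),   # folder:q3 is the parent of the document
    ("carol", "viewer", "folder:q3"),
}

# Assumed namespace configuration (Zanzibar-style rewrite rules, our own format):
# "this"                -> direct tuples for this relation (plus subject-set expansion)
# "editor"              -> union with another relation on the same object
# ("parent", "viewer")  -> union with the "viewer" relation on each "parent" of the object
CONFIG = {
    ("document", "viewer"): ["this", "editor", ("parent", "viewer")],
    ("document", "editor"): ["this"],
    ("folder", "viewer"):   ["this"],
    ("group", "member"):    ["this"],
}

def obj_type(obj):
    return obj.split(":", 1)[0]

def check(subject, relation, obj, _seen=None):
    """True if `subject` reaches `relation` on `obj` by traversing the relationship graph."""
    _seen = set() if _seen is None else _seen
    if (subject, relation, obj) in _seen:         # visited set: cycles and repeated work
        return False
    _seen.add((subject, relation, obj))
    for rule in CONFIG.get((obj_type(obj), relation), []):   # unknown relation -> no rules
        if rule == "this":
            for s, r, o in TUPLES:
                if r != relation or o != obj:
                    continue
                if s == subject:
                    return True
                if "#" in s:                                  # expand subject set
                    set_obj, set_rel = s.split("#", 1)
                    if check(subject, set_rel, set_obj, _seen):
                        return True
        elif isinstance(rule, tuple):                         # inherit via a linked object
            via, inherited = rule
            for s, r, o in TUPLES:
                if r == via and o == obj and check(subject, inherited, s, _seen):
                    return True
        elif check(subject, rule, obj, _seen):                # computed relation, same object
            return True
    return False                                              # deny by default
```

Every decision is a graph walk, which is why an application using ReBAC may issue more (and more expensive) authorization checks than one using static roles.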


History

The term ReBAC was coined by Carrie E. Gates in 2006. In 2019 Google published a paper presenting "Zanzibar: Google's Consistent, Global Authorization System". The paper defines a system composed of a namespace configuration and relationship data expressed as triples. Since the release of that paper, several companies have built commercial and open source offerings of ReBAC systems.


See also

* Role-based access control
* Attribute-based access control

