Using attribute-based access control (ABAC), it is quite easy to express rules like:
A Subject (with position = 'Manager') is allowed to perform Action (with name = 'Write') on a Resource (with class = 'Document' and type = 'Report').
However, when controlling sharing events, you need to specify two types of Subjects: the person who does the sharing, and the intended recipient.
For example: a Manager might wish to share a report with a Junior in her department.
It is possible to write this as a series of rules involving both types of Subject, but how do you express the "directedness" of sharing, e.g., the Manager can share with the Junior but not vice versa? I have tried several approaches, but they all seem very verbose because of the Subject->Resource->Subject structure, and I am not sure that they truly capture all the semantics of access-controlled sharing of content, such as might happen in an online social network.
Perhaps there is an underlying ABAC 'design pattern' for this...
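One way to make the direction explicit is to stop treating the recipient as a second copy of the Subject and instead carry it as a separate slot in the access request (in XACML terms, the access-subject versus the recipient-subject attribute category). The rule then binds the sharer's attributes to one slot and the recipient's to the other, and "Manager may share with Junior but not vice versa" is simply a comparison between the two slots. The Python below is an added example, not code from the original post: the attribute names `position`, `department`, `class` and `type` follow the post, while the `RANK` ordering of positions, the `recipient` field on the request, the first-applicable combining algorithm and the sample users are my own assumptions. It generalizes the Manager/Junior case slightly by permitting any strictly "downward" share within one department, so a single rule covers every pair of positions rather than one rule per pair.

```python
"""Minimal ABAC evaluator that models a directed "Share" action.

Added example, not from the original post. A request carries the acting
subject (the sharer) and, for directed actions, a separate recipient
subject; directedness comes from comparing the two slots in one rule.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Attrs = Dict[str, str]


@dataclass
class Request:
    subject: Attrs                      # principal performing the action (the sharer)
    action: Attrs
    resource: Attrs
    recipient: Optional[Attrs] = None   # second subject, present only for directed actions
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]


# Assumed ordering of positions; a higher rank may share "downward" only.
RANK = {"Junior": 1, "Manager": 2, "Director": 3}


def is_report(r: Request) -> bool:
    return r.resource.get("class") == "Document" and r.resource.get("type") == "Report"


def manager_can_write_report(r: Request) -> bool:
    """The rule from the post: Manager may Write a Document of type Report."""
    return (r.subject.get("position") == "Manager"
            and r.action.get("name") == "Write"
            and is_report(r))


def directed_share(r: Request) -> bool:
    """Share a Report only to a strictly lower-ranked recipient in the same department.

    Binding the sharer to `subject` and the other party to `recipient` is what
    encodes the direction: swapping the two people makes the comparison fail.
    """
    if r.action.get("name") != "Share" or not is_report(r) or r.recipient is None:
        return False
    sharer_rank = RANK.get(r.subject.get("position", ""), 0)
    recipient_rank = RANK.get(r.recipient.get("position", ""), 0)
    dept = r.subject.get("department")
    same_department = dept is not None and dept == r.recipient.get("department")
    return same_department and sharer_rank > recipient_rank


POLICY: List[Rule] = [
    Rule("managers-write-reports", "Permit", manager_can_write_report),
    Rule("share-downward-within-department", "Permit", directed_share),
]


def evaluate(policy: List[Rule], req: Request) -> str:
    """First-applicable combining: the first rule whose condition holds decides.

    Anything no rule speaks to is denied, so a missing recipient or an
    unknown position can never accidentally permit a share.
    """
    for rule in policy:
        if rule.condition(req):
            return rule.effect
    return "Deny"


def demo() -> Dict[str, str]:
    """Constructed sample users and resource; returns the decision per scenario."""
    alice = {"id": "alice", "position": "Manager", "department": "Finance"}
    bob = {"id": "bob", "position": "Junior", "department": "Finance"}
    carol = {"id": "carol", "position": "Junior", "department": "Sales"}
    report = {"class": "Document", "type": "Report", "owner": "alice"}
    write, share = {"name": "Write"}, {"name": "Share"}
    return {
        "manager_writes": evaluate(POLICY, Request(alice, write, report)),
        "junior_writes": evaluate(POLICY, Request(bob, write, report)),
        "manager_to_junior": evaluate(POLICY, Request(alice, share, report, recipient=bob)),
        "junior_to_manager": evaluate(POLICY, Request(bob, share, report, recipient=alice)),
        "cross_department": evaluate(POLICY, Request(alice, share, report, recipient=carol)),
        "share_without_recipient": evaluate(POLICY, Request(alice, share, report)),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:25s} -> {decision}")
```

The verbosity the post describes disappears because the rule never has to enumerate (Manager, Junior) pairs: the two subject slots are compared on a shared attribute (rank, department), and the asymmetry of the comparison is the directedness. A peer share between two Managers is denied here because the comparison is strict; relaxing it to `>=` is a one-character policy change rather than a new rule.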