I just finished viewing the YouTube video titled “ABAC vs. ReBAC: An Authorization Policy Showdown”. Following is a short summary of the video.
YouTube Summary
The video covers a discussion between Gabriel, Alex, and David on the topics of attribute-based access control (ABAC) and relationship-based access control (ReBAC), also known as policy as graph. They explore the key differences between these two approaches to fine-grained authorization, their respective benefits, and potential use cases. The discussion touches on the importance of providing a good developer experience, integrating authorization into the software development lifecycle, and the potential for SaaS and COTS vendors to adopt these approaches based on customer demand. Additionally, they discuss the future of policy languages like ALFA and the potential for standardization efforts.
Key Points
Introduction and Background
The video begins with Gabriel introducing Alex and David as experts in ABAC and ReBAC. They discuss the concept of fine-grained authorization and how it differs from traditional role-based access control (RBAC) by considering additional dimensions such as resource attributes, context, and relationships.
00:07:06 Benefits of ReBAC (Policy as Graph)
David highlights the benefits of using a graph-based approach for authorization, including the availability of existing tooling and frameworks, the ability to perform open-ended queries (search or reverse query evaluation), and the visual representation of policies, which can aid in understanding. Alex adds that graphs are well-suited for analytics and can leverage existing graph algorithms.
00:11:50 Benefits of ABAC (Policy as Code)
Alex discusses the benefits of ABAC, also known as policy as code. He suggests that it may have a lower learning curve for developers accustomed to coding and that it builds upon the mature XACML standard. David adds that ABAC policies can closely mirror plain English requirements, making them easier to understand and maintain.
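As an added illustration (not from the video or its panelists), here is the same "can this user view this document?" decision under both models, using constructed sample data: ABAC evaluates a rule over attributes, ReBAC looks for a path in a relationship graph, and the reverse query David mentions is a graph walk in one case and a scan over every resource in the other.

```python
from collections import defaultdict

# Constructed sample data for the illustration (not from the video).
USERS = {"alice": {"dept": "finance", "clearance": 2},
         "bob": {"dept": "eng", "clearance": 1},
         "carol": {"dept": "finance", "clearance": 1}}
DOCS = {"q1-report": {"dept": "finance", "classification": 2},
        "design-doc": {"dept": "eng", "classification": 1}}

def abac_can_view(user: str, doc: str) -> bool:
    """ABAC: the plain-English rule 'a user may view documents of their own
    department whose classification does not exceed their clearance', as code.
    It only reads attributes and returns a decision; it has no side effects."""
    u, d = USERS[user], DOCS[doc]
    return u["dept"] == d["dept"] and u["clearance"] >= d["classification"]

def abac_list_viewable(user: str) -> list[str]:
    """Reverse query under ABAC: with no index over attributes, the rule is
    evaluated against every candidate resource."""
    return sorted(d for d in DOCS if abac_can_view(user, d))

# ReBAC: relationships stored as (object, relation, subject) tuples.
# A subject may be a user or a group; group members inherit the relation.
TUPLES = [("q1-report", "owner", "alice"),
          ("q1-report", "viewer", "group:finance"),
          ("group:finance", "member", "carol"),
          ("design-doc", "viewer", "bob")]
VIEW_RELATIONS = {"owner", "viewer"}  # 'owner' implies 'viewer'

def _graph():
    g = defaultdict(set)
    for obj, rel, subj in TUPLES:
        g[(obj, rel)].add(subj)
    return g

def _expand(g, subjects: set[str]) -> set[str]:
    """Resolve group subjects to their member users (one level of nesting)."""
    users = set()
    for s in subjects:
        users |= g.get((s, "member"), set()) if s.startswith("group:") else {s}
    return users

def rebac_can_view(user: str, doc: str) -> bool:
    """ReBAC: is there a path user -> (member of group) -> owner/viewer -> doc?"""
    g = _graph()
    return any(user in _expand(g, g.get((doc, rel), set())) for rel in VIEW_RELATIONS)

def rebac_list_viewable(user: str) -> list[str]:
    """Reverse query on the graph: walk owner/viewer edges back to documents."""
    g = _graph()
    return sorted({obj for (obj, rel), subjs in list(g.items())
                   if rel in VIEW_RELATIONS and user in _expand(g, subjs)})
```

Note that the two models answer differently for carol: the attribute rule denies her the report (clearance 1 against classification 2) while the graph grants it through her group membership, which is exactly the kind of divergence a team must decide on when choosing between the approaches.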
00:17:20 Managing Complexity and Adoption
The discussion turns to managing the complexity of fine-grained authorization and the potential adoption by SaaS and COTS vendors. Gabriel suggests segmenting users and resources into coarse-grained roles or groups and then applying fine-grained policies on top of those segments. David mentions the OpenID Foundation’s AuthZEN working group, which aims to standardize authorization APIs, potentially driving adoption by vendors.
00:51:00 Developer Experience and Integration
The panelists emphasize the importance of providing a good developer experience and seamless integration with the software development lifecycle. They discuss the potential for new policy languages or tools to improve the experience, as well as the trend towards no-code solutions. David mentions the ongoing efforts to evolve the ALFA policy language and potentially standardize it.
00:55:46 Distinguishing Authorization from Application Logic
In response to a question from the audience, David provides guidance on distinguishing between authorization policies and application logic. He suggests that authorization policies should be side-effect-free and focused on reporting requirements, while application logic can handle business rules without strict reporting needs.