Evolving Landscape of Authorisation

Pushpalanka Jayawardhana
4 min read · Jan 6, 2023

The access control domain is a hot topic again, with innovation happening on several fronts. These advancements are promising and seem to be paving the way to take the domain to the next level. In this post I hope to take a brief look back at how the domain has evolved over time and at its current fronts.

Overview

While military requirements triggered the advancements in the early stages of the domain, today the requirements of microservices authorisation, privacy and antitrust compliance are driving it forward.

BACs

Starting from supporting structures for storing permission models, such as the Access Control Matrix and then Access Control Lists (ACLs), these structures kept getting more complex, driven by the disparate use cases and requirements of systems. Below is a brief list of the different branches of access control. These branches are NOT mutually exclusive. For example, within attribute-based access control, the user role can become one of the attributes. We use this categorisation only to help explore the domain in a more organized manner.

Lattice Based Access Control (LBAC) — When lists and matrices fell short of storing the complex relationships of systems, a lattice was used for the purpose. Classical security models such as the Biba model, the Bell-LaPadula model etc. date from around this time.

Role Based Access Control (RBAC) — In this approach, the subjects (mostly users/services) are grouped based on their privilege…
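The lattice idea from the Lattice Based Access Control item above, as an added example that is not part of the original post: a label combines a level with a category set, so some label pairs are incomparable, which a flat list cannot express. The level names, categories and function names are constructed for illustration; the read/write rules are the standard Bell-LaPadula and Biba properties.

```python
from dataclasses import dataclass

# Constructed ordering of sensitivity levels (assumption for this example).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Partial order: higher-or-equal level AND a superset of the categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def join(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.categories | b.categories)

def meet(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    level = min(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.categories & b.categories)

def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, obj, op):
    """Biba (integrity): the dual rules, no read down and no write up."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")

# Constructed sample labels.
ANALYST = Label("secret", frozenset({"crypto"}))
REPORT = Label("confidential", frozenset({"crypto"}))
NUCLEAR_MEMO = Label("confidential", frozenset({"nuclear"}))

if __name__ == "__main__":
    print("read report:", blp_allows(ANALYST, REPORT, "read"))
    print("read nuclear memo:", blp_allows(ANALYST, NUCLEAR_MEMO, "read"))
    print("join:", join(ANALYST, NUCLEAR_MEMO))
```

The analyst and the nuclear memo are incomparable (neither dominates the other), so both read and write are denied even though the analyst's level is higher.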
