IAM Standard Processes

Combined Session
Thursday, May 07, 2015 12:00—13:00
Location: AMMERSEE I

Roles or no Roles, that’s the Question. Two Different Approaches for Compliant IAM Processes.

In this session, Matthias Reinwarth and Horst Walther will present the KuppingerCole standard IAM process models in two variants. One uses roles for implementing a consistent, comprehensive approach. However, there are various situations where deployment of complete role models is not feasible. For these situations, KuppingerCole has developed a lean model that works without roles but still allows organizations to streamline and standardize their IAM processes and meet essential compliance requirements.

Matthias Reinwarth
KuppingerCole
Matthias is Head of Advisory and oversees and leads the KuppingerCole advisory team. Additionally he acts as lead advisor in various customer projects. As head of the IAM practice, Matthias...
Dr. Horst Walther
KuppingerCole
Dr. Horst Walther, born 1951 in Berlin, has worked as an interim manager, management consultant and independent technical advisor for more than 30 years. His expertise focuses on the business to...

RBAC & ABAC Hybrid Approaches

Over the past several years, there have been a lot of discussions around terms such as RBAC (Role Based Access Control), ABAC (Attribute Based Access Control), Dynamic Authorization Management (DAM) and standards such as XACML. Other terms such as RiskBAC (Risk Based Access Control) have been introduced more recently.

Quite frequently, there has been a debate between RBAC and ABAC, as to whether attributes should or must replace roles. However, most RBAC approaches in practice rely on more than purely roles (i.e. on other attributes), while roles are a common attribute in ABAC. In practice, it is not RBAC vs. ABAC, but rather a sort of continuum.

However, the main issue in trying to position ABAC as the antipode to RBAC is that attributes vs. roles is not what the discussion should be about. The difference is in how access is granted.

This panel will not be about RBAC vs. ABAC. It will be about RBAC & ABAC & more. What are the essential elements for moving towards an adaptive, policy-based access management (or APAM)? What do we need for a better access management that we can implement today and extend subsequently, moving from static to dynamic controls and from ACLs to policies? How can this be made to work with and without application integration? This panel is a must-attend for everyone involved in defining and redefining their Access Management approaches.

Frank Böhm
FSP
Frank Boehm has been Managing Director at FSP since 2002. He started his professional career in 1989 as a consultant for the financial services sector at Accenture and led international...
Thorsten Niebuhr
WedaCon
With nearly 30 years of experience in IT and in the fields of Directory Technologies, Identity Management and Data Privacy, Thorsten is a recognized expert in our industry. As a technical trainer,...
Patrick Parker
EmpowerID
Patrick Parker is the founder and CEO of EmpowerID, a company specializing in Identity and Access Management for over 20 years. He pioneered the unique use of Role and Attribute-Based Access...
Frank Wittlich
Talanx Systeme AG
He started his professional career as a consultant for safety critical applications at TUV Rheinland Group, changed over as project manager and IT process consultant in the software development...