NGAC vs RBAC vs ABAC and why NGAC was chosen as the access-control model


NGAC RBAC ABAC - Bing (China edition)
https://cn.bing.com/search?FORM=U227DF&PC=U227&q=NGAC+RBAC+ABAC

low joker - Zhihu
https://www.zhihu.com/people/lowlowlow-9

NGAC vs RBAC vs ABAC and why NGAC was chosen as the access-control model - Zhihu
https://zhuanlan.zhihu.com/p/352007836

empowerid-whitepaper-rbac-abac-hybrid-model.pdf
https://blog.empowerid.com/hs-fs/hub/174819/file-18506087-pdf/docs/empowerid-whitepaper-rbac-abac-hybrid-model.pdf

Poorly Implemented RBAC
RBAC’s greatest weakness is that it is almost universally oversimplified in its implementation by
application developers. The RBAC model defines the concept of a Subject, a Role, and a
Permission much the same as ABAC’s Subject, Resource, and Action. In the RBAC model, a
Permission is the combination of an “Action” for a “Resource” in ABAC terminology (e.g.,
CustomerA.delete). However, most implementations of RBAC, as written by application developers,
limit themselves to simple checks for role membership without any concept of permission. This
usage downgrades roles into being simply groups to maintain collections of users with the central
role management system unaware of the permissions they grant in the applications themselves.
The pseudocode below is an example of this simplistic “IsInRole” approach:

if (user.IsInRole("StandardEmployee"))
    this.application.show(Employee.PublicProfile);
else if (user.IsInRole("HRManager") || user.IsInRole("SalesManager") ||
         user.IsInRole("AuditManager"))
    this.application.show(Employee.PublicProfile + Employee.AbsenceReport);

This oversimplification is so widespread that it has become synonymous with RBAC and even
promoted as a standard practice by many vendors. In this model, application permissions are
enforced solely internal to the application and hidden from the role management system. This
internal enforcement makes it impossible to manage or audit the actual access being granted by
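As an added example (not code from the whitepaper or from the blog), this is the permission-based counterpart to the IsInRole pseudocode above: roles map to resource-plus-action permissions held by the role store, the application asks about a permission rather than a role name, and the store can answer the audit questions that the IsInRole approach cannot. The role names, resources, actions and users are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


# Permission-based RBAC: a permission is a resource plus an action (the
# whitepaper's "CustomerA.delete"), and role -> permission is data held by the
# role management system, so it can be listed and audited centrally.
@dataclass(frozen=True)
class Permission:
    resource: str
    action: str


@dataclass
class RoleStore:
    roles: dict[str, set[Permission]] = field(default_factory=dict)
    members: dict[str, set[str]] = field(default_factory=dict)  # user -> roles

    def grant(self, role: str, resource: str, action: str) -> None:
        self.roles.setdefault(role, set()).add(Permission(resource, action))

    def assign(self, user: str, role: str) -> None:
        self.members.setdefault(user, set()).add(role)

    def effective_permissions(self, user: str) -> set[Permission]:
        # Audit view: everything a user holds, through all of their roles.
        perms: set[Permission] = set()
        for role in self.members.get(user, ()):
            perms |= self.roles.get(role, set())
        return perms

    def roles_granting(self, resource: str, action: str) -> set[str]:
        # Reverse audit: which roles confer a given permission.
        wanted = Permission(resource, action)
        return {r for r, perms in self.roles.items() if wanted in perms}

    def is_permitted(self, user: str, resource: str, action: str) -> bool:
        # The application asks about a permission, never about a role name.
        return Permission(resource, action) in self.effective_permissions(user)


def demo() -> RoleStore:
    store = RoleStore()  # constructed sample data mirroring the excerpt's roles
    store.grant("StandardEmployee", "Employee.PublicProfile", "read")
    for role in ("HRManager", "SalesManager", "AuditManager"):
        store.grant(role, "Employee.PublicProfile", "read")
        store.grant(role, "Employee.AbsenceReport", "read")
    store.assign("alice", "StandardEmployee")
    store.assign("bob", "HRManager")
    return store
```

With the mapping held as data, `roles_granting` and `effective_permissions` give the role management system the view of actual access that the excerpt says the IsInRole pattern hides inside the application.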

Unpacking Next Generation Access Control (NGAC) and Tetrate Q | Tetrate
https://www.tetrate.io/blog/unpacking-next-generation-access-control-ngac-and-tetrate-q/

NGAC vs RBAC vs ABAC and why NGAC was chosen as the access-control model - 常给自己加个油 - cnblogs

Guide to Attribute Based Access Control (ABAC) Definition and Considerations | NIST
https://www.nist.gov/publications/guide-attribute-based-access-control-abac-definition-and-considerations-1