We have a subject, object (resource) and operation (action) in ABAC. Subject and object have attributes that will be used to execute rules.
We can have multiple subjects of different types, as well as resources. Some attributes are relevant for some types of resources and some don't have any meaning in the context of another. In this case, how should a correct attribute model be implemented? For example, we have resources of type A and B. For type A the attribute isPublic is relevant, and for B it is not. If the PIP receives a request to get the isPublic attribute for B, what should it do? Return nothing, or something that will lead to a negative rule resolution? The same question applies to subjects. How should a correct attribute model be defined and resolved?
On a request to the PDP, shall we pass all possible attributes that we have? As far as I understood, this will increase performance, as it will allow a lot of policies to be filtered out by the policies' targets.
In ABAC, you can choose to pass all attributes from the PEP to the PDP up-front. For instance you could say:
In the above question, we pass in Alice's role and department as well as the record's status and department. We assume this is all the policies will need to reach a decision. This introduces a tight coupling between the PEP (or the application) and the PDP but it makes the PDP extremely fast given it will not need to go out to external sources (PIP).
The extreme opposite is to send in the "key" attributes only e.g.
In that case the PDP will need to call a PIP for the user's attributes and the resource's attributes leading to a total of 4 possible calls. You may think it sounds bad. But it's not. First of all
Like Mike, I work for Axiomatics. We've put algorithms in place to optimize policy evaluation and attribute retrieval. This makes our PDP extremely fast.
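To make the two strategies in the answer concrete, here is a toy PEP/PDP/PIP model. It is an added example written for this page, not code from the answer above or from Axiomatics, and everything in it is constructed: the user directory, the record store, the policies, the attribute names (role, department, status, isPublic) and the default-deny fallback. It shows how a request that carries every attribute needs no PIP calls while an identifier-only request makes the PDP fetch attributes lazily, how target filtering skips policies before their condition attributes are resolved, and what happens for the isPublic-on-type-B case from the question: the PIP returns an empty bag, and the policy's `required` list (analogous to an attribute designator's MustBePresent flag in XACML) decides whether that is treated as "no match" or as Indeterminate.

```python
"""Toy PEP/PDP/PIP model of attribute passing in an ABAC request.

Added example for this page, not the answer's or Axiomatics' code. The stores,
policies, attribute names and the default-deny fallback are all constructed.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Bag = List[str]                      # attribute bag; an empty list means "absent"
Request = Dict[str, Dict[str, Bag]]  # category -> attribute name -> bag

# Constructed backing stores the PIP consults.
USERS = {"alice": {"role": ["manager"], "department": ["sales"]}}
RECORDS = {
    "record-1": {"type": ["A"], "status": ["approved"], "department": ["sales"],
                 "isPublic": ["true"]},
    "record-2": {"type": ["B"], "status": ["draft"], "department": ["sales"]},  # type B: no isPublic
}


class PIP:
    """Policy Information Point: resolves attributes the PEP did not supply."""

    def __init__(self) -> None:
        self.calls = 0

    def fetch(self, category: str, attr: str, request: Request) -> Bag:
        self.calls += 1
        store = {"subject": USERS, "resource": RECORDS}.get(category, {})
        entity_id = request.get(category, {}).get("id", [""])[0]
        # Unknown entity, or an attribute with no meaning for this type: empty bag.
        return list(store.get(entity_id, {}).get(attr, []))


class Policy:
    def __init__(self, name, target, condition, effect, required=()):
        self.name = name
        self.target = list(target)      # (category, attr, value) triples; all must match
        self.condition = condition      # callable receiving the attribute getter
        self.effect = effect            # "Permit" or "Deny"
        self.required = list(required)  # attributes that must be present (MustBePresent)


def decide(policies: Sequence[Policy], request: Request) -> Tuple[str, int]:
    """First-applicable combining: returns (decision, number of PIP calls made)."""
    pip = PIP()
    cache: Dict[Tuple[str, str], Bag] = {}

    def get(category: str, attr: str) -> Bag:
        key = (category, attr)
        if key not in cache:  # use what the PEP sent; otherwise ask the PIP once
            supplied = request.get(category, {}).get(attr)
            cache[key] = list(supplied) if supplied is not None else pip.fetch(category, attr, request)
        return cache[key]

    for policy in policies:
        # Target filtering: a non-matching policy is skipped before any of its
        # condition attributes are resolved, so no PIP calls are spent on it.
        if not all(value in get(cat, attr) for cat, attr, value in policy.target):
            continue
        # An empty bag for a required attribute is an error, not a silent "false".
        if any(not get(cat, attr) for cat, attr in policy.required):
            return "Indeterminate", pip.calls
        if policy.condition(get):
            return policy.effect, pip.calls
        # Condition false: this policy is NotApplicable, fall through to the next.
    return "Deny", pip.calls  # constructed default-deny fallback


def same_department(get: Callable[[str, str], Bag]) -> bool:
    return bool(set(get("subject", "department")) & set(get("resource", "department")))


POLICIES = [
    # Scoped to type A, so isPublic is only ever requested where it is defined.
    Policy("public-read", target=[("action", "id", "read"), ("resource", "type", "A")],
           required=[("resource", "isPublic")],
           condition=lambda get: "true" in get("resource", "isPublic"), effect="Permit"),
    Policy("same-department-read", target=[("action", "id", "read")],
           condition=same_department, effect="Permit"),
]

# The same rule without the type restriction: it will ask for isPublic on a type B record.
UNSCOPED_PUBLIC_READ = Policy(
    "public-read-unscoped", target=[("action", "id", "read")],
    required=[("resource", "isPublic")],
    condition=lambda get: "true" in get("resource", "isPublic"), effect="Permit")


def full_request(user: str, record: str, action: str) -> Request:
    """PEP passes every attribute it holds: the PDP never has to call the PIP."""
    return {"subject": {"id": [user], **USERS[user]},
            "resource": {"id": [record], **RECORDS[record]},
            "action": {"id": [action]}}


def key_request(user: str, record: str, action: str) -> Request:
    """PEP passes identifiers only: the PDP fetches the rest from the PIP as needed."""
    return {"subject": {"id": [user]}, "resource": {"id": [record]}, "action": {"id": [action]}}


if __name__ == "__main__":
    print(decide(POLICIES, full_request("alice", "record-2", "read")))  # ('Permit', 0)
    print(decide(POLICIES, key_request("alice", "record-2", "read")))   # ('Permit', 3)
    print(decide([UNSCOPED_PUBLIC_READ] + POLICIES[1:],
                 key_request("alice", "record-2", "read")))             # ('Indeterminate', 1)
```

With the full request the PDP reaches Permit with zero PIP calls; with the identifier-only request it spends one call discovering that record-2 is type B (which filters out public-read by target) and two more on the departments. The unscoped variant shows the cost of a badly scoped attribute model: because isPublic is marked required, the empty bag for a type B record turns into Indeterminate rather than a clean fall-through, which is the outcome the question is asking about. Scoping the policy's target by resource type, as the first policy does, means the PIP is never asked for an attribute that has no meaning for that type.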