NIST Report Reflects Increasing Need for ABAC…but Over-Engineers Its Deployment

by Andy Han

The National Institute of Standards and Technology (NIST) held a conference a few months back on Attribute Based Access Control (ABAC). The primary objective of the conference was to promote a special publication on ABAC, and the event brought together leaders from various government programs, technology vendors, industry analysts and subject matter experts on authorization and access control. The event and the paper are recognition that adoption of ABAC is accelerating and that we needed to put in writing a shared understanding of when and how to deploy ABAC.

Combining Role-Based Access Control with Attribute-Based Access Control for Export Compliance

By Soujanya Madhurapantula.

Recap: the 2-layer SAP authorization model

In our previous post, we introduced a 2-layer SAP authorization model: a combination of Role-Based Access Control plus Attribute-Based Access Control. To comply with regulatory mandates such as export control, where access to data depends on multiple factors such as location, nationality and content, it is prudent to augment SAP’s authorization model so that access is controlled at the data level, not only at the transaction level.

Is Role-Based Access Control Sufficient?

By Soujanya Madhurapantula.

In SAP’s role-based security architecture, Users and Authorization objects are used to create profiles, such as “buyer” or “payer”, and these are used to define functional roles.

As a countermeasure for potential fraud, the GRC Access Control Segregation of Duties rules can dictate that a user should not hold, for example, both a buyer profile and a payer profile simultaneously. In simple cases like this, SAP’s authorization concept works great! It distinguishes which user can perform a specific function by limiting their access to certain transactions, programs and services. It even provides an easy way to administer HR events such as role changes and employee turnover.
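To make the two layers concrete, here is an added example (not SAP code and not from the original posts) that models both ideas above: the Segregation of Duties rule that forbids holding a buyer and a payer profile at once, and the export-compliance check that gates data access on the subject's nationality and current location. Role names, transaction names, attribute names and the sample drawings are all hypothetical; the point is the evaluation order, which is deny-by-default and checks SoD, then the RBAC transaction grant, then the ABAC data rule.

```python
"""Two-layer authorization: RBAC for function access, ABAC for data access.

Added illustration, not SAP's authorization concept or GRC code. Role names,
transaction names, attribute names and the sample records are hypothetical.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# --- Layer 1: RBAC ----------------------------------------------------------
# A role grants a set of transactions (functions a user may execute).
ROLE_TRANSACTIONS = {
    "buyer": frozenset({"CREATE_PO"}),
    "payer": frozenset({"POST_PAYMENT"}),
    "engineer": frozenset({"VIEW_DRAWING"}),
}

# Segregation-of-duties rule: no user may hold every role in a conflict set.
SOD_CONFLICTS = [frozenset({"buyer", "payer"})]


def sod_violations(roles: Iterable[str]) -> List[FrozenSet[str]]:
    """Return the conflict sets fully contained in the user's role set."""
    held = set(roles)
    return [conflict for conflict in SOD_CONFLICTS if conflict <= held]


def rbac_allows(roles: Iterable[str], transaction: str) -> bool:
    """True if any held role grants the requested transaction."""
    return any(transaction in ROLE_TRANSACTIONS.get(role, ()) for role in roles)


# --- Layer 2: ABAC ----------------------------------------------------------
@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    nationality: str   # hypothetical attribute, ISO 3166 alpha-2 code
    location: str      # hypothetical attribute: country the session originates from


@dataclass(frozen=True)
class Record:
    record_id: str
    export_controlled: bool
    allowed_nationalities: FrozenSet[str] = frozenset()
    allowed_locations: FrozenSet[str] = frozenset()


def abac_allows(subject: Subject, record: Record) -> bool:
    """Data-level rule: export-controlled content is released only when the
    subject's nationality AND current location are both on the record's
    allow-lists. Unrestricted records need no attribute check."""
    if not record.export_controlled:
        return True
    return (subject.nationality in record.allowed_nationalities
            and subject.location in record.allowed_locations)


def authorize(subject: Subject, transaction: str, record: Record) -> Tuple[bool, str]:
    """Evaluate both layers in order; deny by default and say why."""
    if sod_violations(subject.roles):
        return False, "sod-violation"
    if not rbac_allows(subject.roles, transaction):
        return False, "rbac-denied"
    if not abac_allows(subject, record):
        return False, "abac-denied"
    return True, "allowed"


def visible_records(subject: Subject, transaction: str,
                    records: Iterable[Record]) -> List[str]:
    """Row-level filter: the record IDs this subject may see via the transaction."""
    return [r.record_id for r in records if authorize(subject, transaction, r)[0]]


# Constructed sample data (not real drawings or users).
DRAWINGS = [
    Record("DRW-1", export_controlled=False),
    Record("DRW-2", True, frozenset({"US"}), frozenset({"US"})),
    Record("DRW-3", True, frozenset({"US", "DE"}), frozenset({"US", "DE"})),
]

ALICE = Subject("alice", frozenset({"engineer"}), "DE", "DE")
BOB = Subject("bob", frozenset({"engineer"}), "US", "FR")          # US national abroad
CAROL = Subject("carol", frozenset({"buyer", "payer"}), "US", "US")  # SoD conflict

if __name__ == "__main__":
    for subject in (ALICE, BOB, CAROL):
        print(subject.user, visible_records(subject, "VIEW_DRAWING", DRAWINGS))
```

Note what each layer contributes: the RBAC layer alone would let Bob open every drawing because his role grants the transaction, and only the attribute rule notices that his session originates outside the permitted countries. Carol is blocked before either grant is consulted, which is the SoD rule acting as a precondition rather than a report run after the fact.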