Drawbacks to role-based?
- complex logic
- dynamic authorization parameters
- unique users, multiple roles
What’s attribute-based access?
- Attributes can be associated with the user, resource, environment, or application state
- Very flexible, allowing dynamic, contextual decisions
- If an ID and a resource share an attribute…
- Then the identity can access the resource
Why are tags/ABAC so versatile?
- Tags are key:value pairs that can be anything