You are hereAttribute Based Access Control/SPM

Attribute Based Access Control/SPM

Attribute Based Access Control (ABAC) flexible and dynamic security policies are are enforced by the Security Policy Manager (SPM) mechanism during the operation of the Trusted RUBIX RDBMS.


For detailed information on the Trusted RUBIX SPM, please see the Trusted RUBIX Security Policy Manager Reference Guide and the Trusted RUBIX Security Policy Manager Tutorial.


Security policies are created using the XML based Trusted RUBIX Security Markup Language (RXSML). The RXSML language allows policy creation and execution using a host of context attributes and functions to manipulate them. The RXSML language also allows actions, called obligations, to be executed based upon the outcome of the security policy execution. Policies may be configured to release information across any domain defined by the underlying operating system's Mandatory Access Control policy.


The RXSML language is based upon the policy language of the OASIS XACML 2.0 standard. For details, see Section 1.6 of the Trusted RUBIX Security Policy Manager Reference Guide.


The Trusted RUBIX RDBMS integrates the host operating system’s Mandatory Access Control policies (OS-MAC) to control access to database objects. Examples of an OS-MAC policy include Multilevel Security (OS-MAC MLS) and Type Enforcement (OS-MAC TE) of the SELinux Red Hat Enterprise Linux (RHEL) operating system. SPM policies may be configured to override the underlying OS-MAC policy (i.e., a releasability policy) or to further restrict operations beyond the OS-MAC policy (i.e., a refining policy). Objects that have no ABAC policy associated with them are by default protected by the underlying OS-MAC security policy.


Access control logic code is organized into rules, policies, and sets of policies and algorithms may be specified to define how they interact with each other. Policies and policy sets may be referenced by name allowing for the elegant, modular design of complex policy logic and the reuse of policy logic without code duplication. Policies are assigned to DBMS objects and may be specified to protect a single object or an entire subtree of objects. Policies may also be configured to automatically protect newly created objects.


To learn more about the Trusted RUBIX Security Policy Manager and Attribute Based Access Control/SPM please visit the links at the bottom of this page.