Welcome to the IBM Community, a place to collaborate, share knowledge, & support one another in everyday challenges. Connect with your fellow members through forums, blogs, files, & face-to-face networking.
Log in
Search Options
Search Options
Skip to main content (Press Enter).
Sign in
Skip auxiliary navigation (Press Enter).
Cloud Pak for Data
Topic groups
Cloud Pak for Data
Events
Upcoming Cloud Pak for Data Events
On Demand Webinars
IBM Expert TV
Virtual Community Events
All IBM Community Events
Participate
Gamification Program
Post to Forum
Share a Resource
Share your Expertise
Blogging on the Community
Connect with Cloud Pak for Data Users
All IBM Community Users
Resources
Community Front Porch
IBM Champions
IBM Cloud Support
IBM Documentation
IBM Support
IBM Technology Zone
IBM Training
Accelerators catalog
Partner services catalog
Learning center
Developer resources
Marketplace
Marketplace
IBM Cloud Pak for Data Community
Engage with the other members of the community to get the most out of IBM Cloud Pak for Data and its services. Share best practices as you put your data to work and infuse AI into your business.
Join / Log in
Skip main navigation (Press Enter).
Toggle navigation
Search Options
Cloud Pak for Data Group
View Only
Group Home
Discussion
1.7K
Library
279
Blogs
164
Events
1
Members
4.5K
Back to Blog List
Attribute-based access controls in Cloud Pak for Data 4.5
By
Yalon Gordon
posted
Wed July 13, 2022 01:53 PM
1
Like
From its inception, IBM Cloud Pak for Data was conceived explicitly as a data platform for enterprises that care deeply about the security of their digital assets. For our most recent release (4.5), we have doubled down on this promise with a handful of features and best practices designed to make our clients’ environments bulletproof. One of the ways we hope to improve our clients’ security postures is by introducing a new paradigm — “Attribute Based Access Control” (ABAC) — for determining who can access which resources in Cloud Pak for Data.
Organizations using Cloud Pak for Data today manage their end users’ permissions within the platform by creating “roles” with specific sets of permissions and then assigning individual users to the role that is most appropriate to them. While this framework functionally allows organizations to protect their data and resources, it reaches its practical limits fairly quickly as an organization’s headcount grows. When you have thousands of end users working within an instance of Cloud Pak for Data, assigning and updating their roles becomes a massive task for cluster administrators. We believe that Attribute Based Access Control (ABAC) can address these challenges, reducing the manual effort required to administer Cloud Pak for Data while improving our clients’ security posture.
Rather than rely on the concept of preset roles to determine whether a user should have access to an asset in the platform, ABAC uses the characteristics (known as “attributes”) of a user’s profile to make these decisions. These decisions are guided in advance by rules which administrators can create. For example, once an administrator limits access to payroll data to people whose “department” attribute is “Human Resources,” that rule will be enforced universally within Cloud Pak for Data, eliminating the need to assign each person in HR a role that would provide the same access. Through this mechanism, ABAC improves upon Role Based Access Control (RBAC) by introducing dynamic scalability to access control.
ABAC’s dynamic scalability significantly reduces the burden of administering a Cloud Pak for Data cluster. ABAC is dynamic in that its rules are enforced in real-time. For organizations, this means that if a user’s department (or any other attribute) changes, their permissions are automatically updated, thus ensuring a continuous strong security posture no matter what happens within the organization. Furthermore, ABAC rules enable cluster administration at a massive scale by eliminating the need to constantly create, modify, and assign roles to users. Cluster admins can “set and forget” their access management rules with the knowledge that no matter how many users are onboarded to Cloud Pak for Data, they will be taken care of by ABAC.
Our first implementation of ABAC is just the tip of the iceberg when it comes to its potential to reshape access management in Cloud Pak for Data. Starting in Cloud Pak for Data 4.5.0, clients will be able to take advantage of the benefits of ABAC using
SCIM attributes
from their LDAP servers. As our clients begin to utilize the benefits of ABAC, we will work on extending the benefits our implementation of ABAC affords. We plan on supporting non-SCIM LDAP attributes soon, massively expanding the scope of ABAC use cases that Cloud Pak for Data can support. Further down the line, we see opportunities for more advanced rule-building capabilities and an increased granularity in terms of the kinds of assets one can create rules for.
Cloud Pak for Data has always been about security, and we consider our renewed focus on this aspect of the platform to be crucial for its continued success. ABAC is a great example of our efforts in this area and comes with the added benefit of significantly reducing the manual effort required to administer a large environment. We are excited to see our clients make use of it.
Subscribe and stay tuned for more on Cloud Pak for Data v4.5
#Highlights
#Highlights-home
#Spotlight
0 comments
561 views
Permalink
Cloud Pak for Data
Topic groups
Cloud Pak for Data
Events
Upcoming Cloud Pak for Data Events
On Demand Webinars
IBM Expert TV
Virtual Community Events
All IBM Community Events
Participate
Gamification Program
Post to Forum
Share a Resource
Share your Expertise
Blogging on the Community
Connect with Cloud Pak for Data Users
All IBM Community Users
Resources
Community Front Porch
IBM Champions
IBM Cloud Support
IBM Documentation
IBM Support
IBM Technology Zone
IBM Training
Accelerators catalog
Partner services catalog
Learning center
Developer resources
Marketplace
Marketplace
Copyright © 2020 IBM Data Science Community. All rights reserved.
Powered by Higher Logic