Attribute-based access controls in Cloud Pak for Data 4.5
By
Yalon Gordon
posted
Wed July 13, 2022 01:53 PM
From its inception, IBM Cloud Pak for Data was conceived explicitly as a data platform for enterprises that care deeply about the security of their digital assets. For our most recent release (4.5), we have doubled down on this promise with a handful of features and best practices designed to make our clients’ environments bulletproof. One of the ways we hope to improve our clients’ security postures is by introducing a new paradigm — “Attribute Based Access Control” (ABAC) — for determining who can access which resources in Cloud Pak for Data.
Organizations using Cloud Pak for Data today manage their end users’ permissions within the platform by creating “roles” with specific sets of permissions and then assigning individual users to the role that is most appropriate to them. While this framework functionally allows organizations to protect their data and resources, it reaches its practical limits fairly quickly as an organization’s headcount grows. When you have thousands of end users working within an instance of Cloud Pak for Data, assigning and updating their roles becomes a massive task for cluster administrators. We believe that Attribute Based Access Control (ABAC) can address these challenges, reducing the manual effort required to administer Cloud Pak for Data while improving our clients’ security posture.
Rather than rely on the concept of preset roles to determine whether a user should have access to an asset in the platform, ABAC uses the characteristics (known as “attributes”) of a user’s profile to make these decisions. These decisions are guided in advance by rules which administrators can create. For example, once an administrator limits access to payroll data to people whose “department” attribute is “Human Resources,” that rule will be enforced universally within Cloud Pak for Data, eliminating the need to assign each person in HR a role that would provide the same access. Through this mechanism, ABAC improves upon Role Based Access Control (RBAC) by introducing dynamic scalability to access control.
ABAC’s dynamic scalability significantly reduces the burden of administering a Cloud Pak for Data cluster. ABAC is dynamic in that its rules are enforced in real time. For organizations, this means that if a user’s department (or any other attribute) changes, their permissions are automatically updated, ensuring a continuously strong security posture no matter what happens within the organization. Furthermore, ABAC rules enable cluster administration at a massive scale by eliminating the need to constantly create, modify, and assign roles to users. Cluster admins can “set and forget” their access management rules with the knowledge that no matter how many users are onboarded to Cloud Pak for Data, they will be taken care of by ABAC.
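As an added illustration of the mechanism described above (a hypothetical evaluator written for this post, not Cloud Pak for Data’s own engine), the payroll rule is expressed as deny-by-default attribute matching over SCIM-shaped user records; the rule shape, function names and sample users are assumptions, while the enterprise-extension URN that carries `department` is the standard SCIM one. The point it makes: changing a user’s department in the directory changes the access decision with no role reassignment, and a deactivated user loses access the same way.

```python
"""Minimal ABAC policy evaluator modelled on the payroll-data rule.
Hypothetical example code; not Cloud Pak for Data's implementation."""
from dataclasses import dataclass, field

# SCIM 2.0 enterprise user extension: where "department" lives in a SCIM record
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


@dataclass(frozen=True)
class Rule:
    resource: str                 # asset (or asset class) the rule governs
    attribute: str                # user attribute the rule keys on, e.g. "department"
    allowed_values: frozenset     # attribute values that satisfy the rule
    actions: frozenset = field(default_factory=lambda: frozenset({"read"}))


def user_attributes(scim_user: dict) -> dict:
    """Flatten core SCIM attributes and the enterprise extension into one lookup."""
    attrs = {k: v for k, v in scim_user.items() if k != ENTERPRISE_EXT}
    attrs.update(scim_user.get(ENTERPRISE_EXT, {}))
    return attrs


def is_allowed(scim_user: dict, resource: str, action: str, rules: list) -> bool:
    """Deny by default; grant only if the user is active and some rule matches.
    A missing attribute never matches, so unknown users cannot slip through."""
    attrs = user_attributes(scim_user)
    if not attrs.get("active", False):
        return False
    return any(
        rule.resource == resource
        and action in rule.actions
        and attrs.get(rule.attribute) in rule.allowed_values
        for rule in rules
    )


def transfer(scim_user: dict, new_department: str) -> dict:
    """Simulate the directory (LDAP/SCIM) updating the department attribute.
    Nothing about roles changes; the next decision simply reads the new value."""
    ext = {**scim_user.get(ENTERPRISE_EXT, {}), "department": new_department}
    return {**scim_user, ENTERPRISE_EXT: ext}


# The rule from the post: payroll data is readable only by Human Resources
RULES = [Rule("payroll", "department", frozenset({"Human Resources"}))]

# Constructed sample users in SCIM shape (not real directory data)
ALICE = {"userName": "alice", "active": True, ENTERPRISE_EXT: {"department": "Human Resources"}}
BOB = {"userName": "bob", "active": True, ENTERPRISE_EXT: {"department": "Engineering"}}
```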
Our first implementation of ABAC is just the tip of the iceberg when it comes to its potential to reshape access management in Cloud Pak for Data. Starting in Cloud Pak for Data 4.5.0, clients will be able to take advantage of the benefits of ABAC using SCIM attributes from their LDAP servers. As our clients begin to use ABAC, we will extend what our implementation can do. We plan on supporting non-SCIM LDAP attributes soon, massively expanding the scope of ABAC use cases that Cloud Pak for Data can support. Further down the line, we see opportunities for more advanced rule-building capabilities and increased granularity in the kinds of assets one can create rules for.
Cloud Pak for Data has always been about security, and we consider our renewed focus on this aspect of the platform to be crucial for its continued success. ABAC is a great example of our efforts in this area and comes with the added benefit of significantly reducing the manual effort required to administer a large environment. We are excited to see our clients make use of it.
Subscribe and stay tuned for more on Cloud Pak for Data v4.5
#CloudPakforDataGroup
#Highlights
#Highlights-home
#Spotlight
Permalink: https://community.ibm.com/community/user/blogs/yalon-gordon/2022/07/13/attribute-based-access-controls-in-cloud-pak-for-d