40

What is the difference between "role based authorization" and "claim based authorization"? Under which circumstances would it be appropriate to implement each of these authorization models?

Todd Dill
  • 181
  • 5
user960567
  • 2,461
  • 4
  • 16
  • 16

2 Answers2

33

Claims are a method of providing information about a user, and roles are a description of a user by way of which roles they belong.

Claims are generally more useful because they can contain arbitrary data -- including role membership information. E.g. whatever is useful for the given application.

Claim Based identities are more useful, but tend to be trickier to use because there's a lot of setup involved for acquiring the claims in the first place. RBAC identities are less useful because they are just a collection of roles, but they are generally easier to setup.

The .NET stack, and Windows as a whole, is going claims. Windows authn tickets are claims, and Active Directory now has the ability to use claims for certain functions. The .NET stack uses a claims identity as the base identity object now by default.

Steve
  • 15,155
  • 3
  • 37
  • 66
20

As @SteveS said, RBAC is an authorization model whereas claims are a way of providing information about a user. It generalizes the notion of a role. In the past identity servers would simply provide applications the username and the list of roles/groups. Claims generalize this such that any user attribute can be passed on to the consuming application.

The authorization itself still handles authorization using the claims and its own logic. Microsot SharePoint and Windows Server 2012 are good examples of applications using claims to deliver finer-grained authorization. SharePoint assumes that if a user has at least one claim that is also assigned to a site / document, then access is permitted. Windows Server 2012 has a language called SDDL which can be used to combine user claims and file classification information.

Generally, though, you want to compare RBAC (role-based access control) to ABAC (attribute-based access control). Both are authorization models defined by NIST. Both can use claims but not necessarily. Also, claims are very user-centric whereas ABAC lets you define authorization based on user attributes (claims) as well as resource (object) attributes and even context (time of the day...).

ABAC is implemented in the OASIS XACML standard (eXtensible Access Control Markup Language) which provides you with attribute- and policy-based access control.

Here are some good references you can check out:

David Brossard
  • 1,360
  • 7
  • 16