
I've read about the differences between capabilities and access control lists, but to me capabilities seem similar to claims. Can anyone explain the difference, if there is one?

  • Is there even a formal definition? Microsoft uses claims in one way (both for users and resources). Other frameworks may use claims or capabilities in different ways. Do add reference links when you get them because your question is a great one. – David Brossard Jun 10 '15 at 12:39
  • My understanding of Microsoft's definition of claims is that claims say something about an identity, sort of like additional sub-identities, and that these claims are verified by a trusted party. A resource may receive a signed token with some claims and may decide what to do with those claims itself. Claims mean whatever the receiver of the claims interprets them as. The important part is that they are verified by someone you trust. In this way claims are very versatile and can be used as capabilities or roles or whatever. Claims are whatever you make of them. – Sámal Rasmussen Jun 11 '15 at 09:00
  • That's true in the Microsoft .NET framework and in Windows but it is only partially true in SharePoint. – David Brossard Jun 11 '15 at 12:04

1 Answer


Claims and capabilities are both evidence-supported tokens, but they are totally different in terms of intent.

In a capabilities-based access control model, a capability is a token which demonstrates a capability, i.e. a right to perform an action on an object. An important thing to note here is that the capability does not contain any notion of identity, but rather the permission itself. Possession of the capability token is considered evidence towards being able to carry out an operation.

Claims are similar, but they're about identity. A claim says "I am this person", and usually comprises sets of evidence to demonstrate that fact. Kerberos tokens work on this model. Claims are combined with access control lists (ACLs) applied to objects. An ACL might say "user X has permission Y for this object". The user makes a claim to be user X, and provides evidence to prove this fact. If the evidence is accepted, she is allowed to perform operations which require permission Y.

In summary, the main difference is that a capability is a token which provides proof of being allowed to perform a privileged action, whereas a claim is a token which provides proof of identity, which can in turn be used to show proof of being allowed to perform an action in the context of a particular ACL.

Polynomial
  • Ah, reading this and re-reading Wikipedia makes me understand this better: http://en.wikipedia.org/wiki/Claims-based_identity I think ACLs aren't necessary for claims though. A claim says "something" about a principal and the resource can decide itself what that something means - what the user with that claim is allowed to do with the resource. So where capabilities are maps between actions and resources contained in each principal's token, claims are just something that the resource makes a decision about itself. – Sámal Rasmussen Jun 10 '15 at 11:33
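The distinction drawn in the answer and the follow-up comment, as an added example that is not part of the original thread: a capability token names an (object, action) pair and no principal, so the resource checks only possession and integrity; a claims token names a subject, and the resource then decides either via an ACL or via its own reading of the claims. Key names, the ACL contents and the HMAC-over-JSON token format are constructed for illustration.

```python
import hmac, hashlib, json

# Constructed secrets for this example. The resource holds the capability key;
# only the identity provider holds the claims-signing key.
RESOURCE_KEY = b"example-resource-key"
IDP_KEY = b"example-identity-provider-key"

def _sign(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + mac

def _verify(key, token):
    body, _, mac = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, mac):
        return None  # forged or tampered token
    return json.loads(body)

# --- Capability model: the token *is* the permission; no identity inside. ---
def mint_capability(obj, action):
    return _sign(RESOURCE_KEY, {"object": obj, "action": action})

def capability_allows(token, obj, action):
    # Possession of an intact token for exactly this object/action is the whole check.
    cap = _verify(RESOURCE_KEY, token)
    return cap is not None and cap["object"] == obj and cap["action"] == action

# --- Claims model: the token is evidence of identity; the resource decides. ---
ACL = {"report.pdf": {"alice": {"read"}, "bob": {"read", "write"}}}

def issue_claims(subject, **attrs):
    # Issued by the trusted identity provider: "I am <subject>" plus extra attributes.
    return _sign(IDP_KEY, {"sub": subject, **attrs})

def claims_allow(token, obj, action):
    # The answer's picture: accepted identity claim, then an ACL lookup on the object.
    claims = _verify(IDP_KEY, token)
    if claims is None:
        return False
    return action in ACL.get(obj, {}).get(claims["sub"], set())

def claims_allow_by_attribute(token, obj, action):
    # The comment's picture: no ACL; the resource interprets the claim itself.
    # Constructed local policy: anyone the IdP vouches for as "auditor" may read.
    claims = _verify(IDP_KEY, token)
    return claims is not None and claims.get("role") == "auditor" and action == "read"
```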