Introduction to IAM and common access control models

Source: Internet
Author: User

1. IAM
IAM is the abbreviation of Identity and Access Management. IAM is a comprehensive set of business processes and management tools for establishing and maintaining digital identities and for providing effective, secure access to IT resources, so that an organization achieves unified identity authentication, authorization, and centralized management and audit of identity data for its information assets. In layman's terms: IAM lets the right natural person access authorized information assets at the right time in a unified manner, and provides a model and platform for centralized digital identity management, authentication, authorization and audit. In summary, IAM is a comprehensive concept.


2. Common access control models

(1) ACL, access control list

ACL is the earliest and most basic access control mechanism, and its principle is very simple. Each resource has a list that records which users can perform which CRUD operations on that resource. When the system attempts to access the resource, it first checks whether the list contains an entry for the current user, to determine whether that user can perform the requested action. Generally speaking, ACL is a resource-oriented access control model: its mechanism is built around "resources".
Because the ACL is so simple, it can provide access control with little or no supporting infrastructure. Its shortcomings are just as obvious: because a large number of access lists must be maintained, ACL has clear performance flaws. In addition, for applications with a large number of users and many resources, managing the access control lists themselves becomes a very heavy task.

(2) RBAC, role-based access control
RBAC categorizes users by role and decides whether a user can perform an action on a resource according to the user's role. Its biggest advantage over ACLs is that it simplifies the management of users and permissions: users are classified into roles, roles are associated with permissions, and the association between users and permissions becomes indirect. The RBAC model makes access control, and especially user authorization management, simple and easy to maintain, so it is widely used. It also has its own shortcoming: because permissions are assigned with the role as the carrier, RBAC can do nothing when individual users under a role need customized permissions, such as adding a small portion of another role's permissions or removing some permissions of the current role, because RBAC assigns permissions with the role as the unit.

The permissions model for RBAC is as follows:


In the figure above, the model is structured as user -> group -> role -> privilege. A user belongs to a user group, roles are not assigned to users directly, and each role is associated with a set of privileges. A user and its final privileges are associated indirectly, through the group and role links.
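The ACL lookup from (1) and the user -> group -> role -> privilege chain from (2), side by side, as an added example that is not from the original article. All user, group, role and resource names are constructed, and the helper functions are hypothetical. The last two functions show the RBAC shortcoming described above: a privilege can only be granted to a whole role.

```python
# Added illustration; every name and data value below is constructed.

# ACL: each resource carries its own list of which user may perform which CRUD operation.
ACL = {
    "invoice-17": {"alice": {"read", "update"}, "bob": {"read"}},
    "invoice-18": {"alice": {"read"}},
}

def acl_allows(user, op, resource):
    """Resource-oriented check: look the user up in the resource's own list."""
    return op in ACL.get(resource, {}).get(user, set())

# RBAC: user -> group -> role -> privilege. Privileges attach only to roles.
USER_GROUPS = {"alice": {"finance"}, "bob": {"finance", "audit"}, "carol": set()}
GROUP_ROLES = {"finance": {"invoice-editor"}, "audit": {"invoice-auditor"}}
ROLE_PRIVS = {
    "invoice-editor": {("invoice", "read"), ("invoice", "update")},
    "invoice-auditor": {("invoice", "read"), ("audit-log", "read")},
}

def effective_privileges(user):
    """Follow the indirect chain and return the union of privileges reached."""
    privs = set()
    for group in USER_GROUPS.get(user, set()):
        for role in GROUP_ROLES.get(group, set()):
            privs |= ROLE_PRIVS.get(role, set())
    return privs

def rbac_allows(user, op, resource_type):
    """Default deny: unknown users, groups or roles resolve to no privileges."""
    return (resource_type, op) in effective_privileges(user)

def grant_role_privilege(role, resource_type, op):
    """The only grant this model offers: the privilege goes to the whole role."""
    ROLE_PRIVS.setdefault(role, set()).add((resource_type, op))

def users_with(resource_type, op):
    """Audit helper: every known user who currently holds the privilege."""
    return sorted(u for u in USER_GROUPS if rbac_allows(u, op, resource_type))

if __name__ == "__main__":
    print(acl_allows("bob", "update", "invoice-17"))   # per-resource, per-user entry
    print(sorted(effective_privileges("bob")))         # union over both of bob's groups
    # Intending "delete" for alice only still means granting it to her role:
    grant_role_privilege("invoice-editor", "invoice", "delete")
    print(users_with("invoice", "delete"))             # bob holds it as well
```

When reviewing a role change, running an audit such as `users_with` before and after the grant shows every user the change actually reaches.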

(3) In addition to the two main models above, there are also attribute-based access control (ABAC), policy-based access control (PBAC) and others; because they are not very widely applied, they are not introduced here.



References from:

http://blog.csdn.net/painsonline/article/details/7183613/
