Cell-based Access Control (CBAC) in Accumulo is a powerful and flexible feature, but it has drawbacks when addressing complex access control (AC) requirements. Security architects cannot include data types, range operators, exceptions, or environment variables in policies for dynamic access control evaluation. Complex AC requirements can be met by implementing the AC mechanism at the application layer, but this approach has drawbacks of its own: developing another layer of AC adds overhead to both system design and performance.
In this talk, we present our mechanism to extend Accumulo's Security Labels to include Attributes and XACML. This allows significantly increased access control policy expressivity, improved policy administration, and the opportunity to implement access control models such as Attribute-Based Access Control (ABAC) and Risk-Adaptable Access Control (RAdAC) in Accumulo. We will also discuss combining Accumulo's approach with ours to increase the capabilities of Accumulo even further. Different types of attributes can be introduced to achieve both finer-grained and coarser-grained control over data, according to access control requirements. For instance, environment attributes can be used to limit access to a cell to a specific client location, whereas system-specific information such as namespace/table/column can be used to simplify (or complicate) the policies.
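The gap described above, as an added sketch that is neither Accumulo's code nor the mechanism presented in the talk: a simplified evaluator for Accumulo-style label expressions (which can only test whether the caller holds a token) next to an attribute rule with a range operator and an environment attribute. The rule format, the `OPS` table, the and-combination in `cell_visible`, and all sample values are assumptions constructed for illustration.

```python
import operator
import re

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

def label_visible(expr, auths):
    """Simplified Accumulo-style label check: tokens, & and |, parentheses."""
    toks = re.findall(r"[A-Za-z0-9_.:/-]+|[&|()]", expr)
    if not toks:
        return True  # an empty label is visible to everyone
    pos = 0

    def term():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            val = expression()
            pos += 1  # consume ")"
            return val
        return tok in auths  # set membership is all a label can test

    def expression():
        nonlocal pos
        val, op = term(), None
        while pos < len(toks) and toks[pos] in ("&", "|"):
            if op not in (None, toks[pos]):
                raise ValueError("mixing & and | needs parentheses")
            op = toks[pos]
            pos += 1
            rhs = term()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val

    return expression()

def attribute_visible(conditions, attrs):
    """Hypothetical rule format: (attribute, operator, value); all must hold."""
    return all(a in attrs and OPS[op](attrs[a], v) for a, op, v in conditions)

def cell_visible(label, conditions, auths, attrs):
    """Assumed combination: the label and the attribute rule must both allow."""
    return label_visible(label, auths) and attribute_visible(conditions, attrs)

# Constructed sample cell policy and request context.
LABEL = "(finance&audit)|admin"
RULE = [("clearance", ">=", 3), ("location", "==", "HQ")]

if __name__ == "__main__":
    auths = {"finance", "audit"}
    print(cell_visible(LABEL, RULE, auths, {"clearance": 4, "location": "HQ"}))
    print(cell_visible(LABEL, RULE, auths, {"clearance": 4, "location": "remote"}))
```

The same caller with the same authorization tokens is allowed from one location and denied from another, a distinction the label expression alone cannot make.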