Episode 106

Michael Schwartz edited this page Apr 29, 2025 · 12 revisions

Title: Venn of *BACs

Channels

Description

We need to leverage tokens but no need to create yet another term like "TBAC". Customers are confused enough as it is with RBAC, ABAC, PBAC, and ReBAC... Maybe we need a Venn of *BAC terms.

Homework

Takeaways

  • ⚡ Mike and David agree that OpenID AuthZen is useful as a starting point for a JSON/REST interface, and at the same time, it's not enough for interoperability with profiles. We didn't 100% agree on where to go from here (i.e. how profiles will evolve), or how impactful standardizing just the request/response protocol is.

  • ⚡ David wonders if AWS properly considered ALFA ("The Abbreviated Language for Authorization") before they decided to invent yet another policy syntax, Cedar. He does concede that there is some novelty to the way Cedar formalizes schema definition, and corresponding benefits to static analysis of policy engines.

  • ⚡ Regarding TBAC, David likes the idea of tokens as input to policy. He sees them as "attributes": input to your policies.

  • ⚡ David points out that we have a lot of access control systems, or "BACs". They are not in opposition and overlap in certain areas.

  • ⚡ From an end user perspective, the tech community understands RBAC and ABAC. But all the other BACs have insignificant mind-share, so why bother?
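As an added example, not code from the episode or from any project mentioned in it: a small Python sketch of the "token claims are just attributes" view, mapping the claims of an already-verified JWT onto an AuthZen-style subject and evaluating a single ABAC rule against it. The request shape follows my reading of the AuthZen 1.0 evaluation API; the token, claims, resource, policy rule and helper names are constructed for illustration.

```python
import base64
import json

# Constructed sample JWT (header.payload with an empty signature segment). Everything
# below ASSUMES the enforcement point has already verified the signature and issuer.
def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

SAMPLE_TOKEN = _b64url({"alg": "none", "typ": "JWT"}) + "." + _b64url({
    "sub": "alice@example.com", "iss": "https://idp.example.com",
    "roles": ["analyst"], "department": "finance", "scope": "reports:read profile",
}) + "."

def decode_claims(token: str) -> dict:
    """Extract the payload claims; JWT segments are unpadded base64url, so restore padding."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_to_subject(claims: dict) -> dict:
    """No new *BAC needed: token claims simply become subject attributes."""
    return {"type": "user", "id": claims["sub"],
            "properties": {k: v for k, v in claims.items() if k != "sub"}}

def build_request(claims: dict, resource: dict, action: str) -> dict:
    """AuthZen-style evaluation request: subject / resource / action / context."""
    return {"subject": token_to_subject(claims), "resource": resource,
            "action": {"name": action}, "context": {}}

def evaluate(req: dict) -> dict:
    """Toy PDP with one ABAC rule; a real deployment would delegate to Cedar, ALFA, etc."""
    s = req["subject"]["properties"]
    r = req["resource"]
    scopes = s.get("scope", "").split()
    allowed = (
        req["action"]["name"] == "read" and r["type"] == "report"
        and "analyst" in s.get("roles", [])            # role claim
        and "reports:read" in scopes                   # OAuth scope claim
        and s.get("department") == r.get("properties", {}).get("department")
    )
    return {"decision": allowed}

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    report = {"type": "report", "id": "q1-2025", "properties": {"department": "finance"}}
    print(evaluate(build_request(claims, report, "read")))
```

The rule mixes a role claim, a scope claim and a department attribute in one decision, which is the overlap between the *BACs the episode describes.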

Livestream Audio Archive

