Why use ACLs for authorization and not ABAC?

To me, using WAC for authorization doesn't look like a future-proof solution. Over the years, ACL-based authorization proved to be ineffective because it can't express many types of authorization scenarios. ACLs are user-, agent- and group-based, which is in my opinion a severe limitation.

An attribute-based kind of authorization system might be a much better approach. (Somewhere in the docs I think I saw a claim that WAC is attribute-based, but it most definitely isn't.) With attributes, one can express authorization, besides users and groups, in terms of properties, such as allowing access to data to certified medical personnel, being over 18, having a valid social security number, etc.

ACLs are a well-established and understood mechanism, including all their drawbacks, but for Solid they are likely to become a limiting factor. So, my question is why ACL-based authorization was chosen as the basis for authorization and not true ABAC?

Related to this is using attributes for authentication [2].

[1] ABAC
[2] Attribute based authentication: IRMA

3 Likes
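The contrast the post draws, as an added example that is not part of the original post and not code from WAC or Solid: a minimal ACL check (decisions keyed only on agent or group identity) beside a minimal ABAC policy (decisions as predicates over subject, resource and environment attributes), run over constructed agents. The attribute names (`medical_cert_valid_until`, `date_of_birth`), the two permit rules, the agents and the dates are all invented for the illustration. The ABAC side shows the cases the post mentions that an ACL cannot state directly: a certification that has to be currently valid, and an age threshold evaluated against the current date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable


def is_adult(date_of_birth: date, today: date) -> bool:
    """True once the subject has reached their 18th birthday."""
    try:
        eighteenth = date_of_birth.replace(year=date_of_birth.year + 18)
    except ValueError:
        # Born on 29 February: the birthday falls on 1 March in a non-leap year.
        eighteenth = date(date_of_birth.year + 18, 3, 1)
    return today >= eighteenth


# ---- ACL model: the decision depends only on who the agent is (or which group) ----
@dataclass
class Acl:
    entries: dict[str, set[str]]   # principal (agent or group) -> allowed modes
    groups: dict[str, set[str]]    # group name -> member agent ids

    def allows(self, agent: str, mode: str) -> bool:
        if mode in self.entries.get(agent, set()):
            return True
        return any(mode in self.entries.get(group, set())
                   for group, members in self.groups.items() if agent in members)


# ---- ABAC model: the decision is a predicate over attributes of the request ----
@dataclass
class Request:
    subject: dict       # attributes of the requesting agent
    resource: dict      # attributes of the thing being accessed
    action: str
    environment: dict   # contextual attributes, e.g. the current date


Rule = Callable[[Request], bool]


class AbacPolicy:
    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def allows(self, req: Request) -> bool:
        # Deny by default; access is granted only if some permit rule matches.
        return any(rule(req) for rule in self.rules)


def certified_staff_may_read_medical_records(req: Request) -> bool:
    # Hypothetical rule: certification must exist and still be valid today.
    valid_until = req.subject.get("medical_cert_valid_until")
    return (req.resource.get("type") == "medical-record"
            and req.action == "read"
            and valid_until is not None
            and valid_until >= req.environment["today"])


def adults_may_read_age_restricted(req: Request) -> bool:
    # Hypothetical rule: age is derived from date of birth at evaluation time.
    dob = req.subject.get("date_of_birth")
    return (req.resource.get("age_restricted") is True
            and req.action == "read"
            and dob is not None
            and is_adult(dob, req.environment["today"]))


def demo(today: date = date(2024, 6, 1)) -> dict[str, bool]:
    """Constructed scenario contrasting the two models on the same agents."""
    acl = Acl(entries={"doctors": {"read"}}, groups={"doctors": {"bob"}})
    policy = AbacPolicy([certified_staff_may_read_medical_records,
                         adults_may_read_age_restricted])
    medical_record = {"type": "medical-record"}
    restricted_doc = {"type": "document", "age_restricted": True}
    env = {"today": today}

    bob_valid = {"id": "bob", "date_of_birth": date(1980, 5, 5),
                 "medical_cert_valid_until": date(2025, 1, 1)}
    bob_expired = dict(bob_valid, medical_cert_valid_until=date(2024, 1, 1))
    carol = {"id": "carol", "date_of_birth": date(2010, 1, 1)}   # minor
    dave = {"id": "dave", "date_of_birth": date(2000, 1, 1)}     # adult, no certification

    return {
        # The ACL grants bob access for as long as someone keeps him in "doctors";
        # it has no way to notice that his certification has lapsed.
        "acl_bob_read": acl.allows("bob", "read"),
        "acl_dave_read": acl.allows("dave", "read"),
        "abac_bob_valid_cert": policy.allows(Request(bob_valid, medical_record, "read", env)),
        "abac_bob_expired_cert": policy.allows(Request(bob_expired, medical_record, "read", env)),
        "abac_carol_minor_restricted": policy.allows(Request(carol, restricted_doc, "read", env)),
        "abac_dave_adult_restricted": policy.allows(Request(dave, restricted_doc, "read", env)),
        "abac_dave_medical_record": policy.allows(Request(dave, medical_record, "read", env)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'permit' if decision else 'deny'}")
```

The point of the two `bob` requests is the one the post makes: under the ACL, revoking access when a certification expires is a group-maintenance task someone has to remember to do, whereas the ABAC rule re-evaluates the attribute on every request and denies by default once it no longer holds.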