Abstract
Access control is one of the key mechanisms used for protecting system resources. While each of the existing access control models has its own benefits, it is difficult to satisfy all the requirements of a contemporary system with a single model. In this paper, we propose a unified model by combining three existing well-known models – Role-based Access Control (RBAC), Mandatory Access Control (MAC), and Attribute-based Access Control (ABAC) – in a novel way. The proposed model, named Samyukta, combines these three models in a modular way and uses them in a specific order so that the modules complement each other and we gain benefits of all three models. The widely used RBAC, with its roles, provides scalability, auditability, and easy management. With its labels, MAC provides Information Flow Control (IFC), and ABAC, with its attributes, provides flexible, context-aware, fine-grained access control. Along with these benefits, Samyukta also has advantages with respect to expressiveness, performance, and verifiability. We provide a relative comparison of our model with an existing model and also present a prototype implementation of Samyukta and demonstrate its efficiency.
Acknowledgement
The work presented in this paper was done at the Indian Institute of Technology Bombay and was supported by the Information Security Research and Development Centre, Ministry of Electronics and Information Technology, Government of India.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Radhika, B.S., Kumar, N.V.N., Shyamasundar, R.K. (2022). Samyukta: A Unified Access Control Model using Roles, Labels, and Attributes. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_5
DOI: https://doi.org/10.1007/978-3-031-23690-7_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23689-1
Online ISBN: 978-3-031-23690-7
eBook Packages: Computer Science, Computer Science (R0)