
A Graph-Based Framework for ABAC Policy Enforcement and Analysis

Conference paper
Data and Applications Security and Privacy XXXVIII (DBSec 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14901)

Abstract

In the realm of access control mechanisms, Attribute-Based Access Control (ABAC) stands out for its dynamic and fine-grained approach, enabling permissions to be allocated based on attributes of subjects, objects, and the environment. This paper introduces a graph model for ABAC, named \(G_{ABAC}\). \(G_{ABAC}\) leverages directional flow capacities to enforce access control policies, mapping the potential pathways between a subject and an object to ascertain access rights. Furthermore, graph-based modeling of ABAC enables the use of readily available commercial graph database systems to implement ABAC. As a result, enforcement and analysis of ABAC can be accomplished simply through graph queries. In particular, we demonstrate this using the Neo4j graph database and present the performance of executing enforcement and different analysis queries.



Acknowledgments

This research was supported in part by the National Science Foundation award CNS-1747728, the National Institutes of Health award R35GM134927 and a grant from CISCO Research. The content is solely the responsibility of the authors and does not necessarily represent the official views of the agencies funding the research.

Author information

Corresponding author

Correspondence to Mian Yang.

A Python and Neo4j Code

A.1 Code for Access Request Evaluation

(Code listing reproduced as an image in the original.)

A.2 Code for User-Centric Analysis

(Code listing reproduced as an image in the original.)

A.3 Code for Object-Centric Analysis

(Code listing reproduced as an image in the original.)


Copyright information

© 2024 IFIP International Federation for Information Processing

About this paper


Cite this paper

Yang, M., Atluri, V., Sural, S., Vaidya, J. (2024). A Graph-Based Framework for ABAC Policy Enforcement and Analysis. In: Ferrara, A.L., Krishnan, R. (eds) Data and Applications Security and Privacy XXXVIII. DBSec 2024. Lecture Notes in Computer Science, vol 14901. Springer, Cham. https://doi.org/10.1007/978-3-031-65172-4_1


  • DOI: https://doi.org/10.1007/978-3-031-65172-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-65171-7

  • Online ISBN: 978-3-031-65172-4

  • eBook Packages: Computer Science (R0)
