Abstract
Access control models allow expressing access control rules (also called policies) stating that certain subjects (or users) have or do not have the right (or privilege) to access certain objects in order to execute certain actions under certain conditions. Several existing models allow expressing rules only for specific subjects, objects and actions. Role-based access control (RBAC) introduced the notion of role, which is an abstraction over subjects. Organization-based access control (OrBAC) generalized further, by allowing specifying rules involving abstract subjects, abstract actions and abstract objects. We propose here a model that allows expressing rules involving any combinations of abstract or concrete subjects, actions and objects, as well as conditions over them. For this reason, our model is called concrete- and abstract-based access control model (CABAC). The semantics of our model is expressed in terms of first order predicate logic. Temporal, spatial, knowledge and historical contexts can be specified and combined. We show how in this model it is possible to express hierarchies of subjects, objects and actions as well as propagation of policies over hierarchies. Further, while in most models subjects, objects and actions, whether concrete or abstract, must be specified statically, it is possible in our model to specify subjects, actions and objects dynamically, i.e., according to conditions that can vary over time. Access control rules can also be explicitly revoked and subjected to different types of constraints, among which are cardinality constraints and separation of duties.
Similar content being viewed by others
References
AbouElKalam, A., El Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C., Trouessin, G.: Organization based access control. In: Proceedings of IEEE 4th International Workshop on Policies for Distributed Systems and Networks (POLICY 2003), pp. 120–134, Lake Come, Italy, June (2003)
Adi, K., Bouzida, Y., Hattak, I., Logrippo, L., Mankovskii S.: Typing for conflict detection in access control policies. In: E-Technologies: Innovation in an Open World. Proceedings of the 4th International Conference on MCETECH 2009, pp. 212–226. Springer, Berlin (2009)
Benferhat, S., ElBaida, R., Cuppens, F.: A stratification-based approach for handling conflicts in access control. In: SACMAT2003, pp. 189–195 (2003)
Bertino E., Bonati P.A., Ferrari E.: Trbac: a temporal role-based access control model. ACM Transactions on Information and System Security 4(3), 191–223 (2001)
Bertino, E., Catania, B., Damiani, M.L., Perlasca, P.: Geo-rbac: a spatially aware rbac. ACM Transactions on Information and System Security (TISSEC), 10(1), February (2007)
Bertino, E., Jajodia, S., Samarati, P.: Supporting multiple access control policies in database systems. In: IEEE Symposium on Security and Privacy, pp. 94–107 (1996)
Bouzida, Y.: Managing security rules conflicts. European Patent Number 07 114 047.9, August (2007)
Bouzida, Y.: Online security rules conflict management. European Patent Number 07 114 046.1, August (2007)
Computer Associates: Computer Associates Embedded Entitlement Manager (CA-EEM). http://www.ca.com/us/products/product.aspx?id=5423 (2009)
Crampton, J., Khambhammettu, H.: Delegation in role-based access control. In: 11th European Symposium on Research in Computer Security (ESORICS’2006), pp. 174–191, September (2006)
Cuppens, F., Boulahia-Cuppens, N., Bouzida, Y., Kanoun, W., Croissant, A.: Expression and deployment of reaction policies. In: IEEE (ed) SITIS Workshop ”Web-Based Information Technologies & Distributed Systems (WITDS) (2008)
Cuppens F., Cuppens-Boulahia N., BenGhorbel M.: High level conflict management strategies in advanced access control models. Electr. Notes Theor. Comput. Sci. 186, 3–26 (2007)
Cuppens, F., Miège, A.: Modelling contexts in the Or-BAC model. In: Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003), pp. 416–427. Las Vegas, Nevada, December (2003)
Ferraiolo, D.F., Kuhn, R.: Role-based access controls. In: Ruthberg, Z., Polk, W. (eds.) Proceedings of the 15th NIST-NSA National Computer Security Conference, pp. 554–563. Baltimore, Maryland, pp. 13–16, October (1992)
Jajodia, S., Samarati, P., Subrahmanian, V.S.: A logical language for expressing authorizations. In: IEEE Symposium on Security and Privacy, pp. 31–42 (1997)
Joshi J.B.D., Bertino E., Latif U., Ghafoor A.: A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng. 17(1), 4–23 (2005)
Kamoda H., Yamaoka M., Matsuda S., Broda K., Sloman M.: Access control policy analysis using free variable tableaux. IPSJ Digital Courier 2, 207–221 (2006)
Lampson, B.: Protection. In: 5th Princeton Symposium on Information Sciences and Systems, pp. 437–443, March (1971)
Park, J., Sandhu, R.: The UCON-ABC usage control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(1), February (2004)
Sandhu R.S., Coyne E.J., Feinstein H.L., Youman C.E.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996)
Weissman, V., Halpern, J.Y.: Using first-order logic to reason about policies. In: 16th IEEE Computer Security Foundations Workshop (CSFW2003) (2003)
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bouzida, Y., Logrippo, L. & Mankovski, S. Concrete- and abstract-based access control. Int. J. Inf. Secur. 10, 223–238 (2011). https://doi.org/10.1007/s10207-011-0138-1
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-011-0138-1