ABSTRACT
Attribute-based access control (ABAC) is a general access control model that subsumes numerous earlier access control models. Its increasing popularity stems from the intuitive generic structure of granting permissions based on application and domain attributes of users, subjects, objects, and other entities in the system. Multiple formal and informal languages have been developed to express policies in terms of such attributes. The utility of ABAC policy languages is potentially undermined without a properly formalized underlying model. The high-level structure in a majority of ABAC models consists of sets of tokens and sets of sets, expressions that demand that the reader unpack multiple levels of sets and tokens to determine what things mean. The resulting reduced readability potentially endangers correct expression, reduces maintainability, and impedes validation. These problems could be magnified in models that employ nonuniform representations of actions and their governing policies. We propose to avoid these magnified problems by recasting the high-level structure of ABAC models in a logical formalism that treats all actions (by users and others) uniformly and that keeps existing policy languages in place by interpreting their attributes in terms of the restructured model. In comparison to existing ABAC models, use of a logical language for model formalization, including hierarchies of types of entities and attributes, promises improved expressiveness in specifying the relationships between and requirements on application and domain attributes. A logical modeling language also potentially improves flexibility in representing relationships as attributes to support some widely used policy languages. Consistency and intelligibility are improved by using uniform means for representing different types of controlled actions---such as regular access control actions, administrative actions, and user logins---and their governing policies. Logical languages also provide a well-defined denotational semantics supported by numerous formal inference and verification tools.
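As an added illustration, not the paper's own formalism or code, the following Python sketch shows the uniform-action idea the abstract argues for: a regular read, an administrative role assignment and a user login are all the same kind of Action value, decided by one set of attribute rules, and attribute values sit in a hierarchy so a rule written for "staff" covers a "physician". All entity names, attributes, departments and rules are constructed for the example.

```python
# Constructed attribute-value hierarchy: a physician counts as a clinician,
# and clinicians and admins both count as staff.
VALUE_PARENT = {"physician": "clinician", "nurse": "clinician",
                "clinician": "staff", "admin": "staff"}

def subsumes(value, wanted):
    """True if value is wanted or lies below it in VALUE_PARENT (reflexive, transitive)."""
    while value is not None:
        if value == wanted:
            return True
        value = VALUE_PARENT.get(value)
    return False

class Entity:
    """Any user, subject or object: a name plus an attribute map."""
    def __init__(self, name, **attrs):
        self.name, self.attrs = name, attrs
    def has(self, attr, wanted):
        return subsumes(self.attrs.get(attr), wanted)

class Action:
    """One shape for every controlled action: regular access, administration, login."""
    def __init__(self, verb, actor, target, *params):
        self.verb, self.actor, self.target, self.params = verb, actor, target, params

def same_dept(a):
    return a.actor.attrs.get("dept") == a.target.attrs.get("dept")

# Policy as (verb, condition) rules over attributes; an action is permitted iff a rule fires.
RULES = [
    # Regular access: any staff member may read a record of their own department.
    ("read", lambda a: a.actor.has("role", "staff") and same_dept(a)),
    # Clinicians may write only records on whose care team they are listed.
    ("write", lambda a: a.actor.has("role", "clinician")
                        and a.actor.name in a.target.attrs.get("care_team", ())),
    # Administrative action: only an admin may assign a role, and only inside their department.
    ("assign_role", lambda a: a.actor.has("role", "admin") and same_dept(a)),
    # Login is governed by the same machinery: active account, and MFA if the portal demands it.
    ("login", lambda a: a.actor.attrs.get("status") == "active"
                        and (not a.target.attrs.get("requires_mfa") or a.actor.attrs.get("mfa"))),
]

def permitted(action):
    return any(verb == action.verb and cond(action) for verb, cond in RULES)

def perform(action):
    """Enforce the decision; administrative actions mutate attributes, which later rules see."""
    if not permitted(action):
        return False
    if action.verb == "assign_role":
        action.target.attrs["role"] = action.params[0]
    return True
```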
Towards Greater Expressiveness, Flexibility, and Uniformity in Access Control