research-article

Towards a Theory for Semantics and Expressiveness Analysis of Rule-Based Access Control Models

Authors:

Amirreza Masoumzadeh,

Paliath Narendran,

Padmavathi IyerAuthors Info & Claims

SACMAT '21: Proceedings of the 26th ACM Symposium on Access Control Models and Technologies

Pages 33 - 43

https://doi.org/10.1145/3450569.3463569

Published: 11 June 2021 Publication History

Abstract

Recent access control models such as attribute-based access control and relationship-based access control allow flexible expression of authorization policies using the concepts of rules and conditional expressions. The independent nature of policy rules from each other and the amount of flexibility that they enjoy (e.g., the type of conditional expressions they support and whether they can permit or deny matching requests) make those policies quite expressive. But how expressive are they? Do we need to enable all possible flexibilities in a rule-based model to achieve the maximum possible expressiveness? Answering such questions is essential in making informed decisions when designing new models or choosing existing models for implementation. In this paper, we propose an approach towards answering those questions by developing a novel theory for capturing the semantics of rule-based policies depending on their support of different constructs such as flexibility of conditional expressions, rule modalities, and conflict resolution. Our formal policy semantics model enjoys an intuitive design that can capture the semantics of various rule-based policies. We show the well-formedness properties of such semantics and how they can be used to analyze the expressive power of a number of rule-based models.

References

[1]

G. Bruns, P. Fong, I. Siahaan, and M. Huth. Relationship-based access control: its expression and enforcement through hybrid logic. In Proceedings of the Second ACM Conference on Data and Application Security and Privacy, CODASPY'12, pages 117--124, New York, NY, USA. ACM, 2012.

Digital Library

[2]

B. Carminati, E. Ferrari, R. Heatherly, M. Kantarcioglu, and B. Thuraisingham. Semantic web-based social network access control. Computers Security, 30(2):108--115, Mar. 2011. issn: 01674048.

Digital Library

[3]

Y. Cheng, J. Park, and R. Sandhu. An access control model for online social networks using user-to-user relationships.IEEE Transactions on Dependable and Secure Computing, 13(4):424--436, July 2016. issn: 1545--5971.

Digital Library

[4]

Y. Cheng, J. Park, and R. Sandhu. Relationship-based access control for online social networks: beyond user-to-user relationships. In Proc. 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Conference on Social Computing, pages 646--655, Sept. 2012.

Digital Library

[5]

J. Crampton and C. Morisset. PTaCL: a language for attribute-based access control in open systems. In International Conference on Principles of Security and Trust, pages 390--409. Springer, 2012.

Digital Library

[6]

J. Crampton and J. Sellwood. ARPPM: administration in the RPPM model. In Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, CODASPY '16, pages 219--230, New York, NY, USA. ACM, 2016.

Digital Library

[7]

J. Crampton and J. Sellwood. Path conditions and principal matching: a new approach to access control. In Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, SACMAT '14, pages 187--198, New York, NY, USA. ACM, 2014.

Digital Library

[8]

J. Crampton and J. Sellwood. Relationships, Paths and Principal Matching: A New Approach to Access Control. arXiv:1505.07945 [cs], May 29, 2015. arxiv:1505.07945;

[9]

J. Crampton and C. Williams. On completeness in languages for attribute-based access control. In Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies, SACMAT '16, pages 149--160, New York, NY, USA. ACM, 2016.

Digital Library

[10]

eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS, 2013.

[11]

P. W. Fong. Relationship-based access control: protection model and policy language. InProc. CODASPY '11, pages 191--202, San Antonio, TX, USA. ACM, 2011.

Digital Library

[12]

P. W. Fong and I. Siahaan. Relationship-based access control policies and their policy languages. In Proc. 16th ACM Symposium on Access Control Models and Technologies, SACMAT '11, pages 51--60, Innsbruck, Austria. ACM, 2011.

Digital Library

[13]

M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Commun. ACM, 19(8):461--471, Aug. 1976.issn: 0001-0782.

Digital Library

[14]

H. Hu and G.-J. Ahn. Multiparty authorization framework for data sharing in online social networks. In Y. Li, editor, Proceedings of the 25th annual IFIP WG11.3 conference on Data and applications security and privacy, volume 6818 of Lecture Notes in Computer Science, pages 29--43. Springer Berlin / Heidelberg,2011.

[15]

X. Jin, R. Krishnan, and R. Sandhu. A unified attribute-based access control model covering DAC, MAC and RBAC. In Data and Applications Security and Privacy XXVI. IFIP Annual Conference on Data and Applications Security and Privacy, Lecture Notes in Computer Science, pages 41--55. Springer, Berlin, Heidelberg, July 11, 2012.

Digital Library

[16]

J. B. D. Joshi, E. Bertino, and A. Ghafoor. An analysis of expressiveness and design issues for the generalized temporal role-based access control model. IEEE Transactions on Dependable and Secure Computing, 2(2):157--175, 2005.

Digital Library

[17]

J. B. D. Joshi, E. Bertino, U. Latif, and A. Ghafoor. A generalized temporal role-based access control model. IEEE Transactions on Knowledge and Data Engineering, 17(1):4--23, 2005. issn: 1041--4347.

Digital Library

[18]

S. Kandala, R. Sandhu, and V. Bhamidipati. An attribute based framework for risk-adaptive access control models. In 2011 Sixth International Conference on Availability, Reliability and Security, pages 236--241. IEEE, 2011.

Digital Library

[19]

N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust-management framework. In Proceedings 2002 IEEE Symposium on Security and Privacy, pages 114--130. IEEE, 2002.

[20]

N. Li and M. V. Tripunitara. Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur., 9(4):391--420, Nov. 2006. issn: 1094--9224.

Digital Library

[21]

N. Li and W. H. Winsborough. Beyond proof-of-compliance: safety and avail-ability analysis in trust management. In Proceedings of the 2003 Symposium on Security and Privacy, pages 123--139, May 2003.

[22]

D. Lin, P. Rao, E. Bertino, N. Li, and J. Lobo. EXAM: a comprehensive environment for the analysis of access control policies.International Journal of Information Security, 9(4): 253--273, Aug. 2010. issn: 1615--5262.

Digital Library

[23]

A. Masoumzadeh and J. Joshi. OSNAC: an ontology-based access control model for social networking systems. In Proc. 2nd IEEE Int'l Conference on Information Privacy, Security, Risk and Trust (PASSAT 2010), pages 751--759, Minneapolis, MN, USA, Aug. 2010.

Digital Library

[24]

E. Pasarella and J. Lobo. A datalog framework for modeling relationship-based access control policies. In Proceedings of the 22Nd ACM on Symposium on Access Control Models and Technologies, pages 91--102, New York, NY, USA. ACM, 2017.

Digital Library

[25]

P. Rao, D. Lin, E. Bertino, N. Li, and J. Lobo. An algebra for fine-grained integration of XACML policies. In Proceedings of the 14th ACM symposium on Access control models and technologies, SACMAT '09, pages 63--72, New York,NY, USA. Association for Computing Machinery, June 3, 2009.

Digital Library

[26]

A. Sasturkar, P. Yang, S. D. Stoller, and C. R. Ramakrishnan. Policy analysis for administrative role based access control. In Proceedings of the 19th IEEE Computer Security Foundations Workshop (CSFW'06), 13 pp.--138, 2006.

Digital Library

[27]

D. Servos and S. L. Osborn. Current research and open problems in attribute-based access control. ACM Comput. Surv., 49(4):65:1--65:45, Jan. 2017. issn:0360-0300.

Digital Library

[28]

D. Servos and S. L. Osborn. HGAA: an architecture to support hierarchical group and attribute-based access control. In Proceedings of the Third ACM Workshop on Attribute-Based Access Control, ABAC'18, pages 1--12, New York, NY, USA. ACM, 2018.

Digital Library

[29]

D. Servos and S. L. Osborn. HGABAC: towards a formal model of hierarchical attribute-based access control. In Foundations and Practice of Security. International Symposium on Foundations and Practice of Security, Lecture Notes in Computer Science, pages 187--204. Springer, Cham, Nov. 3, 2014.

[30]

S. D. Stoller. An administrative model for relationship-based access control. In Springer Link. IFIP Annual Conference on Data and Applications Security and Privacy, pages 53--68. Springer, Cham, July 13, 2015.

[31]

M. V. Tripunitara and N. Li. A theory for comparing the expressive power of access control models. Journal of Computer Security, 15(2):231--272, Jan. 1, 2007. issn: 0926--227X.

Digital Library

[32]

F. Turkmen, J. den Hartog, S. Ranise, and N. Zannone. Formal analysis of XACML policies using SMT. Computers & Security, 66:185--203, May 1, 2017. issn: 0167--4048.

Digital Library

Cited By

Farhadighalati NEstrada-Jimenez LNikghadam-Hojjati SBarata J(2025)A Systematic Review of Access Control Models: Background, Existing Research, and ChallengesIEEE Access10.1109/ACCESS.2025.353314513(17777-17806)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3533145
Ruiz JNarendran PMasoumzadeh AIyer PNiu JVaidya J(2024)Converting Rule-Based Access Control Policies: From Complemented Conditions to Deny RulesProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657040(159-169)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3649158.3657040
Alshamsi AMaamar ZKuhail M(2023)Towards an approach for weaving Open Digital Rights Language into Role-Based Access Control2023 International Conference on IT Innovation and Knowledge Discovery (ITIKD)10.1109/ITIKD56332.2023.10100036(1-6)Online publication date: 8-Mar-2023
https://doi.org/10.1109/ITIKD56332.2023.10100036
Show More Cited By

Index Terms

Towards a Theory for Semantics and Expressiveness Analysis of Rule-Based Access Control Models
1. Security and privacy
  1. Formal methods and theory of security
    1. Formal security models
  2. Security services
    1. Access control
    2. Authorization

Recommendations

Symbolic reachability analysis for parameterized administrative role-based access control

Role-based access control (RBAC) is a widely used access control paradigm. In large organizations, the RBAC policy is managed by multiple administrators. An administrative role-based access control (ARBAC) policy specifies how each administrator may ...
Policy analysis for administrative role based access control without separate administration
Data and Applications Security

Role based access control RBAC is a widely used approach to access control with well-known advantages in managing authorization policies. This paper considers user-role reachability analysis of administrative role based access control ARBAC, which ...
Category-Based Administrative Access Control Policies
As systems evolve, security administrators need to review and update access control policies. Such updates must be carefully controlled due to the risks associated with erroneous or malicious policy changes. We propose a category-based access control (...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '21: Proceedings of the 26th ACM Symposium on Access Control Models and Technologies

June 2021

194 pages

ISBN:9781450383653

DOI:10.1145/3450569

General Chair:
Jorge Lobo
ICREA & Universitat Pompeu Fabra, Spain
,
Program Chairs:
Roberto Di Pietro
Hamad Bin Khalifa University
,
Omar Chowdhury
The University of Iowa

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 June 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT '21

Sponsor:

SIGSAC

SACMAT '21: The 26th ACM Symposium on Access Control Models and Technologies

June 16 - 18, 2021

Virtual Event, Spain

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
177
Total Downloads

Downloads (Last 12 months)24
Downloads (Last 6 weeks)3

Reflects downloads up to 27 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Farhadighalati NEstrada-Jimenez LNikghadam-Hojjati SBarata J(2025)A Systematic Review of Access Control Models: Background, Existing Research, and ChallengesIEEE Access10.1109/ACCESS.2025.353314513(17777-17806)Online publication date: 2025
https://doi.org/10.1109/ACCESS.2025.3533145
Ruiz JNarendran PMasoumzadeh AIyer PNiu JVaidya J(2024)Converting Rule-Based Access Control Policies: From Complemented Conditions to Deny RulesProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657040(159-169)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3649158.3657040
Alshamsi AMaamar ZKuhail M(2023)Towards an approach for weaving Open Digital Rights Language into Role-Based Access Control2023 International Conference on IT Innovation and Knowledge Discovery (ITIKD)10.1109/ITIKD56332.2023.10100036(1-6)Online publication date: 8-Mar-2023
https://doi.org/10.1109/ITIKD56332.2023.10100036
Baumer TMüller MPernul G(2023)System for Cross-Domain Identity Management (SCIM): Survey and Enhancement With RBACIEEE Access10.1109/ACCESS.2023.330427011(86872-86894)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3304270
Abbasi MPrieto JShahraki ACorchado J(2023)Industrial data monetization: A blockchain-based industrial IoT data trading systemInternet of Things10.1016/j.iot.2023.10095924(100959)Online publication date: Dec-2023
https://doi.org/10.1016/j.iot.2023.100959
Caserio CLonetti FMarchetti E(2022)A Formal Validation Approach for XACML 3.0 Access Control PolicySensors10.3390/s2208298422:8(2984)Online publication date: 13-Apr-2022
https://doi.org/10.3390/s22082984
Penelova M(2021)Access Control ModelsCybernetics and Information Technologies10.2478/cait-2021-004421:4(77-104)Online publication date: 1-Dec-2021
https://dl.acm.org/doi/10.2478/cait-2021-0044

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten