DOI: 10.1145/3450569.3464397

Demo: Attribute-Stream-Based Access Control (ASBAC) with the Streaming Attribute Policy Language (SAPL)

Published: 11 June 2021

Abstract

Traditional Attribute-Based Access Control (ABAC) implementations use a request-response protocol: one authorization request yields one decision. In stateful, session-based applications this forces the client to poll the policy decision point (PDP) and the policy information points (PIPs) referenced by policies, with the well-known trade-off between polling frequency and the latency with which attribute or policy changes become known to the client. Attribute-Stream-Based Access Control (ASBAC) is an authorization model built on a publish-subscribe protocol: a single authorization subscription yields a stream of decisions that is updated dynamically as the underlying streams of attribute values, policies, and PDP configuration change. This demonstration shows the basic architecture of ASBAC-based systems and how the model is implemented by the Streaming Attribute Policy Language (SAPL) and its engine, which is available as open source for security researchers and practitioners. First, the overall architecture of the engine is introduced, followed by a short demo of the publish-subscribe protocol. Afterwards, several key features of SAPL are demonstrated in an authoring and administration environment. Next, a full-stack web application employing SAPL is demonstrated, showing how Policy Enforcement Points (PEPs) are established. The demonstration concludes with a demo of the SAPL tools for testing policies and calculating test metrics on policies.
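As an added illustration of the subscription model the abstract describes (this is not code from the SAPL engine or from the paper), the following Python sketch models a PDP that accepts one authorization subscription and pushes a fresh decision whenever a PIP attribute or the policy set changes, emitting only when the decision actually differs from the last one. The class and attribute names, the deny-overrides combining rule, and the hospital scenario are assumptions made for this example; the decision vocabulary (PERMIT, DENY, NOT_APPLICABLE) is borrowed from XACML.

```python
"""Toy attribute-stream-based PDP. Added illustration, not the SAPL engine."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "PERMIT", "DENY", "NOT_APPLICABLE"


@dataclass(frozen=True)
class AuthorizationSubscription:
    """Who wants to do what to which resource (hypothetical field set)."""
    subject: str
    action: str
    resource: str


# A policy returns PERMIT or DENY, or None when it does not apply.
Policy = Callable[[AuthorizationSubscription, Dict[str, object]], Optional[str]]


class PolicyInformationPoint:
    """Attribute source that pushes changes to listeners instead of being polled."""

    def __init__(self, initial: Dict[str, object]) -> None:
        self.values: Dict[str, object] = dict(initial)
        self._listeners: List[Callable[[], None]] = []

    def on_change(self, callback: Callable[[], None]) -> None:
        self._listeners.append(callback)

    def update(self, key: str, value: object) -> None:
        self.values[key] = value
        for callback in list(self._listeners):
            callback()


class StreamingPDP:
    """Evaluates each subscription once, then re-emits on attribute or policy changes."""

    def __init__(self, policies: List[Policy], pip: PolicyInformationPoint) -> None:
        self.policies = list(policies)
        self.pip = pip
        # Each entry: [subscription, sink, last decision emitted to that sink].
        self._subscriptions: List[list] = []
        pip.on_change(self._reevaluate_all)

    def decide(self, sub: AuthorizationSubscription) -> str:
        # Assumed deny-overrides combining: any DENY wins, then any PERMIT.
        results = [policy(sub, self.pip.values) for policy in self.policies]
        if DENY in results:
            return DENY
        if PERMIT in results:
            return PERMIT
        return NOT_APPLICABLE

    def subscribe(self, sub: AuthorizationSubscription,
                  sink: Callable[[str], None]) -> None:
        """One subscription opens a decision stream delivered through `sink`."""
        decision = self.decide(sub)
        sink(decision)
        self._subscriptions.append([sub, sink, decision])

    def update_policies(self, policies: List[Policy]) -> None:
        """Hot-swapping the policy set is itself an event on the decision streams."""
        self.policies = list(policies)
        self._reevaluate_all()

    def _reevaluate_all(self) -> None:
        for entry in self._subscriptions:
            sub, sink, last = entry
            decision = self.decide(sub)
            if decision != last:  # distinct-until-changed: no redundant emissions
                entry[2] = decision
                sink(decision)


# Two hypothetical policies over a constructed hospital scenario.
def doctor_on_duty(sub: AuthorizationSubscription, attrs: Dict[str, object]) -> Optional[str]:
    if (sub.action == "read" and sub.resource.startswith("patient/")
            and attrs.get(f"role:{sub.subject}") == "doctor"):
        return PERMIT if attrs.get(f"on_duty:{sub.subject}") else None
    return None


def lockdown(sub: AuthorizationSubscription, attrs: Dict[str, object]) -> Optional[str]:
    return DENY if attrs.get("ward:lockdown") else None


def run_demo() -> List[str]:
    """Returns the decisions one subscriber receives as attributes and policies change."""
    pip = PolicyInformationPoint(
        {"role:alice": "doctor", "on_duty:alice": True, "ward:lockdown": False})
    pdp = StreamingPDP([doctor_on_duty, lockdown], pip)
    emitted: List[str] = []
    pdp.subscribe(AuthorizationSubscription("alice", "read", "patient/42"), emitted.append)
    pip.update("on_duty:alice", False)     # shift ends: policy no longer applies
    pip.update("ward:lockdown", True)      # lockdown: DENY pushed immediately
    pip.update("on_duty:alice", True)      # still DENY, so nothing is emitted
    pdp.update_policies([doctor_on_duty])  # lockdown rule removed: back to PERMIT
    return emitted


if __name__ == "__main__":
    print(run_demo())
```

Compared with polling, the subscriber learns of the lockdown in the same call that updates the PIP and receives nothing while no decision changes. A PEP consuming such a stream must also act on later decisions, for example by ending a session when a DENY arrives after an initial PERMIT, which is what makes establishing PEPs in a stateful application different from the one-shot ABAC case.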


Cited By

  • (2024) A Study of Attribute-Based Access Control (ABAC) Languages: A Real-World Perspective. 2024 International Conference on Computational Intelligence and Network Systems (CINS), pp. 1-9. DOI: 10.1109/CINS63881.2024.10864398. Online publication date: 28 Nov 2024.
  • (2021) Access Control Models. Cybernetics and Information Technologies 21(4), pp. 77-104. DOI: 10.2478/cait-2021-0044. Online publication date: 1 Dec 2021.

Published In

SACMAT '21: Proceedings of the 26th ACM Symposium on Access Control Models and Technologies
June 2021, 194 pages
ISBN: 9781450383653
DOI: 10.1145/3450569

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. access control
2. attribute-based access control
3. data streams
4. data structures
5. policy languages

Qualifiers

• Demonstration

Conference

SACMAT '21

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%
