I Own, I Provide, I Decide: Generalized User-Centric Access Control Framework for Web Applications

With the rapid growth of Web 2.0 technologies, users are contributing more and more content on the Internet, in the form of user profiles, blogs, reviews, etc. With this increased sharing comes a pressing need for access control policies and mechanisms to protect the users’ privacy. Access control has remained largely centralized and under the control of the web applications hosted on their servers. Moreover, most web applications either provide no or very primitive and limited access control. We argue that the owner of any piece of data on the web should be able to decide how to control access to this data. This argument should hold not only for the web applications contributing data, but also for the contributing users. In other words, users should be able to choose their own access control models to control the sharing of their data independent of the underlying applications of their data. In this work, we present a novel framework, called xAccess, for providing generic access control that empowers users to control how they want their data to be accessed. Such a control could be in the form of user-defined access categories, or in the form of new access control models built on top of our framework. On one hand, xAccess enables individual users to use a single unified access control across multiple web applications; and on the other hand, it allows an application to support different access control models deployed by its users with a single model abstraction. We demonstrate the viability of our design by means of a platform prototype. The usability of the platform is further evaluated by developing sample applications using the xAccess APIs. Our results show that our model incurs minimum overhead in enforcing the generic access control and requires negligible changes to the application code for deployment.

[1]  Ravi S. Sandhu,et al.  How to do discretionary access control using roles , 1998, RBAC '98.

[2]  Frank Wm. Tompa,et al.  User-Managed Access Control for Health Care Systems , 2005, Secure Data Management.

[3]  Ninghui Li,et al.  Resiliency Policies in Access Control , 2009, TSEC.

[4]  Ninghui Li,et al.  On safety in discretionary access control , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[5]  Elisa Bertino,et al.  Purpose based access control of complex data for privacy protection , 2005, SACMAT '05.

[6]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[7]  Andrew C. Simpson,et al.  On the need for user-defined fine-grained access control policies for social networking applications , 2008, SOSOC '08.

[8]  Alec Wolman,et al.  Lockr: social access control for web 2.0 , 2008, WOSN '08.

[9]  Messaoud Benantar,et al.  Access Control Systems: Security, Identity Management and Trust Models , 2005 .

[10]  Ninghui Li,et al.  Administration in role-based access control , 2007, ASIACCS '07.

[11]  Barbara Carminati,et al.  Enforcing access control in Web-based social networks , 2009, TSEC.

[12]  D. Richard Kuhn,et al.  Role-Based Access Control ( RBAC ) : Features and Motivations , 2014 .

[13]  Rob Johnson,et al.  More Content - Less Control: Access Control in the Web 2.0 , 2006 .

[14]  Elisa Bertino,et al.  An Authorization Model for a Distributed Hypertext System , 1996, IEEE Trans. Knowl. Data Eng..

[15]  Ye Du,et al.  Configuring RBAC to Simulate Bell Model , 2008, 2008 International Conference on Intelligent Information Hiding and Multimedia Signal Processing.

[16]  Trent Jaeger,et al.  Protecting users from "themselves" , 2007, CSAW '07.

[17]  Ben Shneiderman,et al.  Designing the User Interface: Strategies for Effective Human-Computer Interaction , 1998 .

[18]  Jianping Fan,et al.  A hierarchical access control model for video database systems , 2003, TOIS.

[19]  David R. Kuhn,et al.  Role-Based Access Control (RBAC): Features and Motivations | NIST , 1995 .

[20]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[21]  Ravi S. Sandhu,et al.  Configuring role-based access control to enforce mandatory and discretionary access control policies , 2000, TSEC.

[22]  Elisa Bertino,et al.  Access control enforcement for conversation-based web services , 2006, WWW '06.

[23]  Sabrina De Capitani di Vimercati,et al.  A fine-grained access control system for XML documents , 2002, TSEC.

[24]  Ravi S. Sandhu,et al.  ROBAC: Scalable Role and Organization Based Access Control Models , 2006, 2006 International Conference on Collaborative Computing: Networking, Applications and Worksharing.

[25]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.