Abductive Analysis of Administrative Policies in Rule-Based Access Control

In large organizations, access control policies are managed by multiple users (administrators). An administrative policy specifies how each user in an enterprise may change the policy. Fully understanding the consequences of an administrative policy in an enterprise system can be difficult, because of the scale and complexity of the access control policy and the administrative policy, and because sequences of changes by different users may interact in unexpected ways. Administrative policy analysis helps by answering questions such as user-permission reachability, which asks whether specified users can together change the policy in a way that achieves a specified goal, namely, granting a specified permission to a specified user. This paper presents a rule-based access control policy language, a rule-based administrative policy model that controls addition and removal of facts and rules, and an abductive analysis algorithm for user-permission reachability. Abductive analysis means that the algorithm can analyze policy rules even if the facts initially in the policy (e.g., information about users) are unavailable. The algorithm does this by computing minimal sets of facts that, if present in the initial policy, imply reachability of the goal.
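To make "minimal sets of facts that, if present in the initial policy, imply reachability of the goal" concrete, here is an added illustration; it is not the paper's algorithm or code. It assumes ground (variable-free) rules, administrators who may only add facts, and no negation, fact removal or rule changes; every rule, user and fact name is constructed for the example.

```python
from itertools import product

# Constructed access control policy: head holds if all body atoms hold.
RULES = [
    ("permit(bob,read,report)", ["role(bob,auditor)", "cleared(bob)"]),
    ("role(bob,auditor)", ["role(bob,senior_auditor)"]),
    ("cleared(bob)", ["role(bob,senior_auditor)"]),
]
# Constructed administrative policy: (admin, fact they may add, preconditions).
ADMIN_ADD = [
    ("alice", "role(bob,auditor)", ["role(alice,manager)"]),
    ("carol", "cleared(bob)", ["role(carol,hr)"]),
]
# Facts that may or may not be present in the unavailable initial policy.
ABDUCIBLES = {"role(alice,manager)", "role(carol,hr)",
              "role(bob,senior_auditor)", "cleared(bob)"}


def minimize(sets):
    """Keep only the subset-minimal fact sets."""
    return {s for s in sets if not any(t < s for t in sets)}


def explain(goal, admins, path=frozenset()):
    """Minimal sets of initial facts from which `admins` can make `goal` hold."""
    if goal in path:  # a proof that revisits an atom is never minimal
        return set()
    path = path | {goal}
    found = {frozenset([goal])} if goal in ABDUCIBLES else set()
    # A permitted "add fact" action acts like a rule: preconditions -> fact.
    bodies = [body for head, body in RULES if head == goal]
    bodies += [pre for a, fact, pre in ADMIN_ADD if fact == goal and a in admins]
    for body in bodies:
        parts = [explain(atom, admins, path) for atom in body]
        # Pick one explanation per body atom and union them; an atom with
        # no explanation makes the product empty, so the body contributes none.
        for combo in product(*parts):
            found.add(frozenset().union(*combo))
    return minimize(found)


if __name__ == "__main__":
    for facts in explain("permit(bob,read,report)", {"alice", "carol"}):
        print(sorted(facts))
```

With alice and carol acting together, three minimal initial fact sets make the goal reachable; with no administrators acting, only `role(bob,senior_auditor)` does.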

Puneet Gupta, et al. Abductive Analysis of Administrative Policies in Rule-Based Access Control, 2014, IEEE Trans. Dependable Secur. Comput.