Authrule: A Generic Rule-Based Authorization Module

As part of the access control process, an authorization decision must be taken on the basis of a certain authorization model. Depending on the environment, different models are applicable (e.g., RBAC in organizations, MAC in the military field). An authorization model contains all elements needed for the decision (e.g., subjects, objects, and roles) as well as their relations. As these elements are usually built into the software architecture of an access control module, such modules limit themselves to one specific authorization model, and a later change of the model consequently requires substantial effort to revise the module's software architecture. Rule-based systems are well suited to representing authorization models, by mapping them to facts and rules that can be modified in a flexible manner. In this paper we present a generic authorization module, which takes authorization decisions on the basis of arbitrary models utilizing rule-based technology. The implementation of the popular RBAC and ABAC (attribute-based access control) models is demonstrated.
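
The following is an added illustration of the idea in the abstract, not Authrule's own code: a small forward-chaining rule engine in which the engine itself knows nothing about subjects, roles or attributes, and an authorization model is supplied purely as facts and rules. The same engine is then loaded once with an RBAC model (user-role assignment, a role hierarchy, permission-role assignment) and once with an ABAC model (subject and object attributes compared by a rule), so switching models means swapping the rule set rather than the module. All users, roles, objects and attribute values are constructed sample data; the predicate names (`ua`, `rh`, `pa`, `attr`, `permit`) and the `?variable` syntax are my own conventions and are not taken from the paper.

```python
"""Tiny forward-chaining rule engine: authorization models as facts and rules.

Added example, not Authrule's code. Atoms are tuples; terms starting with
'?' are variables, everything else is a constant. A body atom whose first
element is callable is a built-in test evaluated on the bound arguments.
"""


class RuleEngine:
    def __init__(self):
        self.facts = set()   # ground atoms
        self.rules = []      # (head, [body atoms]) in Horn-clause form

    def fact(self, *atom):
        self.facts.add(tuple(atom))

    def rule(self, head, *body):
        self.rules.append((tuple(head), [tuple(b) for b in body]))

    @staticmethod
    def _is_var(term):
        return isinstance(term, str) and term.startswith("?")

    def _unify(self, pattern, fact, binding):
        """Return an extended binding if pattern matches fact, else None."""
        if len(pattern) != len(fact):
            return None
        b = dict(binding)
        for p, f in zip(pattern, fact):
            if self._is_var(p):
                if p in b and b[p] != f:
                    return None
                b[p] = f
            elif p != f:
                return None
        return b

    def _matches(self, body, binding):
        """Yield every binding that satisfies all body atoms (a conjunction)."""
        if not body:
            yield binding
            return
        first, rest = body[0], body[1:]
        if callable(first[0]):
            # built-in test: arguments must already be bound by earlier atoms
            args = [binding.get(t, t) for t in first[1:]]
            if first[0](*args):
                yield from self._matches(rest, binding)
            return
        for f in self.facts:
            nb = self._unify(first, f, binding)
            if nb is not None:
                yield from self._matches(rest, nb)

    def saturate(self):
        """Forward-chain until no rule derives a new fact."""
        changed = True
        while changed:
            changed = False
            for head, body in self.rules:
                for b in list(self._matches(body, {})):
                    derived = tuple(b.get(t, t) for t in head)
                    if derived not in self.facts:
                        self.facts.add(derived)
                        changed = True
        return self

    def query(self, *atom):
        """Deny by default: True only if the atom is derivable from the model."""
        return tuple(atom) in self.saturate().facts


def rbac_engine():
    """RBAC model as facts and rules (sample data is constructed)."""
    e = RuleEngine()
    e.fact("ua", "alice", "manager")            # user-role assignment
    e.fact("ua", "bob", "clerk")
    e.fact("rh", "manager", "clerk")            # role hierarchy: manager inherits clerk
    e.fact("pa", "clerk", "read", "ledger")     # permission-role assignment
    e.fact("pa", "manager", "approve", "ledger")
    e.rule(("has_role", "?u", "?r"), ("ua", "?u", "?r"))
    e.rule(("has_role", "?u", "?r2"), ("has_role", "?u", "?r1"), ("rh", "?r1", "?r2"))
    e.rule(("permit", "?u", "?a", "?o"), ("has_role", "?u", "?r"), ("pa", "?r", "?a", "?o"))
    return e


def abac_engine():
    """ABAC model: same engine, different facts and rules (sample data is constructed)."""
    e = RuleEngine()
    e.fact("attr", "alice", "dept", "finance")
    e.fact("attr", "alice", "clearance", 3)
    e.fact("attr", "bob", "dept", "finance")
    e.fact("attr", "bob", "clearance", 1)
    e.fact("attr", "ledger", "dept", "finance")
    e.fact("attr", "ledger", "classification", 2)
    e.fact("attr", "memo", "dept", "hr")
    e.fact("attr", "memo", "classification", 1)
    # read is permitted when subject and object share a department and the
    # subject's clearance dominates the object's classification
    e.rule(("permit", "?s", "read", "?o"),
           ("attr", "?s", "dept", "?d"), ("attr", "?o", "dept", "?d"),
           ("attr", "?s", "clearance", "?c"), ("attr", "?o", "classification", "?k"),
           (lambda c, k: c >= k, "?c", "?k"))
    return e


def is_permitted(engine, subject, action, obj):
    return engine.query("permit", subject, action, obj)


if __name__ == "__main__":
    print(is_permitted(rbac_engine(), "alice", "read", "ledger"))   # True via inherited clerk role
    print(is_permitted(rbac_engine(), "bob", "approve", "ledger"))  # False
    print(is_permitted(abac_engine(), "bob", "read", "ledger"))     # False, clearance too low
```

Two design points matter for a module like this. First, the decision is deny-by-default: `query` answers True only if `permit(...)` is derivable, so a missing or mistyped fact fails closed rather than open. Second, the engine has no notion of "role" or "attribute"; those appear only in the loaded facts and rules, which is exactly what lets the RBAC and ABAC models above share one implementation.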