From Access Control Models to Access Control Metamodels: A Survey

Access control (AC) is a computer security requirement used to control, in a computing environment, what a user can access, when, and how. Policy administration is an essential feature of an AC system. Because computers now number in the hundreds of millions, and because organizations differ in their requirements, applications, and needs, various AC models have been presented in the literature, such as Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). These models are used to implement organizational policies that prevent the unauthorized disclosure of sensitive data, protect data integrity, and enable secure access to and sharing of information. Each AC model has its own methods for making AC decisions and enforcing policy. However, given the diversity of AC models and their various concerns and restrictions, it is essential to find AC metamodels with a higher level of abstraction. Access control metamodels serve as a unifying framework for specifying any AC policy and should ease the migration from one AC model to another. This study reviews existing work on metamodel descriptions and representations. But are the presented metamodels sufficient to handle the needed target of controlling access, especially in the presence of current information technologies? Do they encompass all features of other AC models? In this paper we present a survey of AC metamodels.
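As an added illustration of the unifying role the abstract attributes to metamodels (constructed example code, not from the paper or from any of the surveyed metamodels), the following Python sketch treats roles, clearance levels and object ownership uniformly as categories, so that RBAC, MAC and DAC policies become instances of one structure checked by a single authorization function. The class, method and policy names are assumptions.

```python
from collections import deque

class AccessControlMetamodel:
    """Constructed metamodel: roles, clearance labels and owners are all categories."""
    def __init__(self):
        self.assignments = {}  # principal -> set of categories
        self.permissions = {}  # category -> set of (action, resource)
        self.hierarchy = {}    # senior category -> set of junior categories

    def assign(self, principal, category):
        self.assignments.setdefault(principal, set()).add(category)

    def grant(self, category, action, resource):
        self.permissions.setdefault(category, set()).add((action, resource))

    def inherits(self, senior, junior):
        self.hierarchy.setdefault(senior, set()).add(junior)

    def effective_categories(self, principal):
        # transitive closure over the hierarchy: seniors inherit juniors' permissions
        seen, todo = set(), deque(self.assignments.get(principal, ()))
        while todo:
            cat = todo.popleft()
            if cat not in seen:
                seen.add(cat)
                todo.extend(self.hierarchy.get(cat, ()))
        return seen

    def authorized(self, principal, action, resource):
        return any((action, resource) in self.permissions.get(cat, ())
                   for cat in self.effective_categories(principal))

def build_policy():
    m = AccessControlMetamodel()
    # RBAC: role hierarchy doctor > staff, permissions attached to roles
    m.inherits("role:doctor", "role:staff")
    m.grant("role:staff", "read", "schedule")
    m.grant("role:doctor", "write", "chart")
    m.assign("alice", "role:doctor")
    # MAC (confidentiality, no read-up): clearance levels form an ordered chain
    m.inherits("level:secret", "level:confidential")
    m.inherits("level:confidential", "level:public")
    m.grant("level:secret", "read", "doc:secret")
    m.grant("level:public", "read", "doc:public")
    m.assign("bob", "level:secret")
    m.assign("carol", "level:public")
    # DAC: ownership of an object is a per-object category the owner controls
    m.grant("owner:file1", "write", "file1")
    m.assign("dave", "owner:file1")
    return m
```

Migrating a policy between models then amounts to re-labelling categories rather than changing the decision function, which is the ease of migration the abstract asks of a metamodel.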
