Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy

There are two major techniques for specifying authorization policies in Attribute Based Access Control (ABAC) models. The more conventional approach is to define policies by using logical formulas involving attribute values. Examples in this category include ABAC, HGABAC and XACML. The alternate technique for expressing policies is by enumeration. Policy Machine (PM) and 2-sorted-RBAC fall into the later category. In this paper, we present an ABAC model named LaBAC (Label-Based Access Control) which adopts the enumerated style for expressing authorization policies. LaBAC can be viewed as a particularly simple instance of the PolicyMachine. LaBAC uses one user attribute (uLabel) and one object attribute (oLabel). An authorization policy in LaBAC for an action is an enumeration using these two attributes. Thus, LaBAC can be considered as a bare minimum ABAC model. We show equivalence of LaBAC and 2-sorted-RBAC with respect to theoretical expressive power. Furthermore, we show how to configure the traditional RBAC (Role-Based Access Control) and LBAC (Lattice-Based Access Control) models in LaBAC to illustrate its expressiveness.

[1]  Vijayalakshmi Atluri,et al.  The Policy Machine: A novel architecture and framework for access control policy specification and enforcement , 2011, J. Syst. Archit..

[2]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[3]  Xin Jin,et al.  A role-based administration model for attributes , 2012, SRAS '12.

[4]  Mary Ellen Zurko,et al.  Separation of duty in role-based environments , 1997, Proceedings 10th Computer Security Foundations Workshop.

[5]  Ravi S. Sandhu,et al.  A model for attribute-based user-role assignment , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[6]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[7]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[8]  Xin Jin,et al.  A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC , 2012, DBSec.

[9]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[10]  Sylvia L. Osborn,et al.  HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control , 2014, FPS.

[11]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[12]  D. Richard Kuhn,et al.  Attribute-Based Access Control , 2017, Computer.

[13]  David F. Ferraiolo,et al.  Guide to Attribute Based Access Control (ABAC) Definition and Considerations , 2014 .

[14]  P. Samarati,et al.  Access control: principle and practice , 1994, IEEE Communications Magazine.

[15]  Fan Hong,et al.  An Attribute-Based Access Control Model for Web Services , 2006, PDCAT.

[16]  Ian T. Foster,et al.  A Flexible Attribute Based Access Control Method for Grid Computing , 2008, Journal of Grid Computing.

[17]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[18]  D. Richard Kuhn,et al.  Adding Attributes to Role-Based Access Control , 2010, Computer.

[19]  Wouter Kuijper,et al.  Sorting out role based access control , 2014, SACMAT '14.

[20]  Sushil Jajodia,et al.  A logic-based framework for attribute based access control , 2004, FMSE '04.

[21]  Karen A. Scarfone,et al.  Guidelines for Access Control System Evaluation Metrics , 2012 .

[22]  Ninghui Li,et al.  Comparing the expressive power of access control models , 2004, CCS '04.

[23]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.