ABSTRACT
Attribute-based access control (ABAC) has attracted considerable interest in recent years, prompting the development of the standardized XML-based language XACML. ABAC policies written in languages like XACML have a tree-like structure, where leaf nodes are associated with authorization decisions and non-leaf nodes are associated with decision-combining algorithms. However, it may be difficult in XACML to construct a given policy due to the tree-structured nature of XACML and the way in which combining algorithms are defined. Furthermore, there is limited control over how requests are evaluated with respect to targets.
In this paper, we introduce the notion of an attribute expression, which generalizes the notion of a target, and show how attribute expressions are used to specify policies in tabular form. We demonstrate why representing policies in this manner is convenient, intuitive and flexible for policy authors, and provide a method for automatically compiling policy tables into machine-enforceable policies. Thus, we bridge the gap between a policy representation that is convenient for end-users and a policy that can be enforced by a PDP. We then describe various methods to reduce the size of policy tables.
In addition, we compare our language with XACML, highlighting various shortcomings of XACML and demonstrating how to express XACML policies in a tabular form. We then show how policy tables can be used as leaf nodes in a tree-structured language, providing a modular method for constructing enterprise-wide policies. Finally, we show how attribute expressions and policy tables can be used to make role-based access control and access control lists "attribute-aware".
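As an added illustration (example code, not the paper's own definitions of attribute expressions or policy tables, nor its compilation method), the Python below evaluates a small policy table whose rows pair an attribute expression with a decision, lets each row say how a missing attribute is treated, and then uses the table as a leaf under a tree node with a combining algorithm. The hospital-records attributes, the sample requests, the row format and the simplified deny-overrides / permit-overrides rules (XACML 3.0's Indeterminate variants are collapsed into one value) are all assumptions made for the example.

```python
"""Tabular ABAC policy evaluated as a leaf of a tree of combining nodes.

Added example, not the paper's code. Attribute names, requests, row format
and the simplified combining algorithms below are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Sequence, Union


class Decision(str, Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NA = "NotApplicable"
    INDETERMINATE = "Indeterminate"


# An attribute expression is a predicate over the request's attributes.
# It returns None (not False) when an attribute it needs is absent, so the
# policy author, not the evaluator, decides what a missing attribute means.
AttrExpr = Callable[[dict], Optional[bool]]


def attr_is(name: str, *values) -> AttrExpr:
    """True if the named attribute is one of `values`; None if it is absent."""
    return lambda req: None if name not in req else req[name] in values


def both(*exprs: AttrExpr) -> AttrExpr:
    """Conjunction over three values: any False wins, then any None, else True."""
    def f(req):
        rs = [e(req) for e in exprs]
        if False in rs:
            return False
        return None if None in rs else True
    return f


@dataclass
class Row:
    expr: AttrExpr
    decision: Decision
    # True: an undefined expression yields Indeterminate, as a XACML target with
    # a missing attribute would. False: the row simply does not match.
    missing_is_error: bool = True


Combiner = Callable[[Sequence[Decision]], Decision]


def deny_overrides(ds: Sequence[Decision]) -> Decision:
    """Simplified XACML deny-overrides: Deny > Indeterminate > Permit > NA."""
    for d in (Decision.DENY, Decision.INDETERMINATE, Decision.PERMIT):
        if d in ds:
            return d
    return Decision.NA


def permit_overrides(ds: Sequence[Decision]) -> Decision:
    """Simplified XACML permit-overrides: Permit > Indeterminate > Deny > NA."""
    for d in (Decision.PERMIT, Decision.INDETERMINATE, Decision.DENY):
        if d in ds:
            return d
    return Decision.NA


@dataclass
class Table:
    rows: list
    combine: Combiner = deny_overrides

    def evaluate(self, req: dict) -> Decision:
        ds = []
        for row in self.rows:
            m = row.expr(req)
            if m is True:
                ds.append(row.decision)
            elif m is None and row.missing_is_error:
                ds.append(Decision.INDETERMINATE)
            else:
                ds.append(Decision.NA)
        return self.combine(ds)


@dataclass
class Node:
    """Tree node: a target expression, children (tables or nodes), a combiner."""
    target: AttrExpr
    children: list
    combine: Combiner = deny_overrides

    def evaluate(self, req: dict) -> Decision:
        t = self.target(req)
        if t is None:
            return Decision.INDETERMINATE
        if t is False:
            return Decision.NA
        return self.combine([c.evaluate(req) for c in self.children])


def build_policy(table_combine: Combiner = deny_overrides) -> Node:
    """Hypothetical records policy: a table under a node scoped to resource=record."""
    records = Table(rows=[
        Row(both(attr_is("role", "doctor"), attr_is("action", "read", "write")), Decision.PERMIT),
        Row(both(attr_is("role", "nurse"), attr_is("action", "read")), Decision.PERMIT),
        # Break-glass row: a request without the attribute just does not match.
        Row(attr_is("emergency", True), Decision.PERMIT, missing_is_error=False),
        # Deny-relevant attribute: if it could not be fetched, fail closed.
        Row(attr_is("suspended", True), Decision.DENY),
    ], combine=table_combine)
    return Node(target=attr_is("resource", "record"), children=[records])


def decide(req: dict, table_combine: Combiner = deny_overrides) -> str:
    return build_policy(table_combine).evaluate(req).value


if __name__ == "__main__":
    # Constructed sample requests (not from the paper).
    print(decide({"role": "doctor", "action": "write", "suspended": False, "resource": "record"}))
    print(decide({"role": "nurse", "action": "read", "resource": "record"}))  # no 'suspended'
```

With deny-overrides the nurse's read request is Indeterminate because the `suspended` attribute is missing and that row is marked `missing_is_error=True`; flipping the flag or switching the table to `permit_overrides` changes the outcome without touching the tree, which is the kind of per-row control over target evaluation the abstract says XACML lacks.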
Index Terms
- Attribute Expressions, Policy Tables and Attribute-Based Access Control
Recommendations
Towards a Top-down Policy Engineering Framework for Attribute-based Access Control
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies
Attribute-based access control (ABAC) is a logical access control methodology where authorization to perform a set of operations is based on attributes of the user, the objects being accessed, the environment, and a number of other attribute sources ...

Mining Positive and Negative Attribute-Based Access Control Policy Rules
SACMAT '18: Proceedings of the 23rd ACM on Symposium on Access Control Models and Technologies
Mining access control policies can reduce the burden of adopting more modern access control models by automating the process of generating policies based on existing authorization information in a system. Previous work in this area has focused on mining ...

On Completeness in Languages for Attribute-Based Access Control
SACMAT '16: Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies
Attribute-based access control (ABAC) has attracted considerable interest in recent years, resulting in an extensive literature on the subject, including the standardized XML-based language XACML. ABAC policies written in languages like XACML have a ...