Towards Greater Expressiveness, Flexibility, and Uniformity in Access Control
Title | Towards Greater Expressiveness, Flexibility, and Uniformity in Access Control |
Publication Type | Conference Paper |
Year of Publication | 2018 |
Authors | Jiang, Jiaming, Chirkova, Rada, Doyle, Jon, Rosenthal, Arnon |
Conference Name | Proceedings of the 23Nd ACM on Symposium on Access Control Models and Technologies |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-5666-4 |
Keywords | attribute-based access control, Collaboration, governance, logical models, Policy Based Governance, policy formalism, pubcrawl, security |
Abstract | Attribute-based access control (ABAC) is a general access control model that subsumes numerous earlier access control models. Its increasing popularity stems from the intuitive generic structure of granting permissions based on application and domain attributes of users, subjects, objects, and other entities in the system. Multiple formal and informal languages have been developed to express policies in terms of such attributes. The utility of ABAC policy languages is potentially undermined without a properly formalized underlying model. The high-level structure in a majority of ABAC models consists of sets of tokens and sets of sets, expressions that demand that the reader unpack multiple levels of sets and tokens to determine what things mean. The resulting reduced readability potentially endangers correct expression, reduces maintainability, and impedes validation. These problems could be magnified in models that employ nonuniform representations of actions and their governing policies. We propose to avoid these magnified problems by recasting the high-level structure of ABAC models in a logical formalism that treats all actions (by users and others) uniformly and that keeps existing policy languages in place by interpreting their attributes in terms of the restructured model. In comparison to existing ABAC models, use of a logical language for model formalization, including hierarchies of types of entities and attributes, promises improved expressiveness in specifying the relationships between and requirements on application and domain attributes. A logical modeling language also potentially improves flexibility in representing relationships as attributes to support some widely used policy languages. Consistency and intelligibility are improved by using uniform means for representing different types of controlled actions--such as regular access control actions, administrative actions, and user logins--and their governing policies. Logical languages also provide a well-defined denotational semantics supported by numerous formal inference and verification tools. |
URL | https://dl.acm.org/doi/10.1145/3205977.3208950 |
DOI | 10.1145/3205977.3208950 |
Citation Key | jiang_towards_2018 |