Visible to the public Towards Greater Expressiveness, Flexibility, and Uniformity in Access Control

TitleTowards Greater Expressiveness, Flexibility, and Uniformity in Access Control
Publication TypeConference Paper
Year of Publication2018
AuthorsJiang, Jiaming, Chirkova, Rada, Doyle, Jon, Rosenthal, Arnon
Conference NameProceedings of the 23Nd ACM on Symposium on Access Control Models and Technologies
PublisherACM
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-5666-4
Keywordsattribute-based access control, Collaboration, governance, logical models, Policy Based Governance, policy formalism, pubcrawl, security
Abstract

Attribute-based access control (ABAC) is a general access control model that subsumes numerous earlier access control models. Its increasing popularity stems from the intuitive generic structure of granting permissions based on application and domain attributes of users, subjects, objects, and other entities in the system. Multiple formal and informal languages have been developed to express policies in terms of such attributes. The utility of ABAC policy languages is potentially undermined without a properly formalized underlying model. The high-level structure in a majority of ABAC models consists of sets of tokens and sets of sets, expressions that demand that the reader unpack multiple levels of sets and tokens to determine what things mean. The resulting reduced readability potentially endangers correct expression, reduces maintainability, and impedes validation. These problems could be magnified in models that employ nonuniform representations of actions and their governing policies. We propose to avoid these magnified problems by recasting the high-level structure of ABAC models in a logical formalism that treats all actions (by users and others) uniformly and that keeps existing policy languages in place by interpreting their attributes in terms of the restructured model. In comparison to existing ABAC models, use of a logical language for model formalization, including hierarchies of types of entities and attributes, promises improved expressiveness in specifying the relationships between and requirements on application and domain attributes. A logical modeling language also potentially improves flexibility in representing relationships as attributes to support some widely used policy languages. Consistency and intelligibility are improved by using uniform means for representing different types of controlled actions--such as regular access control actions, administrative actions, and user logins--and their governing policies. Logical languages also provide a well-defined denotational semantics supported by numerous formal inference and verification tools.

URLhttps://dl.acm.org/doi/10.1145/3205977.3208950
DOI10.1145/3205977.3208950
Citation Keyjiang_towards_2018