{"title":"Interoperability of Relationship- and Role-Based Access Control","authors":"Syed Zain R. Rizvi, Philip W. L. Fong","doi":"10.1145/2857705.2857706","DOIUrl":null,"url":null,"abstract":"Relationship-Based Access Control (ReBAC) was recently proposed as a general-purpose, application-layer access control paradigm, such that authorization decisions are based on the relationship between the access requestor and the resource owner. A first, large-scale implementation of ReBAC in an open-source medical records system was recently attempted by Rizvi et al. In this work, we extend the ReBAC model of Rizvi et al. to support fine-grained interoperability between the ReBAC model and legacy Role-Based Access Control (RBAC) models. This is achieved by the introduction of the notion of demarcations as well as an authorization-time constraint system. Also presented are the design of two authorization algorithms (one of which has an algorithmic structure akin to an SMT solver), their optimization via memoization, and the empirical evaluation of their performances.","PeriodicalId":377412,"journal":{"name":"Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy","volume":"19 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-03-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2857705.2857706","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 12
Abstract
Relationship-Based Access Control (ReBAC) was recently proposed as a general-purpose, application-layer access control paradigm, such that authorization decisions are based on the relationship between the access requestor and the resource owner. A first, large-scale implementation of ReBAC in an open-source medical records system was recently attempted by Rizvi et al. In this work, we extend the ReBAC model of Rizvi et al. to support fine-grained interoperability between the ReBAC model and legacy Role-Based Access Control (RBAC) models. This is achieved by the introduction of the notion of demarcations as well as an authorization-time constraint system. Also presented are the design of two authorization algorithms (one of which has an algorithmic structure akin to an SMT solver), their optimization via memoization, and the empirical evaluation of their performances.