Saptarshi Das, S. Sural, Jaideep Vaidya, V. Atluri
Title: Policy Adaptation in Attribute-Based Access Control for Inter-Organizational Collaboration
Published in: 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC), 2017-10-01
DOI: 10.1109/CIC.2017.00028 (https://doi.org/10.1109/CIC.2017.00028)
Citations: 6
Abstract
In Attribute-Based Access Control (ABAC), attributes are defined as characteristics of subjects, objects, and the environment, and access is granted or denied based on the values of these attributes. With an increasing number of organizations showing interest in migrating to ABAC, it is imperative that algorithmic techniques be developed to facilitate the process. While the traditional ABAC policy mining approaches support the development of an ABAC policy from existing Discretionary Access Control (DAC) or Role-Based Access Control (RBAC) systems, they do not handle adaptation to the policy of a similar organization. As the policy itself need not be developed ab initio in this process, it provides agility and a faster migration path, especially for organizations participating in collaborative sharing of data. With the set of objects and their attributes given, along with an access control policy to be adapted to, the problem is to determine an optimal assignment of attributes to subjects so that a set of desired accesses can be granted. Here, optimality is measured in the number of ABAC rules the subjects would need to use to gain access to various objects. Such an approach not only assists collaboration between organizations, but also ensures efficient evaluation of rules during policy enforcement. We show that the optimal policy adaptation problem is NP-Complete and present a heuristic solution.