Inference Rules for Determined Decisions in Policy-Based ABAC Enforcement Systems

Abstract

Attribute-based access control (ABAC) model manages access to resources by policies. Incoming requests must satisfy some policy to be permitted to execute. Polices and requests are based on attributes, which are basic elements for constructing four components of each one, including Subject, Environment, Resource and Action. In XACML standard, for a given request the response can be one of the following values: Permit, Deny, Not Applicable and Indeterminate. The two last values are not decisive, bring no value to the requesters. We focus on the requests received Not Applicable in this article. Modifying the polices individually or rewriting the request by reducing the resource from the original one are solutions of existing studies. We theoretically introduce inference rules, which are applied to the policy set for computing the closure of it to evaluate whether the request is responded with firmed decision of permit or deny. Our proposals guide the security administrators in building the policy set satisfying an important property called completeness - the ability to be able to give determined responses to all the possible legal requests in the real world. In addition, we find out other necessary properties of the policy set and suggest the algorithms for ensuring some of them.