ABAC with Group Attributes and Attribute Hierarchies Utilizing the Policy Machine

ABAC '17. Pub Date: 2017-03-24. DOI: 10.1145/3041048.3041053
Smriti Bhatt, Farhan Patwa, R. Sandhu
Citation count: 30

Abstract

Attribute-Based Access Control (ABAC) has received significant attention in recent years, although the concept has been around for over two decades now. Many ABAC models, with different variations, have been proposed and formalized. Besides basic ABAC models, there are models designed with additional capabilities such as group attributes, group and attribute hierarchies and so on. Hierarchical relationships among groups and attributes enhance access control flexibility and facilitate attribute management and administration. However, implementation and demonstration of ABAC models in real-world applications is still lacking. In this paper, we present a restricted HGABAC (rHGABAC) model with user and object groups and group hierarchy. We then introduce attribute hierarchies in this model. We also present an authorization architecture for implementing rHGABAC utilizing the NIST Policy Machine (PM). PM allows attribute-based access control policies to be defined; however, the attributes in PM are different in nature from the attributes in typical ABAC models, which are name-value pairs. We identify a policy configuration mechanism for our proposed model employing PM capabilities, and demonstrate use cases and their configuration and implementation in PM using our authorization architecture.