Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support

Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies Pub Date : 2016-06-06 DOI:10.1145/2914642.2914655

Yuan Cheng, K. Bijon, R. Sandhu

{"title":"Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support","authors":"Yuan Cheng, K. Bijon, R. Sandhu","doi":"10.1145/2914642.2914655","DOIUrl":null,"url":null,"abstract":"Relationship-based access control (ReBAC) has been widely studied and applied in the domain of online social networks, and has since been extended to domains beyond social. Using ReBAC itself to manage ReBAC also becomes a natural research frontier, where we have two ReBAC administrative models proposed recently by Rizvi et al.[30] and Stoller[33]. In this paper, we extend these two ReBAC administrative models in order to apply ReBAC beyond online social networks, particularly where edges can have dependencies with each other and authorization for certain administrative operations requires provenance information. Basically, our policy specifications adopt the concepts of enabling precondition and applicability preconditions from Rizvi et al[30]. Then, we address several issues that need to be considered in order to properly execute operation effects, such as cascading revocation and integrity constraints on the relationship graph. With these extended features, we show that our administrative models can provide the administration capability of the MT-RBAC model originally designed for multi-tenant collaborative cloud systems[34].","PeriodicalId":388649,"journal":{"name":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2914642.2914655","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Relationship-based access control (ReBAC) has been widely studied and applied in the domain of online social networks, and has since been extended to domains beyond social. Using ReBAC itself to manage ReBAC also becomes a natural research frontier, where we have two ReBAC administrative models proposed recently by Rizvi et al.[30] and Stoller[33]. In this paper, we extend these two ReBAC administrative models in order to apply ReBAC beyond online social networks, particularly where edges can have dependencies with each other and authorization for certain administrative operations requires provenance information. Basically, our policy specifications adopt the concepts of enabling precondition and applicability preconditions from Rizvi et al[30]. Then, we address several issues that need to be considered in order to properly execute operation effects, such as cascading revocation and integrity constraints on the relationship graph. With these extended features, we show that our administrative models can provide the administration capability of the MT-RBAC model originally designed for multi-tenant collaborative cloud systems[34].

查看原文本刊更多论文

具有级联撤销和来源支持的扩展ReBAC管理模型

基于关系的访问控制(ReBAC)在在线社交网络领域得到了广泛的研究和应用，并已扩展到社交之外的领域。使用ReBAC本身来管理ReBAC也成为一个自然的研究前沿，我们有Rizvi等人[30]和Stoller[33]最近提出的两种ReBAC管理模型。在本文中，我们扩展了这两种ReBAC管理模型，以便将ReBAC应用于在线社交网络之外，特别是在边缘可以相互依赖并且某些管理操作的授权需要来源信息的情况下。我们的策略规范基本上采用了Rizvi等[30]的使能前提和适用性前提的概念。然后，我们解决了为了正确执行操作效果而需要考虑的几个问题，例如关系图上的级联撤销和完整性约束。通过这些扩展功能，我们证明了我们的管理模型可以提供最初为多租户协作云系统设计的MT-RBAC模型的管理功能[34]。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies

自引率

0.00%

发文量