ABAC with group attributes and attribute hierarchies utilizing the policy machine

Smriti Bhatt, Farhan Patwa, Ravi Sandhu

Research output: Conference contribution

Abstract

Attribute-Based Access Control (ABAC) has received significant attention in recent years, although the concept has been around for over two decades now. Many ABAC models, with different variations, have been proposed and formalized. Besides basic ABAC models, there are models designed with additional capabilities such as group attributes, group and attribute hierarchies and so on. Hierarchical relationships among groups and attributes enhance access control flexibility and facilitate attribute management and administration. However, implementation and demonstration of ABAC models in real-world applications are still lacking. In this paper, we present a restricted HGABAC (rHGABAC) model with user and object groups and group hierarchy. We then introduce attribute hierarchies in this model. We also present an authorization architecture for implementing rHGABAC utilizing the NIST Policy Machine (PM). PM allows one to define attribute-based access control policies; however, the attributes in PM are different in nature from the attributes in typical ABAC models, which are name-value pairs. We identify a policy configuration mechanism for our proposed model employing PM capabilities, and demonstrate use cases and their configuration and implementation in PM using our authorization architecture.
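The abstract names two mechanisms that a plain ABAC model lacks: a group hierarchy, in which a member of a group inherits the attributes assigned to that group and to all of its ancestors, and an attribute hierarchy, in which one attribute value dominates the values below it. The Python below is an added illustration of both and is not code from the paper, not the formal rHGABAC definition, and not NIST Policy Machine code. Every group, user, object, attribute name, attribute value and policy rule in it is constructed for the example.

```python
"""ABAC with user/object groups, a group hierarchy and an attribute-value
hierarchy.  Added illustration only: not the paper's formal rHGABAC model and
not NIST Policy Machine code.  All names and values are constructed."""
from collections import defaultdict

# Group hierarchy as child -> parents (a DAG).  A member of a group inherits
# every attribute assigned to that group and to all of its ancestors.
USER_GROUP_PARENTS = {
    "acme": [],
    "acme.engineering": ["acme"],
    "acme.engineering.crypto": ["acme.engineering"],
    "acme.contractors": ["acme"],
}
OBJECT_GROUP_PARENTS = {"projects": [], "projects.crypto": ["projects"]}
# Group attributes: group -> {attribute name -> set of values}.
USER_GROUP_ATTRS = {
    "acme": {"org": {"acme"}},
    "acme.engineering": {"dept": {"eng"}, "clearance": {"confidential"}},
    "acme.engineering.crypto": {"project": {"crypto"}, "clearance": {"secret"}},
    "acme.contractors": {"clearance": {"public"}},
}
OBJECT_GROUP_ATTRS = {
    "projects": {"org": {"acme"}},
    "projects.crypto": {"project": {"crypto"}, "sensitivity": {"secret"}},
}
# Users and objects: group memberships plus directly assigned attributes.
USERS = {
    "alice": {"groups": {"acme.engineering.crypto"}, "attrs": {}},
    "bob": {"groups": {"acme.engineering"}, "attrs": {}},
    "carol": {"groups": {"acme.contractors"}, "attrs": {"clearance": {"confidential"}}},
}
OBJECTS = {
    "design.pdf": {"groups": {"projects.crypto"}, "attrs": {}},
    "handbook.pdf": {"groups": {"projects"}, "attrs": {"sensitivity": {"public"}}},
}
# Attribute-value hierarchy shared by "clearance" and "sensitivity":
# value -> values it directly dominates ("secret" may read "confidential").
CLEARANCE_DOMINATES = {
    "top-secret": {"secret"}, "secret": {"confidential"},
    "confidential": {"public"}, "public": set(),
}


def ancestors(group, parents):
    """Return `group` plus every group reachable upward from it."""
    seen, stack = set(), [group]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(parents[g])
    return seen


def effective_attrs(entity, group_parents, group_attrs):
    """Union of direct attributes and the attributes of all ancestor groups."""
    eff = defaultdict(set)
    for name, values in entity["attrs"].items():
        eff[name] |= values
    for group in entity["groups"]:
        for anc in ancestors(group, group_parents):
            for name, values in group_attrs.get(anc, {}).items():
                eff[name] |= values
    return dict(eff)


def dominates(higher, lower, hierarchy=CLEARANCE_DOMINATES):
    """True if `higher` equals `lower` or reaches it in the value hierarchy."""
    seen, stack = set(), [higher]
    while stack:
        v = stack.pop()
        if v == lower:
            return True
        if v not in seen:
            seen.add(v)
            stack.extend(hierarchy.get(v, ()))
    return False


def top_value(values):
    """The value that dominates all others in `values`, or None (fail closed).
    Needed because a user may inherit several clearances from several groups."""
    return next((v for v in values if all(dominates(v, o) for o in values)), None)


def authorize(user_id, object_id, action):
    """Constructed policy: read needs a shared org and a clearance dominating
    the object's sensitivity; write also needs a shared project.  Missing
    attributes deny."""
    ua = effective_attrs(USERS[user_id], USER_GROUP_PARENTS, USER_GROUP_ATTRS)
    oa = effective_attrs(OBJECTS[object_id], OBJECT_GROUP_PARENTS, OBJECT_GROUP_ATTRS)
    if not ua.get("org", set()) & oa.get("org", set()):
        return False
    clearance = top_value(ua.get("clearance", set()))
    sensitivity = top_value(oa.get("sensitivity", set()))
    if clearance is None or sensitivity is None or not dominates(clearance, sensitivity):
        return False
    if action == "read":
        return True
    if action == "write":
        return bool(ua.get("project", set()) & oa.get("project", set()))
    return False
```

Two design points worth noticing. First, `alice` ends up with both `confidential` (from `acme.engineering`) and `secret` (from `acme.engineering.crypto`), so a resolver like `top_value` is needed whenever a hierarchy can assign the same attribute at several levels; choosing the dominating value is one policy, taking the least privileged is another, and which one applies should be decided explicitly rather than left to set ordering. Second, every missing attribute denies, so an object that was never labelled cannot be read by anyone. The Policy Machine's own representation of attributes as graph nodes rather than name-value pairs, which the abstract contrasts with this style, is not modelled here.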

Language: English (US)
Title of host publication: ABAC 2017 - Proceedings of the 2nd ACM Workshop on Attribute-Based Access Control, co-located with CODASPY 2017
Publisher: Association for Computing Machinery, Inc
Pages: 17-28
Number of pages: 12
ISBN (Electronic): 9781450349109
DOI: 10.1145/3041048.3041053
State: Published - Mar 24 2017
Event: 2nd ACM Workshop on Attribute-Based Access Control, ABAC 2017 - Scottsdale, United States
Duration: Mar 24 2017 → …

Other

Other: 2nd ACM Workshop on Attribute-Based Access Control, ABAC 2017
Country: United States
City: Scottsdale
Period: 3/24/17 → …

Keywords

  • Attribute hierarchy
  • Attribute-Based Access Control
  • Group attributes
  • Group hierarchy
  • Policy machine

ASJC Scopus subject areas

  • Information Systems
  • Computer Science Applications
  • Software

Cite this

Bhatt, S., Patwa, F., & Sandhu, R. (2017). ABAC with group attributes and attribute hierarchies utilizing the policy machine. In ABAC 2017 - Proceedings of the 2nd ACM Workshop on Attribute-Based Access Control, co-located with CODASPY 2017 (pp. 17-28). Association for Computing Machinery, Inc. DOI: 10.1145/3041048.3041053

@inbook{e4edce0e3ae8402ba99bd0c4a3e5c1ad,
title = "ABAC with group attributes and attribute hierarchies utilizing the policy machine",
abstract = "Attribute-Based Access Control (ABAC) has received significant attention in recent years, although the concept has been around for over two decades now. Many ABAC models, with different variations, have been proposed and formalized. Besides basic ABAC models, there are models designed with additional capabilities such as group attributes, group and attribute hierarchies and so on. Hierarchical relationships among groups and attributes enhance access control flexibility and facilitate attribute management and administration. However, implementation and demonstration of ABAC models in real-world applications are still lacking. In this paper, we present a restricted HGABAC (rHGABAC) model with user and object groups and group hierarchy. We then introduce attribute hierarchies in this model. We also present an authorization architecture for implementing rHGABAC utilizing the NIST Policy Machine (PM). PM allows one to define attribute-based access control policies; however, the attributes in PM are different in nature from the attributes in typical ABAC models, which are name-value pairs. We identify a policy configuration mechanism for our proposed model employing PM capabilities, and demonstrate use cases and their configuration and implementation in PM using our authorization architecture.",
keywords = "Attribute hierarchy, Attribute-Based Access Control, Group attributes, Group hierarchy, Policy machine",
author = "Smriti Bhatt and Farhan Patwa and Ravi Sandhu",
year = "2017",
month = "3",
doi = "10.1145/3041048.3041053",
pages = "17--28",
booktitle = "ABAC 2017 - Proceedings of the 2nd ACM Workshop on Attribute-Based Access Control, co-located with CODASPY 2017",
publisher = "Association for Computing Machinery, Inc",

}
