Skip to main content

HoBAC: fundamentals, principles, and policies


Access Control (AC) is a critical and challenging security aspect within an IT infrastructure. Different AC models have been proposed to define AC policies that dictate the conditions under which a resource may be accessed by a subject. Attribute- Based Access Control (ABAC) is one of the most promising of those models and has received meaningful attention in recent years. Higher-order Attribute-Based Access Control (HoBAC) is a new AC model we recently proposed as a generalization of ABAC that offers more flexibility when designing AC policies. In this paper, theoretical foundations of HoBAC are further developed and an Access Control System (ACS) and an AC policy framework are presented. An application example related to the Internet of Things (IoT) is used to illustrate the different concepts of HoBAC.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10


  1. In this work, without loss of generality, the term context will be used to refer to the environment

  2. \({\mathcal {F}}_f\): function that does not depend on any other \({\mathcal {S}}\)-Structure type. We call it a final function.

  3. CoDom(F): codomain of F.

  4. \({\mathcal {R}}\): universe of references

  5. \(\lceil F \rceil \) represents a reference to F and its dual operator \(\lfloor \rfloor \) evaluates the referenced function.

  6. \({\mathcal {P}}(X)\) represents the powerset of the set X

  7. Special case: if \([A_{2}]_{U_A} = [A_{1}]_{U_A}\) then \(A_{1}\) is said equivalent to \(A_{2}\)

  8. x[i]: the element at position i in the list x

  9. |x|: cardinality of the list x

  10. Having the same position in the lists (the list of the entities’ attributes and the list of the entity types’ attribute types)

  11. Special case: if \([E_{2}]_{U_E} = [E_{1}]_{U_E}\) then \(E_{1}\) is said equivalent to \(E_{2}\)

  12. They may play the role of objects or subjects or both depending on the setting and use case.

  13. Policy enforcer: set of algorithms and mechanisms that enforce an AC policy.

  14. \(\{s,o,a,ac\}\) are called the category of entity types.

  15. The strategy may be a simple strategy or a composed strategy that is built upon other strategies.

  16. \(U_{cds}\): Universe of conditions that may be applied to attributes

  17. Coverage relationships are introduced in Sect. 4.3.3

  18. \(ats \models cd_s\): all conditions \(cd_s\) are satisfied by the attributes ats

  19. Special case: if \(({\mathcal {C}}^{r}(r_2) \subseteq {\mathcal {C}}^{r}(r_1))\) and that \(r_1.d = r_2.d\) then \(r_{1}\) is equivalent to \(r_{2}\), noted \(r_1 \equiv r_2\).

  20. The components of a capability \(ab = \langle s_o, s_a, s_{ac},d\rangle \) are referred to as \(ab.s_o, ab.s_a, s_{ac}\) and ab.d respectively.

  21. Two capabilities are contradictory if they cover in common at least one object, action and context and a different decision value (set to Deny in one and to Allow in the other)


  • Adda M, Abdelaziz J, Mcheick H, Saad R (2015) Toward an access control model for iotcollab. In: Proceedings of the 6th international conference on ambient systems, networks and technologies (ANT 2015), the 5th international conference on sustainable energy information technology (SEIT-2015), London, June 2–5, 2015, pp 428–435.

  • Alam M, Emmanuel N, Khan T, Xiang Y, Hassan H (2018) Garbled role-based access control in the cloud. J Ambient Intell Humaniz Comput 9(4):1153–1166.

    Article  Google Scholar 

  • Aliane L, Adda M (2019) Hobac: toward a higher-order attribute-based access control model. Procedia Computer Science 155:303 – 310. The 16th International Conference on Mobile Systems and Pervasive Computing (MobiSPC 2019),The 14th International Conference on Future Networks and Communications (FNC-2019),The 9th International Conference on Sustainable Energy Information Technology.,

  • Alshehri A, Sandhu R (2017) Access control models for virtual object communication in cloud-enabled iot. In: 2017 IEEE international conference on information reuse and integration (IRI), pp 16–25.

  • Barkley J (1997) Comparing simple role based access control models and access control lists. In: Proceedings of the second ACM workshop on role-based access control. ACM, New York, RBAC ’97, pp 127–132.

  • Bertino E, Bonatti PA, Ferrari E (2001) TRBAC: a temporal role-based access control model. ACM Trans Inf Syst Secur 4(3):191–233.

    Article  Google Scholar 

  • Bhatt S, Patwa F, Sandhu R (2017) Abac with group attributes and attribute hierarchies utilizing the policy machine. In: Proceedings of the 2nd ACM workshop on attribute-based access control. ACM, New York, ABAC ’17, pp 17–28.

  • Cruz JP, Kaji Y, Yanai N (2018) RBAC-SC: role-based access control using smart contract. IEEE Access 6:12240–12251.

    Article  Google Scholar 

  • Dong Y, Wan K, Huang X, Yue Y (2018) Contexts-states-aware access control for internet of things. In: 2018 IEEE 22nd international conference on computer supported cooperative work in design (CSCWD), pp 666–671.

  • Hassija V, Chamola V, Saxena V, Jain D, Goyal P, Sikdar B (2019) A survey on iot security: application areas, security threats, and solution architectures. IEEE Access 7:82721–82743.

    Article  Google Scholar 

  • Hu VC, Kuhn DR, Ferraiolo DF, Voas J (2015) Attribute-based access control. Computer 48(2):85–88.

    Article  Google Scholar 

  • Hu K, Cai G, Shen C (2016/04) An enhanced access control model based on trusted computing. In: 2nd International conference on advances in mechanical engineering and industrial informatics (AMEII 2016). Atlantis Press.

  • Jin X, Krishnan R, Sandhu R (2012) A unified attribute-based access control model covering dac, mac and rbac. In: Proceedings of the 26th annual IFIP WG 11.3 conference on data and applications security and privacy. Springer, Berlin, DBSec’12, pp 41–55.

  • Kalam AAE, Baida RE, Balbiani P, Benferhat S, Cuppens F, Deswarte Y, Miege A, Saurel C, Trouessin G (2003) Organization based access control. In: Proceedings POLICY 2003. IEEE 4th international workshop on policies for distributed systems and networks, pp 120–131.

  • Kuhn DR, Coyne EJ, Weil TR (2010) Adding attributes to role-based access control. Computer 43(6):79–81.

    Article  Google Scholar 

  • Layouni F, Pollet Y (2009) FI-ORBAC: a model of access control for federated identity platform. In: IADIS 2009, the international conference on information system, Barcelona., ISBN: 978-972-8924-79-9

  • Lee C, Fumagalli A (2019) Internet of things security—multilayered method for end to end data communications over cellular networks. In: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), pp 24–28.

  • Lee Y, Lim J, Jeon Y, Kim J (2015) Technology trends of access control in iot and requirements analysis. In: 2015 International conference on information and communication technology convergence (ICTC), pp 1031–1033.

  • Maia Neto AL, Pereira LY, Souza ALF, Cunha I, Oliveira BL (2018) Demo abstract: attributed-based authentication and access control for iot home devices. In: 2018 17th ACM/IEEE international conference on information processing in sensor networks (IPSN), pp 112–113.

  • Manaligod HJT, Diño MJS, Ghose S, Han J (2019) Context computing for internet of things. J Ambient Intell Humaniz Comput.

    Article  Google Scholar 

  • Meneghello F, Calore M, Zucchetto D, Polese M, Zanella A (2019) Iot: Internet of threats? A survey of practical security vulnerabilities in real iot devices. IEEE Internet of Things J 6(5):8182–8201.

    Article  Google Scholar 

  • Miraz MH, Ali M, Excell PS, Picking R (2015) A review on internet of things (iot), internet of everything (ioe) and internet of nano things (iont). In: 2015 Internet technologies and applications (ITA), pp 219–224.

  • Mitra B, Sural S, Vaidya J, Atluri V (2017) Migrating from rbac to temporal rbac. IET Inf Secur 11(5):294–300.

    Article  Google Scholar 

  • Murray WH (1993) Information security management, chap Introduction to access controls, Auerbach Publishers, pp 515–523

  • Nakamura S, Enokido T, Takizawa M (2018) A flexible read-write abortion protocol with role safety concept to prevent illegal information flow. J Ambient Intell Humaniz Comput 9(5):1415–1425.

    Article  Google Scholar 

  • Neshenko N, Bou-Harb E, Crichigno J, Kaddoum G, Ghani N (2019) Demystifying iot security: an exhaustive survey on iot vulnerabilities and a first empirical look on internet-scale iot exploitations. IEEE Commun Surv Tutor 21(3):2702–2733.

    Article  Google Scholar 

  • Pournaghi SM, Bayat M, Farjami Y (2020) MEDSBA: a novel and secure scheme to share medical data based on blockchain technology and attribute-based encryption. J Ambient Intell Humaniz Comput.

    Article  Google Scholar 

  • Sandhu RS, Samarati P (1994) Access control: principle and practice. IEEE Commun Mag 32:40–48.

    Article  Google Scholar 

  • Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1994) Role-based access control: a multi-dimensional view. In: Tenth annual computer security applications conference, pp 54–62.

  • Servos D, Osborn SL (2015) HGABAC: towards a formal model of hierarchical attribute-based access control. In: Cuppens F, Garcia-Alfaro J, Zincir Heywood N, Fong PWL (eds) Foundations and practice of security. Springer International Publishing, Cham, pp 187–204

    Chapter  Google Scholar 

  • Sicuranza M, Esposito A, Ciampi M (2015) An access control model to minimize the data exchange in the information retrieval. J Ambient Intell Humaniz Comput 6(6):741–752.

    Article  Google Scholar 

  • Singh S, Singh N (2015) Internet of things (iot): Security challenges, business opportunities reference architecture for e-commerce. In: 2015 International conference on green computing and internet of things (ICGCIoT), pp 1577–1581.

  • Xu Z, Stoller SD (2013) Mining attribute-based access control policies. vol abs/1306.2401. arXiv:1306.2401

  • Zhang G, Liu J (2011) A model of workflow-oriented attributed based access control. Int J Comput Netw Inf Secur (IJCNIS) 3:47–53

    Google Scholar 

Download references


We acknowledge the support of the Natural Sciences and Engineering Research Council of Canada (NSERC), 06351. Cette recherche a été financée par le Conseil de recherches en sciences naturelles et en génie du Canada (CRSNG), 06351.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Mehdi Adda.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Adda, M., Aliane, L. HoBAC: fundamentals, principles, and policies. J Ambient Intell Human Comput 11, 5927–5941 (2020).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • IoT
  • Security
  • Access Control
  • ABAC and HoBAC