HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control

  • Daniel ServosEmail author
  • Sylvia L. Osborn
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8930)


Attribute-based access control (ABAC) is a promising alternative to traditional models of access control (i.e. discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC)) that is drawing attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large scale adoption are still lacking. This paper seeks to aid in the transition by providing a formal model of hierarchical ABAC, called Hierarchical Group and Attribute-Based Access Control (or HGABAC), which includes attribute inheritance through user and object groups as well as environment, connection and administrative attributes. A formal specification and an attribute-based policy language are provided. Finally, several example configurations (which demonstrate the versatility of the model) are presented and evaluated.


  1. 1.
    Bell, D., Padula, L.: Secure Computer Systems: Mathematical Foundations and Model. Mitre, Bedford (1974)Google Scholar
  2. 2.
    Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, SP 2007, pp. 321–334. IEEE (2007)Google Scholar
  3. 3.
    Chandran, S.M., Joshi, J.B.D.: LoT-RBAC: a location and time-based RBAC model. In: Ngu, A.H.H., Kitsuregawa, M., Neuhold, E.J., Chung, J.-Y., Sheng, Q.Z. (eds.) WISE 2005. LNCS, vol. 3806, pp. 361–375. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  4. 4.
    Chen, L., Crampton, J.: Risk-aware role-based access control. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 140–156. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  5. 5.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)CrossRefGoogle Scholar
  7. 7.
    Godik, S., Anderson, A., Parducci, B., Humenn, P., Vajjhala, S.: OASIS extensible access control 2 markup language (XACML) 3. Technical report, OASIS (2002)Google Scholar
  8. 8.
    Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Kleene, S.C.: On notation for ordinal numbers. J. Symb. Log. 3(4), 150–155 (1938)CrossRefMathSciNetGoogle Scholar
  10. 10.
    Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding attributes to role-based access control. IEEE Comput. 43(6), 79–81 (2010)CrossRefGoogle Scholar
  11. 11.
    Lampson, B.W.: Protection. ACM SIGOPS Oper. Syst. Rev. 8(1), 18–24 (1974)CrossRefGoogle Scholar
  12. 12.
    Lang, B., Foster, I., Siebenlist, F., Ananthakrishnan, R., Freeman, T.: A flexible attribute based access control method for grid computing. J. Grid Comput. 7(2), 169–180 (2009)CrossRefGoogle Scholar
  13. 13.
    Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 3(2), 85–106 (2000)CrossRefGoogle Scholar
  14. 14.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  15. 15.
    Servos, D.: A role and attribute based encryption approach to privacy and security in cloud based health services. Master’s thesis, Lakehead University (2012)Google Scholar
  16. 16.
    Servos, D., Mohammed, S., Fiaidhi, J., Kim, T.-H.: Extensions to ciphertext-policy attribute-based encryption to support distributed environments. Int. J. Comput. Appl. Technol. 47(2), 215–226 (2013)CrossRefGoogle Scholar
  17. 17.
    Shen, H.-B., Hong,F.: An attribute-based access control model for web services. In: Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 2006, pp. 74–79. IEEE (2006)Google Scholar
  18. 18.
    Wang, L., Wijesekera, D., Jajodia,S.: A logic-based framework for attribute based access control. In Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering, pp. 45–55. ACM (2004)Google Scholar
  19. 19.
    Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of the 2005 IEEE International Conference on Web Services, ICWS 2005. IEEE (2005)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Computer ScienceWestern UniversityLondonCanada

Personalised recommendations