Attribute-Aware Relationship-Based Access Control for Online Social Networks

  • Yuan Cheng
  • Jaehong Park
  • Ravi Sandhu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8566)


Relationship-based access control (ReBAC) has been adopted as the most prominent approach for access control in online social networks (OSNs), where authorization policies are typically specified in terms of relationships of certain types and/or depth between the access requester and the target. However, using relationships alone is often not sufficient to enforce various security and privacy requirements that meet the expectation from today's OSN users. In this work, we integrate attribute-based policies into relationship-based access control. The proposed attribute-aware ReBAC enhances access control capability and allows finer-grained controls that are not available in ReBAC. The policy specification language for the user-to-user relationship-based access control (UURAC) model proposed in [6] is extended to enable such attribute-aware access control. We also present an enhanced path-checking algorithm to determine the existence of the required attributes and relationships in order to grant access.
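As an added illustration (not code from the paper, whose UURAC policy syntax is not reproduced here), the following constructed Python example shows an attribute-aware path check in the spirit of the abstract: a relationship type and depth condition combined with attribute conditions on the requester and on every intermediate user. The social graph, the attribute values and the dictionary encoding of the policy are all assumptions made for this example.

```python
from collections import deque

def add_edge(graph, u, rel, v):
    """Relationships are treated as symmetric here (a constructed assumption)."""
    graph.setdefault(u, []).append((rel, v))
    graph.setdefault(v, []).append((rel, u))

GRAPH = {}  # constructed social graph; alice is the resource owner in the checks below
for u, rel, v in [("alice", "friend", "bob"), ("alice", "friend", "carol"),
                  ("bob", "friend", "dave"), ("carol", "friend", "dave"),
                  ("carol", "friend", "gina"), ("dave", "friend", "frank"),
                  ("bob", "colleague", "erin")]:
    add_edge(GRAPH, u, rel, v)

# Constructed user attributes consulted by the attribute part of the policy.
ATTRS = {"alice": {"age": 30, "verified": True}, "bob": {"age": 17, "verified": True},
         "carol": {"age": 25, "verified": False}, "dave": {"age": 22, "verified": True},
         "erin": {"age": 40, "verified": True}, "frank": {"age": 35, "verified": True},
         "gina": {"age": 30, "verified": True}}

def find_path(graph, attrs, start, target, rel_types, max_depth, hop_ok):
    """BFS from start to target over edges typed in rel_types, at most max_depth
    hops; every intermediate user must satisfy hop_ok(attrs). Path or None."""
    queue, seen = deque([(start, [start])]), {start}
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_depth:
            continue                      # depth budget exhausted on this branch
        for rel, nxt in graph.get(node, []):
            if rel not in rel_types or nxt in seen:
                continue
            if nxt == target:
                return path + [nxt]
            if not hop_ok(attrs.get(nxt, {})):
                continue                  # attribute requirement prunes this hop
            seen.add(nxt)
            queue.append((nxt, path + [nxt]))
    return None

def authorize(requester, owner, policy):
    """Grant only if the requester's own attributes pass and a qualifying path exists."""
    if not policy["requester_ok"](ATTRS.get(requester, {})):
        return None
    return find_path(GRAPH, ATTRS, requester, owner, policy["rel_types"],
                     policy["max_depth"], policy["hop_ok"])

# Constructed policy: friends-of-friends may view, but only verified adults, and
# the relationship path may not pass through an unverified account.
VIEW_PHOTOS = {"rel_types": {"friend"}, "max_depth": 2,
               "hop_ok": lambda a: a.get("verified", False),
               "requester_ok": lambda a: a.get("verified", False) and a.get("age", 0) >= 18}
```

Running the checks against the owner alice: dave is granted via bob, while bob (under 18), gina (only path runs through unverified carol), erin (colleague, not friend) and frank (three hops away) are each denied for a different reason.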


Keywords: Access Control, Attribute, Social Networks


  1. Bruns, G., Fong, P.W., Siahaan, I., Huth, M.: Relationship-based access control: its expression and enforcement through hybrid logic. In: Proceedings of the Second CODASPY, pp. 117–124. ACM (2012)
  2. Carminati, B., Ferrari, E., Heatherly, R., Kantarcioglu, M., Thuraisingham, B.: A semantic web based framework for social network access control. In: Proceedings of the 14th SACMAT, pp. 177–186. ACM (2009)
  3. Carminati, B., Ferrari, E., Perego, A.: Rule-based access control for social networks. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4278, pp. 1734–1744. Springer, Heidelberg (2006)
  4. Carminati, B., Ferrari, E., Perego, A.: Enforcing access control in web-based social networks. ACM TISSEC 13(1), 6 (2009)
  5. Cheng, Y., Park, J., Sandhu, R.: Relationship-based access control for online social networks: beyond user-to-user relationships. In: PASSAT 2012, pp. 646–655. IEEE (2012)
  6. Cheng, Y., Park, J., Sandhu, R.: A user-to-user relationship-based access control model for online social networks. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 8–24. Springer, Heidelberg (2012)
  7. Fong, P.W.: Relationship-based access control: protection model and policy language. In: Proceedings of the First CODASPY, pp. 191–202. ACM (2011)
  8. Fong, P.W.L., Anwar, M., Zhao, Z.: A privacy preservation model for facebook-style social network systems. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 303–320. Springer, Heidelberg (2009)
  9. Fong, P.W., Siahaan, I.: Relationship-based access control policies and their policy languages. In: Proceedings of the 16th SACMAT, pp. 51–60. ACM (2011)
  10. Gates, C.: Access control requirements for Web 2.0 security and privacy. IEEE Web 2.0 (2007)
  11. Golbeck, J., Hendler, J.: Inferring binary trust relationships in web-based social networks. ACM Transactions on Internet Technology (TOIT) 6(4), 497–529 (2006)
  12. Golbeck, J.A.: Computing and Applying Trust in Web-based Social Networks. PhD thesis, University of Maryland at College Park, College Park, MD, USA (2005)
  13. Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)
  14. Kruk, S.R., Grzonkowski, S., Gzella, A., Woroniecki, T., Choi, H.-C.: D-FOAF: Distributed identity management with access rights delegation. In: Mizoguchi, R., Shi, Z.-Z., Giunchiglia, F. (eds.) ASWC 2006. LNCS, vol. 4185, pp. 140–154. Springer, Heidelberg (2006)
  15. Masoumzadeh, A., Joshi, J.: OSNAC: an ontology-based access control model for social networking systems. In: SocialCom 2010, pp. 751–759. IEEE (2010)
  16. Park, J., Sandhu, R., Cheng, Y.: ACON: activity-centric access control for social computing. In: 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 242–247. IEEE (2011)
  17. Park, J., Sandhu, R., Cheng, Y.: A user-activity-centric framework for access control in online social networks. IEEE Internet Computing 15(5), 62–65 (2011)
  18. Shen, H., Hong, F.: An attribute-based access control model for web services. In: PDCAT 2006, pp. 74–79. IEEE (2006)
  19. Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of the IEEE ICWS, pp. 561–569. IEEE (2005)

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Yuan Cheng (1)
  • Jaehong Park (1)
  • Ravi Sandhu (1)
  1. Institute for Cyber Security, University of Texas at San Antonio, USA