An Administrative Model for Relationship-Based Access Control

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9149)


Relationship-based access control (ReBAC) originated in the context of social network systems and recently is being generalized to be suitable for general computing systems. This paper defines a ReBAC model, based on Crampton and Sellwood’s RPPM model, designed to be suitable for general computing systems. Our ReBAC model includes a comprehensive administrative model. The administrative model is comprehensive in the sense that it allows and controls changes to all aspects of the ReBAC policy. To the best of our knowledge, it is the first comprehensive administrative model for a ReBAC model suitable for general computing systems. The model is illustrated with parts of a sample access control policy for electronic health records in a healthcare network.


Target Node System Graph Access Control Policy Path Condition Path Expression 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Carminati, B., Ferrari, E., Perego, A.: Enforcing access control in Web-based social networks. ACM Trans. Inf. Syst. Secur. 13(1), 1–38 (2009)CrossRefGoogle Scholar
  2. 2.
    Cheng, Y., Park, J., Sandhu, R.: A user-to-user relationship-based access control model for online social networks. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 8–24. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  3. 3.
    Crampton, J., Sellwood, J.: Caching and auditing in the RPPM model. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 49–64. Springer, Heidelberg (2014) Google Scholar
  4. 4.
    Crampton, J., Sellwood, J.: Path conditions and principal matching: a new approach to access control. In: Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 187–198. ACM (2014)Google Scholar
  5. 5.
    Fong, P.W.L.: Relationship-based access control: protection model and policy language. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY), pp. 191–202. ACM (2011)Google Scholar
  6. 6.
    Fong, P.W.L., Anwar, M., Zhao, Z.: A privacy preservation model for Facebook-style social network systems. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 303–320. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  7. 7.
    Fong, P.W.L., Siahaan, I.: Relationship-based access control policies and their policy languages. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 51–60. ACM, June 2011Google Scholar
  8. 8.
    Gates, C.E.: Access control requirements for Web 2.0 security and privacy. In: IEEE Web 2.0 Security & Privacy Workshop (W2SP 2007), May 2007Google Scholar
  9. 9.
    Gupta, P.: Verification of security policy administration and enforcement in enterprise systems. Ph.D. thesis, Stony Brook University, December 2011.
  10. 10.
    Gupta, P., Stoller, S.D., Xu, Z.: Abductive analysis of administrative policies in rule-based access control. IEEE Trans. Dependable Secure Comput. 11(5), 412–424 (2014)CrossRefGoogle Scholar
  11. 11.
    Hu, H., Ahn, G.J., Jorgensen, J.: Multiparty access control for online social networks: model and mechanisms. IEEE Trans. Knowl. Data Eng. 25(7), 1614–1627 (2013)CrossRefGoogle Scholar
  12. 12.
    Li, N., Mao, Z.: Administration in role based access control. In: Proceedings of the 2nd ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS), pp. 127–138. ACM, March 2007Google Scholar
  13. 13.
    Liu, Y.A., Stoller, S.D.: Querying complex graphs. In: Van Hentenryck, P. (ed.) PADL 2006. LNCS, vol. 3819, pp. 199–214. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  14. 14.
    Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Commun. ACM 17(7), 388–402 (1974)CrossRefGoogle Scholar
  15. 15.
    Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur. 2(1), 105–135 (1999)CrossRefGoogle Scholar
  16. 16.
    eXtensible Access Control Markup Language (XACML).

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  1. 1.Department of Computer ScienceStony Brook UniversityStony BrookUSA

Personalised recommendations