Abstract
Recently, there has been considerable interest in attribute-based access control (ABAC) to overcome the limitations of the dominant access control models (i.e., discretionary access control, DAC; mandatory access control, MAC; and role-based access control, RBAC) while unifying their advantages. Although some proposals for ABAC have been published, and even implemented and standardized, there is no consensus on precisely what is meant by ABAC or on the required features of ABAC. There is no widely accepted ABAC model as there are for DAC, MAC and RBAC. This paper takes a step towards this end by constructing an ABAC model that has “just sufficient” features to be “easily and naturally” configured to do DAC, MAC and RBAC. For this purpose we understand DAC to mean owner-controlled access control lists, MAC to mean lattice-based access control with tranquility, and RBAC to mean flat and hierarchical RBAC. Our central contribution is to take a first cut at establishing formal connections between the three successful classical models and desired ABAC models.
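The abstract's claim is that one attribute-based authorization function can be configured to behave as each classical model. The following added example (not the paper's own ABAC model, and not code from the authors) illustrates that idea in Python: subjects and objects are just attribute maps, and each of the three models is expressed as a different rule over those attributes, using the same definitions the abstract names (owner-controlled ACLs for DAC, a label lattice with fixed labels for MAC, and flat roles plus a role hierarchy for RBAC). The label levels, role hierarchy, permission assignments, users and the document are all constructed sample data, and the MAC rules are the textbook "no read-up / no write-down" conditions, which is an assumption about what "lattice-based access control" should mean here.

```python
"""Added illustration: one attribute-based authorize() configured to mimic DAC,
MAC and RBAC. All attribute values are constructed sample data."""
from dataclasses import dataclass

# --- MAC: a small, constructed lattice of security labels --------------------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


# --- RBAC: flat roles plus a constructed hierarchy (senior -> juniors) ------
ROLE_HIERARCHY = {"manager": {"engineer"}, "engineer": {"employee"}, "employee": set()}

# constructed permission assignment: role -> {(object type, operation)}
PERMISSIONS = {
    "employee": {("doc", "read")},
    "engineer": {("doc", "write")},
    "manager": {("doc", "delete")},
}


def effective_roles(roles):
    """Close a role set under the hierarchy so seniors inherit junior permissions."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_HIERARCHY.get(role, ()))
    return seen


# --- the three classical models, each as a rule over attributes -------------
def dac_authorize(user, obj, op):
    """Owner-controlled ACL: the owner may do anything, others only what the ACL grants."""
    if obj["owner"] == user["id"]:
        return True
    return op in obj["acl"].get(user["id"], set())


def mac_authorize(user, obj, op):
    """Lattice-based MAC with tranquility: labels never change during a session.
    read  -> clearance must dominate the object label   (no read-up)
    write -> object label must dominate the clearance   (no write-down)"""
    if op == "read":
        return user["clearance"].dominates(obj["label"])
    if op == "write":
        return obj["label"].dominates(user["clearance"])
    return False


def rbac_authorize(user, obj, op):
    """Hierarchical RBAC: permitted if any effective role holds (type, op)."""
    return any((obj["type"], op) in PERMISSIONS.get(r, set())
               for r in effective_roles(user["roles"]))


# One unified entry point: the configured policy picks which attribute rule applies.
POLICIES = {"dac": dac_authorize, "mac": mac_authorize, "rbac": rbac_authorize}


def authorize(policy, user, obj, op):
    return POLICIES[policy](user, obj, op)


# --- constructed subjects and one object, carrying attributes for all three models
ALICE = {"id": "alice", "clearance": Label("secret", frozenset({"crypto"})),
         "roles": {"manager"}}
BOB = {"id": "bob", "clearance": Label("confidential"), "roles": {"employee"}}
DOC = {"type": "doc", "owner": "alice", "acl": {"bob": {"read"}},
       "label": Label("confidential")}

if __name__ == "__main__":
    for policy in POLICIES:
        for user in (ALICE, BOB):
            for op in ("read", "write", "delete"):
                print(policy, user["id"], op, authorize(policy, user, DOC, op))
```

The point of the example is that the user and object records never change between policies; only the rule consulted by `authorize` does, which is the sense in which a sufficiently expressive ABAC configuration can "do" each classical model. The MAC rule illustrates tranquility by never writing to a label: a decision reads `clearance` and `label` and leaves them as they are.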
Keywords
- Attribute
- XACML
- DAC
- MAC
- RBAC
- ABAC
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Jin, X., Krishnan, R., Sandhu, R. (2012). A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds) Data and Applications Security and Privacy XXVI. DBSec 2012. Lecture Notes in Computer Science, vol 7371. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31540-4_4
DOI: https://doi.org/10.1007/978-3-642-31540-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31539-8
Online ISBN: 978-3-642-31540-4