DOI: 10.1145/3180457.3180459
research-article

HGAA: An Architecture to Support Hierarchical Group and Attribute-Based Access Control

Published: 14 March 2018

Abstract

Attribute-Based Access Control (ABAC), a promising alternative to traditional models of access control, has gained significant attention in recent academic literature. This attention has led to the creation of a number of ABAC models including our previous contribution, Hierarchical Group and Attribute-Based Access Control (HGABAC). However, to date few complete solutions exist that provide both an ABAC model and architecture that could be implemented in real-life scenarios. This work aims to advance progress towards a complete ABAC solution by introducing Hierarchical Group Attribute Architecture (HGAA), an architecture to support HGABAC and close the gap between a model and real-world implementation. In addition to HGAA we also present an attribute certificate specification that enables users to provide proof of attribute ownership in a pseudonymous and off-line manner, as well as an update to the Hierarchical Group Policy Language (HGPL) to support our namespace for uniquely identifying attributes across disparate security domains. Details of our HGAA implementation are given and a preliminary analysis of its performance is discussed as well as directions for future work.


Published In

ABAC'18: Proceedings of the Third ACM Workshop on Attribute-Based Access Control
March 2018
75 pages
ISBN: 9781450356336
DOI: 10.1145/3180457

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. ABAC
  2. HGAA
  3. HGABAC
  4. access control
  5. architecture
  6. attribute authority
  7. attribute certificate
  8. attribute-based access control
  9. hierarchical group and attribute-based access control
  10. hierarchical group attribute architecture

Qualifiers

  • Research-article

Conference

CODASPY '18
Cited By

  • (2024) Converting Rule-Based Access Control Policies: From Complemented Conditions to Deny Rules. Proceedings of the 29th ACM Symposium on Access Control Models and Technologies, 159-169. DOI: 10.1145/3649158.3657040. Online publication date: 24-Jun-2024
  • (2021) Towards a Theory for Semantics and Expressiveness Analysis of Rule-Based Access Control Models. Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, 33-43. DOI: 10.1145/3450569.3463569. Online publication date: 11-Jun-2021
  • (2020) Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control. Foundations and Practice of Security, 242-260. DOI: 10.1007/978-3-030-45371-8_15. Online publication date: 17-Apr-2020
  • (2018) An Attribute Certificate Management System for Attribute-Based Access Control. 2018 International Conference on Computational Science and Computational Intelligence (CSCI), 36-41. DOI: 10.1109/CSCI46756.2018.00015. Online publication date: Dec-2018
