ABSTRACT
Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects.
ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents an algorithm for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model, and an evaluation of the algorithm on four sample policies and two large case studies. Our algorithm can be adapted to mine ReBAC policies from access logs and object models. It is the first algorithm for these problems.
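The object-model view of ReBAC sketched in the abstract, as an added example that is not the paper's code: a constructed object model whose fields (dept, head, owner) refer to other objects, a path-expression evaluator that follows those chains, and a deliberately simplified mining loop that keeps only candidate rules whose grants are a subset of a constructed ACL and then picks rules greedily. The rule shape, the class and field names and the greedy selection are assumptions for illustration, not the paper's algorithm.

```python
from itertools import product
# Constructed object model (not the paper's): a field holding another object's id is a relationship.
OBJECTS = {"alice": {"class": "User", "dept": "d1"}, "bob": {"class": "User", "dept": "d2"},
           "carol": {"class": "User", "dept": "d1"}, "d1": {"class": "Dept", "head": "alice"},
           "d2": {"class": "Dept", "head": "bob"}, "doc1": {"class": "Doc", "owner": "carol"},
           "doc2": {"class": "Doc", "owner": "bob"}}
# Constructed ACL for one operation: (user, document) pairs that may read the document.
ACL = {("carol", "doc1"), ("bob", "doc2"), ("alice", "doc1")}

def follow(obj, path):
    """Evaluate path expression "f1.f2..." from obj ("" is obj itself); None if a field is missing."""
    for field in path.split(".") if path else []:
        obj = OBJECTS.get(obj, {}).get(field)
        if obj is None:
            return None
    return obj

def paths_from(cls, max_len):
    """Path expressions of length <= max_len from class cls, built from reference-valued fields."""
    result, frontier = [""], [("", cls)]
    for _ in range(max_len):
        frontier = [(f"{p}.{f}" if p else f, OBJECTS[v]["class"])
                    for p, c in frontier for o in OBJECTS.values() if o["class"] == c
                    for f, v in o.items() if f != "class" and v in OBJECTS]
        frontier = list(dict.fromkeys(frontier))  # drop duplicate (path, class) entries
        result += [p for p, _ in frontier]
    return result

def permits(rule, sub, res):
    """rule = (subject class, resource class, subject path, resource path): both paths must meet."""
    sc, rc, sp, rp = rule
    s = follow(sub, sp) if (OBJECTS[sub]["class"], OBJECTS[res]["class"]) == (sc, rc) else None
    return s is not None and s == follow(res, rp)

def mine(acl, sub_cls="User", res_cls="Doc", max_len=3):
    """Simplified mining (not the paper's algorithm): keep rules that grant only ACL entries, pick greedily."""
    pairs = [(u, d) for u, d in product(OBJECTS, OBJECTS)
             if OBJECTS[u]["class"] == sub_cls and OBJECTS[d]["class"] == res_cls]
    cands = {}
    for sp, rp in product(paths_from(sub_cls, max_len), paths_from(res_cls, max_len)):
        rule = (sub_cls, res_cls, sp, rp)
        cover = {p for p in pairs if permits(rule, *p)}
        if cover and cover <= acl:  # reject any rule that would over-assign permissions
            cands[rule] = cover
    chosen, left = [], set(acl)
    while left and any(c & left for c in cands.values()):  # stop when no rule adds coverage
        best = max(cands, key=lambda r: (len(cands[r] & left), -len(r[2] + r[3])))  # short paths win ties
        chosen.append(best)
        left -= cands.pop(best)
    return chosen, left
```

On this constructed input the mined rule is "subject's department equals the document owner's department", which is consistent with the ACL even though the ACL was written down from "owner, or head of the owner's department". Several rules can fit the same ACL, so a mined policy still has to be reviewed against the intended one.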