An Attribute Based Access Control Model with POL Module for Dynamically Granting and Revoking Authorizations

Resource sharing and system security are currently critical issues. This paper proposes a POL module, composed of a PRIVILEGE attribute (PA), an obligation and a log, which improves the attribute-based access control (ABAC) model in dynamically granting and revoking authorizations. The following describes the new model, termed PABAC, in terms of the POL module structure, attribute definitions, policy formulation and authorization architecture, which demonstrate its advantages. The POL module addresses problems that were not anticipated in advance and are not described by the access control policy. Depending on the practical application, it can serve as one of the subject attributes or one of the resource attributes, which enhances the flexibility of the model compared with ABAC. A scenario illustrating how this model is applied to the real world is provided.



