research-article

Relationship-based access control policies and their policy languages

Authors:

Philip W.L. Fong,

Ida SiahaanAuthors Info & Claims

SACMAT '11: Proceedings of the 16th ACM symposium on Access control models and technologies

Pages 51 - 60

https://doi.org/10.1145/1998441.1998450

Published: 15 June 2011 Publication History

Abstract

The Relationship-Based Access Control (ReBAC) model was recently proposed as a general-purpose access control model. It supports the natural expression of parameterized roles, the composition of policies, and the delegation of trust. Fong proposed a policy language that is based on Modal Logic for expressing and composing ReBAC policies. A natural question is whether such a language is representationally complete, that is, whether the language is capable of expressing all ReBAC policies that one is interested in expressing. In this work, we argue that the extensive use of what we call Relational Policies is what distinguishes ReBAC from traditional access control models. We show that Fong's policy language is representationally incomplete in that certain previously studied Relational Policies are not expressible in the language. We introduce two extensions to the policy language of Fong, and prove that the extended policy language is representationally complete with respect to a well-defined subclass of Relational Policies.

References

[1]

M. Anwar, Z. Zhao, and P. W. L. Fong. An access control model for Facebook-style social network systems. Tech. Rep. 2010--959-08, Dept. of Computer Science, University of Calgary, AB, Canada, July 2010.

[2]

F. Baader, D. Calvanese, D. L. McGuinness, D. Nardi, and P. F. Patel-Schneider, editors. The Description Logic Handbook. Cambridge, 2007.

Digital Library

[3]

L. Badger, D. F. Sterne, D. L. Sherman, K. M. Walker, and S. A Haghighat. Practical domain and type enforcement for UNIX. In Proceedings of the 1995 IEEE Symposium on Security and Privacy (S&P'95), pages 66--77, Oakland, CA, USA, May 1995.

Digital Library

[4]

M. Y. Becker and P. Sewell. Cassandra: Flexible trust management, applied to electronic health records. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), Pacific Grove, CA, USA, June 2004.

Digital Library

[5]

K. Beznosov. Requirements for access control: US healthcare domain. In Proceedings of the 3rd ACM Workshop on Role-Based Access Control (RBAC'98), page 43, Fairfax, VA, USA, October 1998.

Digital Library

[6]

P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge, 2001.

Digital Library

[7]

M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Proceedings of the 1996 IEEE Symposium on Security and Privacy (S&P'96), pages 164--173, Oakland, CA, USA, May 1996.

Digital Library

[8]

B. Carminati, E. Ferrari, R. Heatherly, M. Kantarcioglu, and B. Thurainsingham. A semantic web based framework for social network access control. In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT'09), pages 177--186, Stresa, Italy, June 2009.

Digital Library

[9]

B. Carminati, E. Ferrari, and A. Perego. Enforcing access control in Web-based social networks. ACM Transactions on Information and System Security, 13(1):1--38, October 2009.

Digital Library

[10]

D. Chakrabarti and C. Faloutsos. Graph mining: Laws, generators, and algorithms. ACM Computing Surveys, 38, March 2006.

Digital Library

[11]

T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. MIT Press, 3rd edition, 2009.

Digital Library

[12]

D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security, 4(3):224--274, 2001.

Digital Library

[13]

P. W. L. Fong. Access control by tracking shallow execution history. In Proceedings of the 2004 IEEE Symposium on Security and Privacy (S&P'04), pages 43--55, Oakland, CA, USA, May 2004.

[14]

P. W. L. Fong. Preventing Sybil attacks by privilege attenuation: A design principle for social network systems. In Proceedings of the 2011 IEEE Symposium on Security and Privacy (S&P'11), Oakland, CA, USA, May 2011.

Digital Library

[15]

P. W. L. Fong. Relationship-based access control: Protection model and policy language. In Proceedings of the First ACM Conference on Data and Application Security and Privacy (CODASPY'11), pages 191--202, San Antonio, Taxas, USA, February 2011.

Digital Library

[16]

P. W. L. Fong, M. Anwar, and Z. Zhao. A privacy preservation model for Facebook-style social network systems. In Proceedings of the 14th European Symposium on Research In Computer Security (ESORICS'09), volume 5789 of LNCS, pages 303--320, Saint Malo, France, September 2009. Springer.

Digital Library

[17]

Carrie E. Gates. Access Control Requirements for Web 2.0 Security and Privacy. In IEEE Web 2.0 Privacy and Security Workship (W2SP'07), Oakland, CA, USA, 2007.

[18]

F. Giunchiglia, R. Zhang, and B. Crispo. RelBAC: Relation based access control. In Proceedings of the Fourth International Conference on Semantics, Knowledge and Grid (SKG'08), pages 3--11, Beijing, China, December 2008.

Digital Library

[19]

L. Giuri and P. Iglio. Role templates for content-based access control. In Proceedings of the 2nd ACM Workshop on Role-Based Access Control (RBAC'97), pages 153--159, Fairfax, VA, USA, November 1997.

Digital Library

[20]

V. Haarslev and R. Möller. RACER system description. In Proceedings of the 1st International Joint Conference on Automated Reasoning (IJCAR'01), pages 701--705, Siena, Italy, 2001.

Digital Library

[21]

K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability classes for enforcement mechanisms. ACM Transactions on Programming Langanguages And Systems, 28(1):175--205, January 2006.

Digital Library

[22]

I. R. Horrocks. Using an expressive description logic: FaCT or fiction? In Proceedings of the 6th International Conference on Principles of Knowledge Representation and Reasoning (KR'98), pages 636--649, Trento, Italy, 1998.

[23]

S. R. Kruk, S. Grzonkowski, A. Gzella, T. Woroniecki, and H.-C. Choi. D-FOAF: Distributed identity management with access rights delegation. In Proceedings of the 1st Asian Semantic Web Conference (ASWC'06), volume 4185 of LNCS, pages 140--154, Beijing, China, September 2006. Springer.

Digital Library

[24]

N. Li, B. N. Grosof, and J. Feigenbaum. Delegation logic: A logic-based approach to distributed authorization. ACM Transactions on Information and System Security, 6(1):128--171, February 2003.

Digital Library

[25]

N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust-management framework. In Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P'02), pages 114--130, Berkeley, California, USA, May 2002.

Digital Library

[26]

J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(1--2):2--16, February 2005.

[27]

J. Ligatti, L. Bauer, and D. Walker. Run-time enforcement of nonsafety policies. ACM Transactions on Information and Systems Security, 12(3), 2009.

Digital Library

[28]

J. Ligatti and S. Reddy. A theory of runtime enforcement, with results. In Proceedings of the 15th European Symposium on Research in Computer Security (ESORICS'10), volume 6345 of LNCS, Athens, Greece, September 2010. Springer.

Digital Library

[29]

E. Lupu and M. Sloman. Reconciling role based management and role based access control. In Proceedings of the 2nd ACM Workshop on Role-Based Access Control (RBAC'97), pages 135--141, Fairfax, VA, USA, November 1997.

Digital Library

[30]

L. Rostad and O. Edsberg. A study of access control requirements for healthcare systems based on audit trails from access logs. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC'06), Miami Beach, FL, USA, December 2006.

Digital Library

[31]

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. IEEE Computer, 19(2):38--47, February 1996.

Digital Library

[32]

K. Schild. A correspondence theory for terminological logics: preliminary report. In Proceedings of the 12th International Joint Conference on Artificial intelligence (IJCAI'91), pages 466--471, 1991.

Digital Library

[33]

F. B. Schneider. Enforceable security policies. ACM Transactions on Information and System Security, 3(1):30--50, 2000.

Digital Library

[34]

A. Squicciarini, F. Paci, and S. Sundareswaran. PriMa: An effective privacy protection mechanism for social networks. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS'10), pages 320--323, Beijing, China, April 2010.

Digital Library

[35]

A. C. Squicciarini, M. Shehab, and J. Wede. Privacy policies for shared content in social network sites. The VLDB Journal, 2010. To appear.

Digital Library

[36]

C. Talhi, N. Tawbi, and M. Debbabi. Execution monitoring enforcement under memory-limitation constraints. Information and Computation, 206:158--184, 2008.

Digital Library

[37]

S. Weeks. Understanding trust management systems. In Proceedings of the 2001 IEEE Symposium on Security and Privacy (S&P'01), pages 94--105, Oakland, California, USA, May 2001.

Digital Library

[38]

R. Zhang, F. Giunchiglia, B. Crispo, and L. Song. Relation-based access control: An access control model for context-aware computing environment. Wireless Personal Communications, 55(1):5--17, September 2010.

Digital Library

Cited By

Ruiz JNarendran PMasoumzadeh AIyer PNiu JVaidya J(2024)Converting Rule-Based Access Control Policies: From Complemented Conditions to Deny RulesProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657040(159-169)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3649158.3657040
Obrezkov D(2024)Cognition Behind Access Control: A Usability Comparison of Rule- and Category-Based MechanismsICT Systems Security and Privacy Protection10.1007/978-3-031-65175-5_26(367-380)Online publication date: 26-Jul-2024
https://doi.org/10.1007/978-3-031-65175-5_26
Iyer PMasoumzadeh ADietrich SChowdhury OTakabi D(2022)Effective Evaluation of Relationship-Based Access Control Policy MiningProceedings of the 27th ACM on Symposium on Access Control Models and Technologies10.1145/3532105.3535022(127-138)Online publication date: 7-Jun-2022
https://dl.acm.org/doi/10.1145/3532105.3535022
Show More Cited By

Index Terms

Relationship-based access control policies and their policy languages
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Relationship-based access control: protection model and policy language
CODASPY '11: Proceedings of the first ACM conference on Data and application security and privacy

Social Network Systems pioneer a paradigm of access control that is distinct from traditional approaches to access control. Gates coined the term Relationship-Based Access Control (ReBAC) to refer to this paradigm. ReBAC is characterized by the explicit ...
Relationship-based access control: its expression and enforcement through hybrid logic
CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy

Access control policy is typically defined in terms of attributes, but in many applications it is more natural to define permissions in terms of relationships that resources, systems, and contexts may enjoy. The paradigm of relationship-based access ...
Mining Relationship-Based Access Control Policies
SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies

Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '11: Proceedings of the 16th ACM symposium on Access control models and technologies

June 2011

196 pages

ISBN:9781450306881

DOI:10.1145/1998441

General Chair:
Ruth Breu
University of Innsbruck, Austria
,
Program Chairs:
Jason Crampton
Royal Holloway, University of London, UK
,
Jorge Lobo
IBM, USA

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 June 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT '11

Sponsor:

SIGSAC

SACMAT '11: 16th ACM Symposium on Access Control Models and Technologies

June 15 - 17, 2011

Innsbruck, Austria

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

66
Total Citations
View Citations
772
Total Downloads

Downloads (Last 12 months)24
Downloads (Last 6 weeks)3

Reflects downloads up to 10 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ruiz JNarendran PMasoumzadeh AIyer PNiu JVaidya J(2024)Converting Rule-Based Access Control Policies: From Complemented Conditions to Deny RulesProceedings of the 29th ACM Symposium on Access Control Models and Technologies10.1145/3649158.3657040(159-169)Online publication date: 24-Jun-2024
https://dl.acm.org/doi/10.1145/3649158.3657040
Obrezkov D(2024)Cognition Behind Access Control: A Usability Comparison of Rule- and Category-Based MechanismsICT Systems Security and Privacy Protection10.1007/978-3-031-65175-5_26(367-380)Online publication date: 26-Jul-2024
https://doi.org/10.1007/978-3-031-65175-5_26
Iyer PMasoumzadeh ADietrich SChowdhury OTakabi D(2022)Effective Evaluation of Relationship-Based Access Control Policy MiningProceedings of the 27th ACM on Symposium on Access Control Models and Technologies10.1145/3532105.3535022(127-138)Online publication date: 7-Jun-2022
https://dl.acm.org/doi/10.1145/3532105.3535022
Karimi LAldairi MJoshi JAbdelhakim M(2022)An Automatic Attribute-Based Access Control Policy Extraction From Access LogsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2021.305433119:4(2304-2317)Online publication date: 1-Jul-2022
https://doi.org/10.1109/TDSC.2021.3054331
Godden TSmet RDebruyne CVandervelden TSteenhaut KBraeken A(2022)Circuitree: A Datalog Reasoner in Zero-KnowledgeIEEE Access10.1109/ACCESS.2022.315336610(21384-21396)Online publication date: 2022
https://doi.org/10.1109/ACCESS.2022.3153366
Clark SYakovets NFletcher GZannone N(2022)ReLOG: A Unified Framework for Relationship-Based Access Control over Graph DatabasesData and Applications Security and Privacy XXXVI10.1007/978-3-031-10684-2_17(303-315)Online publication date: 13-Jul-2022
https://doi.org/10.1007/978-3-031-10684-2_17
Penelova M(2021)Access Control ModelsCybernetics and Information Technologies10.2478/cait-2021-004421:4(77-104)Online publication date: 9-Dec-2021
https://doi.org/10.2478/cait-2021-0044
Masoumzadeh ANarendran PIyer PLobo JDi Pietro RChowdhury O(2021)Towards a Theory for Semantics and Expressiveness Analysis of Rule-Based Access Control ModelsProceedings of the 26th ACM Symposium on Access Control Models and Technologies10.1145/3450569.3463569(33-43)Online publication date: 11-Jun-2021
https://dl.acm.org/doi/10.1145/3450569.3463569
Chakraborty SSandhu R(2021)On Feasibility of Attribute-Aware Relationship-Based Access Control Policy MiningData and Applications Security and Privacy XXXV10.1007/978-3-030-81242-3_23(393-405)Online publication date: 14-Jul-2021
https://doi.org/10.1007/978-3-030-81242-3_23
Kayes AKalaria RSarker IIslam MWatters PNg AHammoudeh MBadsha SKumara I(2020)A Survey of Context-Aware Access Control Mechanisms for Cloud and Fog Networks: Taxonomy and Open Research IssuesSensors10.3390/s2009246420:9(2464)Online publication date: 27-Apr-2020
https://doi.org/10.3390/s20092464
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents