Enumerated Authorization Policy ABAC Models: Expressive Power and Enforcement
Attribute Based Access Control (ABAC) has gained considerable attention from businesses, academia and standards bodies (e.g. NIST and NCCOE) in recent years. ABAC uses attributes on users, objects and possibly other entities (e.g. context/environment), and specifies rules over these attributes to assert who can have which access permissions (e.g. read/write) on which objects. Although ABAC concepts have been around for over two decades, there remains a lack of well-accepted ABAC models. Recently there has been a resurgence of interest in ABAC due to continued dissatisfaction with the traditional models—notably Role Based Access Control (RBAC), Discretionary Access Control (DAC), and Lattice Based Access Control (LBAC).
There are two major techniques described in the literature for specifying authorization policies in Attribute Based Access Control. The more conventional approach is to define policies as logical formulas over attribute values. The alternate technique is to express policies by enumeration. While considerable work has been done on the former approach, the latter is comparatively less studied.
In this dissertation, we conduct a systematic study of Enumerated Authorization Policy (EAP) for ABAC. We have developed a representative, simple EAP ABAC model—EAP-ABAC1;1. For the sake of clarity and emphasis on the different elements of the model, we present EAP-ABAC1;1 as a family of models. We have investigated how the defined models compare to other existing EAP models. We also demonstrate the capability of the defined models by configuring the traditional LBAC and RBAC models in them.
We compare the theoretical expressive power of EAP based ABAC models to that of logical-formula authorization policy ABAC models. In this regard, we present a finite-attribute, finite-domain ABAC model for enumerated authorization policies and investigate its relationship with logical-formula authorization policy ABAC models in the finite domain. We show that these models (EAP-ABAC and LAP-ABAC) are equivalent in their theoretical expressive power. We also show that single-attribute and multi-attribute ABAC models are equally expressive.
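The finite-domain equivalence described above, as an added example (not the dissertation's own code): a logical-formula policy over one user attribute and one object attribute is enumerated into an explicit set of allowed value pairs, and the enumeration is mapped back to a formula. The clearance/classification domains and the LBAC-style read-down/write-up rules are constructed for this example.

```python
from itertools import product

# Constructed finite domains: one user attribute (clearance) and one object
# attribute (classification). Names and values are assumptions for this example.
CLEARANCE = ("unclassified", "confidential", "secret")
CLASSIFICATION = ("unclassified", "confidential", "secret")
RANK = {v: i for i, v in enumerate(CLEARANCE)}  # total order used by the LBAC rules

# Logical-formula authorization policy (LAP): one predicate per permission,
# evaluated on (user attribute value, object attribute value).
LAP = {
    "read": lambda u, o: RANK[u] >= RANK[o],   # simple-security property (read down)
    "write": lambda u, o: RANK[u] <= RANK[o],  # *-property (write up)
}

def enumerate_policy(lap, udom, odom):
    """Formula -> enumeration: for each permission, materialise the set of
    (u, o) value pairs the formula accepts. Finite domains make this total."""
    return {perm: frozenset((u, o) for u, o in product(udom, odom) if rule(u, o))
            for perm, rule in lap.items()}

def formula_from_eap(eap, perm):
    """Enumeration -> formula: a disjunction of (uatt=u AND oatt=o) conjunctions."""
    return " OR ".join(f"(uatt={u} AND oatt={o})" for u, o in sorted(eap[perm]))

def eap_authorized(eap, perm, u, o):
    """EAP decision: membership of the attribute-value pair in the enumeration."""
    return (u, o) in eap.get(perm, frozenset())

def lap_authorized(lap, perm, u, o):
    """LAP decision: evaluate the permission's predicate."""
    return perm in lap and lap[perm](u, o)

def policies_agree(lap, eap, udom, odom):
    """Both representations must yield identical decisions for every permission
    and every attribute-value pair in the finite domains."""
    return all(lap_authorized(lap, p, u, o) == eap_authorized(eap, p, u, o)
               for p in lap for u, o in product(udom, odom))

EAP = enumerate_policy(LAP, CLEARANCE, CLASSIFICATION)
```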
As proofs of concept, we demonstrate how EAP ABAC models can be enforced in different application contexts. We have designed an enhanced EAP-ABAC1;1 model to protect JSON documents. While most existing XML protection models consider only the hierarchical structure of the underlying data, we additionally identify two more inherent characteristics of data, semantic association and scatteredness, and consider them in the design. Finally, we have outlined how EAP-ABAC1;1 can be used in OpenStack Swift to enhance its “all/no access” paradigm to “policy-based selective access”.