Attribute-Based Administration of Role-Based Access Control
Role-Based Access Control (RBAC) is an operational model in which a user who wants to access an object does so by activating roles that are assigned to her, which in turn activates the permissions associated with those roles. This indirection makes it easy to designate permissions to users.
Administrative Role-Based Access Control (ARBAC) models deal with the administration of RBAC. ARBAC is primarily concerned with how to manage user-role assignments (URA), permission-role assignments (PRA), and role-role assignments (RRA). A wide variety of approaches have been proposed in the literature for URA, PRA, and RRA. In each of these models, only one or two static properties of the entities involved, such as users and permissions, are used in making assignment decisions. For example, in one of the prior models, a user's initial membership or non-membership in a role qualifies that user for further role assignment. In another, a permission's association with either a role or an organizational unit in an organizational structure allows that permission to be assigned to another role. These models make plausible arguments for URA, PRA, or RRA assignments. However, a unified approach that allows checking for all or a combination of such policies, while allowing the administrator to introduce new policies, remains to be explored.
This dissertation conducts a thorough study on developing administrative models that take a unified approach, one that can dynamically incorporate the properties used to make assignment decisions. An attribute-based access control (ABAC) approach is taken to develop each model for enhanced URA, PRA, and RRA. There is significant prior work in the ARBAC domain. A set of such models is studied, namely Administrative RBAC '97 (ARBAC97), Administrative RBAC '99 (ARBAC99), Administrative RBAC '02 (ARBAC02), A Unified Administrative Model for Role-Based Access Control (Uni-ARBAC), and Unnamed ARBAC (UARBAC). From each of these models, the URA, PRA, and RRA techniques are studied, and corresponding assignment models are developed that yield a family of models for Attribute-Based Administration of RBAC (AARBAC). They are called attribute-based user-role assignment (AURA), attribute-based permission-role assignment (ARPA), and attribute-based role-role assignment (ARRA), respectively. These models are sufficient to unify the URA, PRA, and RRA approaches exhibited in the prior models. For each attribute-based model, a translation algorithm is developed that takes any instance of the prior model as its input and maps it into the corresponding instance of the attribute-based assignment approach.
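To make the idea of translating a static rule into an attribute-based one concrete, here is a simplified sketch added for illustration; it is not the dissertation's AURA model or its translation algorithm. The tuple layout, the `AttrRule` class, the attribute names `aroles`, `roles` and `dept`, and the role names are assumptions, and role hierarchies are left out.

```python
from dataclasses import dataclass

# Constructed ARBAC97-style can_assign tuples (role names are sample values):
# (admin role, roles the user must hold, roles the user must not hold, targets)
CAN_ASSIGN_97 = [
    ("PSO1", {"ED"}, {"QE1"}, {"PE1"}),
    ("PSO1", {"ED"}, {"PE1"}, {"QE1"}),
    ("DSO", {"ED"}, set(), {"PL1"}),
]

@dataclass
class AttrRule:
    """Hypothetical attribute rule: conditions map attribute name -> value set."""
    target_role: str
    admin_needs: dict
    user_needs: dict
    user_lacks: dict

def translate(can_assign):
    """Re-express each static tuple as one attribute rule per target role."""
    return [AttrRule(role, {"aroles": {admin}}, {"roles": set(req)}, {"roles": set(forb)})
            for admin, req, forb, targets in can_assign for role in sorted(targets)]

def _holds(attrs, needs):
    return all(vals <= attrs.get(name, set()) for name, vals in needs.items())

def _avoids(attrs, lacks):
    return all(not (vals & attrs.get(name, set())) for name, vals in lacks.items())

def authorized(rules, admin_attrs, user_attrs, role):
    """Deny by default; allow only if some rule for `role` is fully satisfied."""
    return any(r.target_role == role
               and _holds(admin_attrs, r.admin_needs)
               and _holds(user_attrs, r.user_needs)
               and _avoids(user_attrs, r.user_lacks)
               for r in rules)

def assign(rules, admin_attrs, user_attrs, role):
    """Perform the user-role assignment only when it is authorized."""
    if not authorized(rules, admin_attrs, user_attrs, role):
        return False
    user_attrs.setdefault("roles", set()).add(role)
    return True

if __name__ == "__main__":
    rules = translate(CAN_ASSIGN_97)
    # New policy added without changing the model: it also tests a 'dept' attribute.
    rules.append(AttrRule("PL1", {"aroles": {"PSO1"}}, {"roles": {"PE1"}, "dept": {"eng"}}, {}))
    admin, alice = {"aroles": {"PSO1"}}, {"roles": {"ED"}, "dept": {"eng"}}
    for role in ("PE1", "QE1", "PL1"):
        print(role, assign(rules, admin, alice, role))
```

The translated rules only inspect the `roles` attribute, which reproduces the membership and non-membership tests of the static tuples; the appended rule shows a policy over a further attribute being added without touching the evaluation logic.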
Finally, among all the theoretical attribute-based administration models that are developed, AURA is chosen to demonstrate the advantage of the attribute-based approach in user-role assignment, by applying it as a proof of concept in the identity service of the OpenStack Infrastructure as a Service (IaaS) cloud. This implementation demonstrates the flexibility and policy specification power brought by the attribute-based approach. A performance evaluation is conducted to compare the time variation with and without attributes using different test cases.