Policy Review in Attribute-Based Access Control




Lawal, Sherifdeen


Next Generation Access Control (NGAC), which is built on the NIST Policy Machine (PM), is an Attribute-Based Access Control (ABAC) framework that provides a structured and flexible way to express the conventional access control models. The authorization state of the Policy Machine is an annotated Directed Acyclic Graph (DAG) in which attributes of the same type are related hierarchically. Because of this structure, a given access can be authorized or revoked in several different ways, yet one or more limitations can make most of these ways inconsistent with existing policy. We propose a family of algorithms that gives the Policy Machine administrator a comprehensive list of all possible ways to authorize or revoke an access, derived by ABAC policy review, so that the administrator can make an informed decision before granting or revoking access. The work began with a pilot study of policy review for the authorization of one administrative access right, user assignment. It then evolved into a generic algorithm that reviews authorization policy for the other administrative access rights, and a thorough extension of the generic algorithm accommodates policy review for authorization with constraints and for revocation.

As blockchain use cases multiply, the methods and technologies used by fraudsters grow more sophisticated. The most notable form of attack exploits a weakness in the internal security of a blockchain system to gain illegal access to application services. A complex system such as a blockchain network requires a dynamic, flexible and scalable access control mechanism, and there have been many research efforts to implement blockchain-based access control with smart contracts. However, most of these contributions either focus on blockchain-based access control for off-chain resources or implement it for a specific domain. This dissertation presents the first implementation of the NIST NGAC (Policy Machine) system in a blockchain network. We use an instance of the Policy Machine to control access to assets in multiple blockchain ledgers, and we implement and evaluate the algorithms of this dissertation on the Hyperledger Fabric blockchain network.
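The two ideas the abstract leans on, the annotated DAG with hierarchical attributes and the fact that the same access can be granted in several ways that differ in their side effects, can be seen in a small model. The following Python is an added illustration written for this page; it is not code from the dissertation or from the NIST Policy Machine reference implementation. Its access decision follows the NGAC rule that every policy class containing the object must hold an association granting the right, and its policy-review query enumerates minimal user-assignment options for one user, which is a simplified stand-in for the dissertation's algorithms rather than a reproduction of them. Every element name and the sample policy are constructed for the example.

```python
"""Added illustration (not from the dissertation): a minimal NGAC-style policy
graph and a policy-review query for user assignment. All names are constructed."""
from itertools import combinations


class PolicyGraph:
    """Annotated DAG of users (U), user attributes (UA), objects (O), object
    attributes (OA) and policy classes (PC); assignment edges point child -> parent."""

    def __init__(self):
        self.kind = {}       # node -> 'U' | 'UA' | 'O' | 'OA' | 'PC'
        self.parents = {}    # node -> set of nodes it is assigned to
        self.assoc = []      # (user attribute, frozenset(rights), target attribute)
        self.rights = set()  # every access right named in some association

    def add(self, kind, *names):
        for n in names:
            self.kind[n] = kind
            self.parents.setdefault(n, set())

    def assign(self, child, *parents):
        self.parents[child].update(parents)

    def associate(self, ua, rights, target):
        self.assoc.append((ua, frozenset(rights), target))
        self.rights.update(rights)

    def contained_in(self, node):
        """node plus everything reachable by walking assignment edges upward."""
        seen, stack = set(), [node]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.parents[n])
        return seen

    def decide(self, user, right, obj):
        """NGAC decision: every policy class containing obj must hold an association
        granting `right` from one of the user's attributes to one of the object's."""
        u_anc, o_anc = self.contained_in(user), self.contained_in(obj)
        pcs = {n for n in o_anc if self.kind[n] == 'PC'}
        return bool(pcs) and all(
            any(ua in u_anc and right in rs and at in o_anc
                and pc in self.contained_in(at) for ua, rs, at in self.assoc)
            for pc in pcs)

    def privileges(self, user):
        objs = [n for n, k in self.kind.items() if k == 'O']
        return {(r, o) for r in self.rights for o in objs if self.decide(user, r, o)}

    def review_user_assignment(self, user, right, obj, max_new=2):
        """Minimal sets of user attributes which, if `user` were assigned to them,
        would grant (right, obj), each with every other privilege it also confers."""
        before = self.privileges(user)
        already = self.contained_in(user)
        candidates = sorted(n for n, k in self.kind.items()
                            if k == 'UA' and n not in already)
        options = []
        for size in range(1, max_new + 1):
            for combo in combinations(candidates, size):
                if any(set(found) <= set(combo) for found, _ in options):
                    continue                       # superset of a minimal option
                self.parents[user].update(combo)   # trial assignment ...
                try:
                    if self.decide(user, right, obj):
                        side = self.privileges(user) - before - {(right, obj)}
                        options.append((combo, sorted(side)))
                finally:
                    self.parents[user].difference_update(combo)  # ... rolled back
        return options


def sample_policy():
    """Constructed policy: an RBAC-style policy class and a data-classification
    policy class; salaries.xlsx is contained in both, so both must grant."""
    g = PolicyGraph()
    g.add('PC', 'RBAC', 'DataClass')
    g.add('UA', 'Staff', 'Engineer', 'Manager', 'PayrollStaff', 'Cleared')
    g.add('U', 'alice', 'bob')
    g.add('OA', 'CodeRepo', 'HRRecords', 'Confidential')
    g.add('O', 'design.doc', 'salaries.xlsx')
    for child, *ps in [('Staff', 'RBAC'), ('Engineer', 'Staff'),      # UA -> UA hierarchy
                       ('Manager', 'Staff'), ('PayrollStaff', 'Staff'),
                       ('Cleared', 'DataClass'), ('alice', 'Engineer'),
                       ('bob', 'Manager', 'Cleared'), ('CodeRepo', 'RBAC'),
                       ('HRRecords', 'RBAC'), ('Confidential', 'DataClass'),
                       ('design.doc', 'CodeRepo'), ('salaries.xlsx', 'HRRecords', 'Confidential')]:
        g.assign(child, *ps)
    g.associate('Engineer', {'read', 'write'}, 'CodeRepo')
    g.associate('Staff', {'read'}, 'CodeRepo')
    g.associate('PayrollStaff', {'read', 'write'}, 'HRRecords')
    g.associate('Manager', {'read'}, 'HRRecords')
    g.associate('Cleared', {'read', 'write'}, 'Confidential')
    return g


if __name__ == '__main__':
    g = sample_policy()
    print('alice read salaries.xlsx:', g.decide('alice', 'read', 'salaries.xlsx'))
    for combo, side in g.review_user_assignment('alice', 'read', 'salaries.xlsx'):
        print(f'assign alice to {combo}: also grants {side or "nothing else"}')
```

Running the block shows why a single user assignment cannot give alice read access to salaries.xlsx: the object sits in two policy classes and each must grant independently. Of the two minimal two-attribute options, assigning her to Cleared and Manager confers exactly the requested access, while Cleared and PayrollStaff also confers write access on the same file. That second kind of result, an otherwise valid grant that quietly widens access elsewhere, is the inconsistency with existing policy that a policy review is meant to surface before the administrator acts.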




Access Management, Attribute-Based Access Control, National Institute of Standards and Technology, Next Generation Access Control, Policy Authorization Graph, Privacy and Security



Electrical and Computer Engineering