Access control for online social networks using relationship type patterns
Users and resources in online social networks (OSNs) are interconnected via various types of relationships. User-to-user (U2U) relationships form the basis of the OSN structure, the social graph, and play a significant role in specifying and enforcing access control. In fact, U2U relationship-based access control (ReBAC) has been adopted as the most prevalent approach for access control in OSNs, where authorization is typically made by tracking the existence of U2U relationships of certain types and/or depth between the access requester and the resource owner. We propose a novel ReBAC model for OSNs that incorporates different types of relationships and utilizes regular expression notation for policy specification, namely UURAC (User-to-User Relationship-based Access Control). Authorization policies are defined in terms of the patterns of relationship paths on the social graph and the hopcount limit of the path. In addition, two path checking algorithms are developed to determine whether the required relationship path for a given access request exists, and proofs of correctness and complexity analysis for the algorithms are provided. The UURAC model is implemented and evaluated to validate our approach. We subsequently integrate attribute-based policies into relationship-based access control. The proposed attribute-aware ReBAC enhances access control capability and allows finer-grained controls that are not otherwise available in ReBAC. Today's OSN applications allow various user activities that cannot be controlled by using U2U relationships alone. To enable a comprehensive ReBAC mechanism, we develop the URRAC (User-to-Resource Relationship-based Access Control) model to exploit user-to-resource (U2R) and resource-to-resource (R2R) relationships in addition to U2U relationships for authorization decisions.
While most of today's access control solutions for OSNs only focus on controlling users' normal usage activities, the URRAC model also captures controls on users' administrative activities. Simple specifications of conflict resolution policies are provided to resolve potential conflicts among authorization policies. The objective of this research is to demonstrate that greater generality and flexibility in policy specification and effective access evaluation can be achieved in OSNs using relationship type patterns and attributes.
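As an added illustration of the UURAC idea (this is example code, not the thesis's own implementation or policy language), the following bounded depth-first search decides whether a U2U relationship path from the requester to the resource owner exists whose sequence of relationship types matches a regular-expression pattern within a hopcount limit. The social graph, the single-letter type codes (f = friend, c = colleague) and the policy shape `(pattern, hopcount)` are assumptions made for this example.

```python
import re

# Constructed sample social graph: user -> list of (neighbour, relationship type).
# Edges are stored in both directions; type codes are an assumption of this example.
SOCIAL_GRAPH = {
    "alice": [("bob", "f"), ("carol", "c")],
    "bob":   [("alice", "f"), ("dave", "f")],
    "carol": [("alice", "c"), ("erin", "c")],
    "dave":  [("bob", "f"), ("erin", "c")],
    "erin":  [("carol", "c"), ("dave", "c")],
}


def path_exists(graph, start, target, pattern, hopcount):
    """Return True if a simple path of at most `hopcount` edges leads from
    `start` to `target` and its relationship-type string fully matches `pattern`.
    The hopcount bound keeps the search finite and cheap even on dense graphs."""
    regex = re.compile(pattern)
    # Each stack entry: (current node, relationship types taken so far, visited nodes)
    stack = [(start, "", frozenset([start]))]
    while stack:
        node, types, visited = stack.pop()
        if node == target and node != start:
            if regex.fullmatch(types):
                return True
            continue  # reached the target on a non-matching path; do not extend it
        if len(types) >= hopcount:
            continue  # hopcount limit reached for this branch
        for neighbour, rtype in graph.get(node, ()):
            if neighbour not in visited:  # simple paths only: never revisit a node
                stack.append((neighbour, types + rtype, visited | {neighbour}))
    return False


def authorize(graph, requester, owner, policy):
    """A policy is a list of (pattern, hopcount) alternatives; any satisfied
    alternative grants access, otherwise access is denied by default."""
    return any(path_exists(graph, requester, owner, pat, hops) for pat, hops in policy)


if __name__ == "__main__":
    # "friends of friends within 2 hops" lets alice reach dave via bob.
    print(authorize(SOCIAL_GRAPH, "alice", "dave", [("f{1,2}", 2)]))
    # The same relationship pattern is denied when the hopcount limit is too small.
    print(path_exists(SOCIAL_GRAPH, "alice", "erin", "f*c", 2))
```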