World-Leading Research with Real-World Impact!
Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy
Prosunjit Biswas, Ravi Sandhu and Ram Krishnan
University of Texas at San Antonio
Institute for Cyber Security
1st Workshop on Attribute Based Access Control (ABAC 2016)
Outline
- Summary
- Background & motivation
- Enumerated authorization policy ABAC model
- Relationship with existing models
- Expressive power of LaBAC
- Conclusion
Summary
- We present an enumerated authorization policy ABAC model and study its relationship with traditional access control models.
Background and Motivation
Two forms of authorization policy
- Logical formula: a Boolean expression, e.g. age(u) > 18. Models: ABACα, HGABAC.
- Enumerated: a set of tuples, e.g. {(age(u), 19), (age(u), 20), ..., (age(u), 100)} [assuming range upper bound <= 100]. Models: Policy Machine, 2-sorted-RBAC.
Logical-formula Auth. Policy
Many ways to set up a policy: Auth_read
(Auth_read allows a manager to read TS objects from home or office.)
Logical-formula Auth. Policy
Update Auth_read so that a manager can no longer read TS objects from home.
Enumerated Auth. Policy
- Auth_read = {(mng, home, TS), (mng, office, TS)}
- Auth'_read = {(mng, office, TS)}  (the tuple (mng, home, TS) is removed, so the manager can no longer read TS objects from home)
Logical formula vs enumerated policy

        Logical-formula authorization policy   Enumerated authorization policy
Pros    Rich & flexible                        Homogeneous
        Easy to set up                         Micro policy
        Concise                                Easy to update
Cons    Difficult to update                    Large in size
        Monolithic                             Difficult to set up
        Heterogeneous
LaBAC: Label-Based Access Control
Characteristics
- Label vs attribute: labels are attributes with tighter semantics
- Salient features of LaBAC: finite-domain ABAC; a simple enumerated ABAC model
Family of LaBAC models
LaBAC: Core model
Examples
- UL = {manager, employee}
- OL = {TS, S}
- Tuple1 = (manager, TS)
- Policy_read = {Tuple1, Tuple2}
Salient characteristics:
1. One user attribute and one object attribute
2. Atomic-valued tuples
3. Tuples represent micro-policies
[Figures 1 and 2: core model diagrams]
LaBAC: Hierarchical model
Examples
- ULH = {(manager, employee)}
- OLH = {(protected, public)}
- Policy_a = {(employee, protected)}
- ImpliedPolicy_a = {(employee, protected), (manager, protected), (employee, public), (manager, public)}
[Figures 1 and 2: hierarchical model diagrams]
LaBAC: Constrained model
Examples
- uLabel assignment constraint: a user cannot be both manager and director.
- Session assignment constraint: at most one value can be activated in a session.
- oLabel assignment constraint: an object cannot be both private and public.
- Policy constraint: (employee, TS) can never be used.
[Figure 1: constrained model diagram]
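An added example (my own Python, not code from the paper or its authors) that runs the three LaBAC variants above on the slide data: the core tuple check, the hierarchical implied-policy closure, and the assignment and policy constraint checks. Function names and the reading of ULH/OLH pairs as (senior, junior) are my assumptions.

```python
from itertools import product

def juniors_of(hierarchy, labels):
    """Map each label to itself plus every label below it, given the
    hierarchy as (senior, junior) pairs (a transitive closure)."""
    below = {lab: {lab} for lab in labels}
    for senior, junior in hierarchy:
        below[senior].add(junior)
    changed = True
    while changed:
        changed = False
        for lab in labels:
            reach = set().union(*(below[x] for x in below[lab]))
            if not reach <= below[lab]:
                below[lab] |= reach
                changed = True
    return below

def implied_policy(policy, ulabels, olabels, ulh, olh):
    """Hierarchical LaBAC: (u, o) in the policy implies (u', o') for every
    user label u' senior to (or equal to) u and every object label o'
    junior to (or equal to) o, matching the slide's ImpliedPolicy_a."""
    ubelow, obelow = juniors_of(ulh, ulabels), juniors_of(olh, olabels)
    implied = set()
    for u, o in policy:
        seniors = {x for x in ulabels if u in ubelow[x]}
        implied |= set(product(seniors, obelow[o]))
    return implied

def authorized(user_labels, object_labels, policy):
    """Core LaBAC check: access is granted when some (user label, object
    label) pair of the request is an enumerated tuple of the policy."""
    return any((u, o) in policy for u in user_labels for o in object_labels)

def violations(user_labels, object_labels, policy, u_excl, o_excl, forbidden):
    """Constrained LaBAC: report mutually exclusive label sets that are
    both assigned, and policy tuples that are declared never usable."""
    out = []
    if u_excl <= user_labels:
        out.append("user holds exclusive labels " + ",".join(sorted(u_excl)))
    if o_excl <= object_labels:
        out.append("object holds exclusive labels " + ",".join(sorted(o_excl)))
    out += ["forbidden tuple %r in policy" % (t,) for t in sorted(policy & forbidden)]
    return out

# Slide examples (hierarchy pairs are (senior, junior), my assumption).
UL, OL = {"manager", "employee"}, {"protected", "public", "TS", "S"}
POLICY_A = implied_policy({("employee", "protected")}, UL, OL,
                          {("manager", "employee")}, {("protected", "public")})
```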
Relationship of LaBAC with other enumerated policy models
LaBAC equivalent to 2-sorted-RBAC
[Figure 1: 2-sorted-RBAC; Figure 2: LaBAC]
2-sorted-RBAC vs LaBAC:
1. Use of attributes
2. Separation of object and action from permission
LaBAC as an instance of Policy Machine
- Policy Machine mini
- Only the ASSIGN and ASSOCIATION relations
- Default policy class
- Configuration of LaBAC in Policy Machine mini
Flexibility in expressing traditional models
Expressiveness of LaBAC models
LBAC in LaBAC
LBAC assumptions:
1. Tranquility
2. Object operation: creation only
Micro-policy in LaBAC
- A micro-policy is the smallest unit of administration
- Example of a micro-policy: (manager, TS)
What is next
- Are there other forms of representation for authorization policy?
- How does the expressive power of enumerated authorization policy compare with that of logical-formula authorization policy?
- What would be the cost of storing a large number of enumerated tuples?