Analysis of the methods for attribute-based access control | Prikladnaya Diskretnaya Matematika - Applied Discrete Mathematics. 2019. № 44. DOI: 10.17223/20710410/44/4

The paper gives an analytical overview of the basic models and methods of access control, from the traditional ones (DAC, MAC, RBAC) to the latest developments: numerous models implementing attribute-based access control (ABAC). The typed attribute-based access control (TAAC) model, currently under development, is described. The following disadvantages of the traditional models are pointed out: identification of entities by unique names; redundancy of access rights (“coarse-grained access control”); difficulty in managing a large number of users; operation in closed environments; inability to use integrated security policies; lack of built-in administration tools. It is found that, to ensure the safe sharing of information resources in both local and global computing environments, access control models must meet the requirements of universality, flexibility and ease of administration while performing the following tasks: identification of entities by several features for fine-grained access control; design and use of multiple access control policies to implement the “multiple policy” paradigm and adapt the system to work in various environments; administration as a means of dynamic policy modeling and convenient privilege management for a large number of users. The advantages and disadvantages of different types of ABAC models are considered. The advantages are: identification of entities by sets of attributes; “fine-grained access control”; flexibility and expressiveness of model specification languages; the possibility of creating new methods of access control and modeling traditional ones; relative ease of administration; management of privileges of groups of users. The main disadvantage of ABAC is the complexity of calculating attribute values.
It is shown that the TAAC models meet the above requirements and provide the following: “fine-grained access control” by identifying entities with sets of typed attributes; a decrease in complexity and an increase in speed of calculations; management of privileges of hierarchical groups of subjects and objects; dynamic policy construction; multi-criteria access control.
  • Title Analysis of the methods for attribute-based access control
  • Publisher Tomsk State University
  • Issue Prikladnaya Diskretnaya Matematika - Applied Discrete Mathematics 44
  • Date:
  • DOI 10.17223/20710410/44/4
Keywords
attribute-based access control (ABAC), typed attribute-based access control (TAAC), DAC, MAC, RBAC, access control policy, specification language, syntax, semantics, modeling
Authors