Doctor of Philosophy
Osborn, Sylvia L.
Attribute-Based Access Control (ABAC) is a promising alternative to traditional models of access control (i.e. Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access control (RBAC)) that has drawn attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large-scale adoption is still in its infancy. The relatively recent popularity of ABAC still leaves a number of problems unexplored. Issues like delegation, administration, auditability, scalability, hierarchical representations, etc. have been largely ignored or left to future work. This thesis seeks to aid in the adoption of ABAC by filling in several of these gaps.
The core contribution of this work is the Hierarchical Group and Attribute-Based Access Control (HGABAC) model, a novel formal model of ABAC which introduces the concept of hierarchical user and object attribute groups to ABAC. It is shown that HGABAC is capable of representing the traditional models of access control (MAC, DAC and RBAC) using this group hierarchy and that in many cases it’s use simplifies both attribute and policy administration. HGABAC serves as the basis upon which extensions are built to incorporate delegation into ABAC.
Several potential strategies for introducing delegation into ABAC are proposed, categorized into families and the trade-offs of each are examined. One such strategy is formalized into a new User-to-User Attribute Delegation model, built as an extension to the HGABAC model. Attribute Delegation enables users to delegate a subset of their attributes to other users in an "off-line" manner (not requiring connecting to a third party).
Finally, a supporting architecture for HGABAC is detailed including descriptions of services, high-level communication protocols and a new low-level attribute certificate format for exchanging user and connection attributes between independent services. Particular emphasis is placed on ensuring support for federated and distributed systems. Critical components of the architecture are implemented and evaluated with promising preliminary results.
It is hoped that the contributions in this research will further the acceptance of ABAC in both academia and industry by solving the problem of delegation as well as simplifying administration and policy authoring through the introduction of hierarchical user groups.
Summary for Lay Audience
Traditionally, access control policies have been based on the direct assignment of permissions or roles to users based on the user's identity. For example, Alice is granted permission to use the printer or Bob is grated the role of "Manager" and mangers can view employee salaries. Attribute-Based Access Control (ABAC) is a new take on access control that is identityless (i.e. the identity of the user is unknown at the time of policy creation). Instead, ABAC bases access control decisions on the attributes of the users (e.g. age, year level, certificates, etc.), the environment (e.g. date/time, number of users on-line, etc.) and objects being access (e.g. author, date created, security level, etc.). These attributes are related by an access control policies, for example, "if the user is 18 years old or older they can read a book with an adult rating".
Basing access control decisions on attributes allows for increased flexibility when creating policies and enables new users to be placed into the system without assigning permissions or roles manually beforehand. However, as ABAC is relatively new, there are a number of issues that must be resolved before ABAC can see wider acceptance outside of academia. These issues include, but are not limited to, a lack of a delegation model, no support for user and object groups and no single agreement on a standard formal model of ABAC. The goal of this thesis is to produce potential solutions to these problems and thus aid in the adoption of ABAC.
A new ABAC model, entitled Hierarchical Group and Attribute-Based Access Control (HGABAC), is introduced which adds user and object groups to ABAC. It is shown that these groups can help both simplify administration of ABAC systems and allow HGABAC to be backwards compatible with traditional identity based policies. A delegation model is added that allows users to delegate a number of their attributes to other users. This delegation ability is important in many real-world scenarios including continuing business functions when an employee is absent. Lastly, a supporting architecture is provided to fill in the gaps and act as a bridge between the theoretical HGABAC model and a real-world implementation.
Servos, Daniel, "Hierarchical Group and Attribute-Based Access Control: Incorporating Hierarchical Groups and Delegation into Attribute-Based Access Control" (2020). Electronic Thesis and Dissertation Repository. 6855.