An Administrative Model for Relationship-Based Access Control

Stoller, Scott D.

doi:10.1007/978-3-319-20810-7_4

Cited by 9 publications

(17 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The most comprehensive administrative model for ReBAC was introduced by Stoller () to perform administrative operations within the formalization of Crampton and Sellwood (, ). The model classifies the administrative operations into four classes: Additions and deletions of relationships edges Additions and deletions of objects Additions and deletions of policies Setting of systemwide defaults and conflict‐resolution strategies …”

Section: Administrative Operationsmentioning

confidence: 99%

“…Policies associated with add _ obj can refer to s and o 2 but not o 1 . Stoller () does not ask anything about n r , but since every object must have a type, this edge can be to the type_of relationship and o 2 the type of o 1 .…”

Section: Administrative Operationsmentioning

confidence: 99%

“…Moreover, if a policy π 2 applies to a request ( s , add _ pol , π 1 ) then, the request is granted if under any consistent protection state π 1 implies π 2 . Stoller () describes a method to perform this checking for the policy specification language of Crampton and Sellwood (). But, checking this implication seems very similar to the problem of query containment in relational databases, which is a computationally hard problem in most cases (Florescu, Levy, & Suciu, ).…”

Section: Administrative Operationsmentioning

confidence: 99%

See 2 more Smart Citations

Relationship‐based access control: More than a social network access control model

Lobo

2018

WIREs Data Min & Knowl

View full text Add to dashboard Cite

show abstract

Section: Administrative Operationsmentioning

confidence: 99%

Section: Administrative Operationsmentioning

confidence: 99%

Section: Administrative Operationsmentioning

confidence: 99%

See 1 more Smart Citation

Relationship‐based access control: More than a social network access control model

Lobo

2018

WIREs Data Min & Knowl

View full text Add to dashboard Cite

show abstract

“…All the models reviewed so far are operational models. Recently a number of ReBAC administrative models have also been proposed for general purpose ReBAC [19,25,49] which consider graph dynamics such as adding/deleting nodes (entities) and or edges (relationships). In particular, [19] introduces the concept of dependent edge in ReBAC and considering dependencies during edge deletion.…”

Section: Rebac Beyond Online Social Environmentmentioning

confidence: 99%

Classifying and Comparing Attribute-Based and Relationship-Based Access Control

Ahmed

Sandhu

Park

2017

Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

Attribute-based access control (ABAC) expresses authorization policy via attributes while relationship-based access control (ReBAC) does so via relationships. While ABAC concepts have been around for a long time, ReBAC is relatively recent emerging with its essential application in online social networks. Even as ABAC and ReBAC continue to evolve, there are conflicting claims in the literature regarding their comparison. It has been argued that ABAC can subsume ReBAC since attributes can encode relationships. Conversely there are claims that the multilevel (or indirect) relations of ReBAC bring fundamentally new capabilities. So far there is no rigorous comparative study of ABAC vis a vis ReBAC.This paper presents a comparative analysis of ABAC and ReBAC, and shows how various ReBAC features can be realized with different types of ABAC. We first identify several attribute types such as entity/non-entity and structured attributes that significantly influence ABAC or ReBAC expressiveness. We then develop a family of ReBAC models and a separate family of ABAC models based on the identified attribute types, with the goal of comparing the expressive power of these two model families. Further, we identify different dynamics of the models that are crucial for model comparison. We also consider different solutions for representing multilevel relationships with attributes. Finally, the ABAC and ReBAC model families are compared in terms of relative expressiveness and performance implications.

show abstract

“…The main contribution of Rizvi et al [30] lies in the implementation of ReBAC in a medical record system, where administrative actions regarding relationship edges are addressed in terms of security preconditions and execution effects. Stoller's RPPM 2 model [33], on the other hand, focuses on policy specifications and provides a complete coverage of ReBAC administration, including changes on entities, edges, and policies.…”

Section: Introductionmentioning

confidence: 99%

Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support

Cheng

Bijon²,

Sandhu

2016

Proceedings of the 21st ACM on Symposium on Access Control Models and Technologies

View full text Add to dashboard Cite

Relationship-based access control (ReBAC) has been widely studied and applied in the domain of online social networks, and has since been extended to domains beyond social. Using ReBAC itself to manage ReBAC also becomes a natural research frontier, where we have two ReBAC administrative models proposed recently by Rizvi et al. [30] and Stoller [33]. In this paper, we extend these two ReBAC administrative models in order to apply ReBAC beyond online social networks, particularly where edges can have dependencies with each other and authorization for certain administrative operations requires provenance information. Basically, our policy specifications adopt the concepts of enabling precondition and applicability preconditions from Rizvi et al. [30]. Then, we address several issues that need to be considered in order to properly execute operation effects, such as cascading revocation and integrity constraints on the relationship graph. With these extended features, we show that our administrative models can provide the administration capability of the MT-RBAC model originally designed for multi-tenant collaborative cloud systems [34].

show abstract

An Administrative Model for Relationship-Based Access Control

Cited by 9 publications

References 16 publications

Relationship‐based access control: More than a social network access control model

Relationship‐based access control: More than a social network access control model

Classifying and Comparing Attribute-Based and Relationship-Based Access Control

Extended ReBAC Administrative Models with Cascading Revocation and Provenance Support

Contact Info

Product

Resources

About