Role templates for content-based access control

Giuri, Luigi; Iglio, P.

doi:10.1145/266741.266773

Cited by 122 publications

(66 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The main difference between this work and these four is our focus on attributebased tree-structured policy templates supported by a concrete policy language, the generalization of policy templates into policy modules and the validation of the potential of policy templates. In addition to these authors, templates have also been discussed in the evolution from role-based access control (RBAC, [7]) to ABAC (e.g., [9,13]). Such role templates were eventually generalized into attribute-based policies, for which STAPL in turn introduces policy templates.…”

Section: Related Work and Discussionmentioning

confidence: 99%

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Decat

Moeys

Lagaisse

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Access control is key to limiting the actions of users in an application and attribute-based policy languages such as XACML allow to express a wide range of access rules. As these policy languages become more widely used, policies grow both in size and complexity. Modularity and reuse are key to specifying and managing such policies effectively. Ideally, complex or domain-specific policy patterns are defined once and afterwards instantiated by security experts in their application-specific policies. However, current policy languages such as XACML provide only limited features for modularity and reuse. To address this issue, we introduce policy templates as part of a novel attribute-based policy language called STAPL. Policy templates are policies containing unbound variables that can be specified when instantiating the template in another policy later on. STAPL supports four types of policy templates with increasing complexity and expressiveness. This paper illustrates how these policy templates can be used to define reusable policy patterns and validates that policy templates are an effective means to simplify the specification of large and complex attribute-based policies.

show abstract

Section: Related Work and Discussionmentioning

confidence: 99%

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Decat

Moeys

Lagaisse

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…The database community has also addressed the enforcement of instance-level access control policies (e.g., [12,26,20,22]). In particular, [12] extends RBAC with parameterized role templates, where the parameters of a template refer to database columns or constants and serve a similar function as our role parameters.…”

Section: Related Workmentioning

confidence: 99%

“…In particular, [12] extends RBAC with parameterized role templates, where the parameters of a template refer to database columns or constants and serve a similar function as our role parameters. Implementing fine-grained access control policies at the database level has two key advantages: one can define policies directly on the data to be protected and the filtering of records can be integrated with query optimization.…”

Section: Related Workmentioning

confidence: 99%

Fine-Grained Access Control with Object-Sensitive Roles

Fischer

Marino

Majumdar

et al. 2009

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Role-based access control (RBAC) is a common paradigm to ensure that users have sufficient rights to perform various system operations. In many cases though, traditional RBAC does not easily express application-level security requirements. For instance, in a medical records system it is difficult to express that doctors should only update the records of their own patients. Further, traditional RBAC frameworks like Java's Enterprise Edition rely solely on dynamic checks, which makes application code fragile and difficult to ensure correct. We introduce Object-sensitive RBAC (ORBAC), a generalized RBAC model for object-oriented languages. ORBAC resolves the expressiveness limitations of RBAC by allowing roles to be parameterized by properties of the business objects being manipulated. We formalize and prove sound a dependent type system that statically validates a program's conformance to an ORBAC policy. We have implemented our type system for Java and have used it to validate fine-grained access control in the OpenMRS medical records system.

show abstract

“…Since then there are many extended proposals for modeling fine-grained access control. We have role-templates [10], domain-type enforcement [2], content-based [20], team-based [9], and instance-level [11], just to name a few. Basically, they all attempt to base access control constraints on some more detailed relationships among the user, the function requested, and the data to be accessed, as we did here.…”

Section: Related Workmentioning

confidence: 99%

A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

Chen

Huang

2005

Information Security Practice and Experience

View full text Add to dashboard Cite

Abstract. Access control is a system-wide concern that has both a generic nature and an application dependent characteristic. It is generic as many functions must be protected with restricted access, yet the rule to grant a request is highly dependent on the application state. Hence it is common to see the code for implementing access control scattered over the system and tangled with the functional code, making the system difficult to maintain. This paper addresses this issue for Web applications by presenting a practical access control framework based on aspect-oriented programming (AOP). Our approach accommodates a wide range of access control requirements of different granularity. AOP supports the modular implementation of access control while still enables the code to get a hold of the application state. Moreover, framework technology offers a balanced view between reuse and customization. As a result, our framework is able to enforce fine-grained access control for Web applications in a highly adaptable manner.

show abstract

Role templates for content-based access control

Cited by 122 publications

References 5 publications

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Improving Reuse of Attribute-Based Access Control Policies Using Policy Templates

Fine-Grained Access Control with Object-Sensitive Roles

A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

Contact Info

Product

Resources

About