TY - GEN
T1 - A framework integrating attribute-based policies into role-based access control
AU - Huang, Jingwei
AU - Nicol, David Malcolm
AU - Bobba, Rakesh
AU - Huh, Jun Ho
PY - 2012/7/25
Y1 - 2012/7/25
N2 - Integrated role-based access control (RBAC) and attribute-based access control (ABAC) is emerging as a promising paradigm. This paper proposes a framework that uses attribute-based policies to create a more traditional RBAC model. RBAC has been widely used, but has weaknesses: it is labor-intensive and time-consuming to build a model instance, and a pure RBAC system lacks the flexibility to adapt efficiently to changing users, objects, and security policies. In particular, it is impractical to manually make (and maintain) user-to-role assignments and role-to-permission assignments in an industrial context characterized by a large number of users and/or security objects. ABAC has features complementary to RBAC, and merging RBAC and ABAC has become an important research topic. This paper proposes a new approach to integrating ABAC with RBAC by modeling RBAC at two levels. The "aboveground" level is a standard RBAC model extended with "environment". This level retains the simplicity of RBAC, supporting RBAC model verification/review. The "underground" level is used to represent security knowledge in terms of attribute-based policies, which automatically create the simple RBAC model in the aboveground level. These attribute-based policies bring to RBAC the advantages of ABAC: they are easy to build and easy to adapt to changes. Using this framework, we tackle the problem of permission assignment for large-scale applications. This model is motivated by the characteristics and requirements of industrial control systems, and reflects in part certain approaches and practices common in the industry.
AB - Integrated role-based access control (RBAC) and attribute-based access control (ABAC) is emerging as a promising paradigm. This paper proposes a framework that uses attribute-based policies to create a more traditional RBAC model. RBAC has been widely used, but has weaknesses: it is labor-intensive and time-consuming to build a model instance, and a pure RBAC system lacks the flexibility to adapt efficiently to changing users, objects, and security policies. In particular, it is impractical to manually make (and maintain) user-to-role assignments and role-to-permission assignments in an industrial context characterized by a large number of users and/or security objects. ABAC has features complementary to RBAC, and merging RBAC and ABAC has become an important research topic. This paper proposes a new approach to integrating ABAC with RBAC by modeling RBAC at two levels. The "aboveground" level is a standard RBAC model extended with "environment". This level retains the simplicity of RBAC, supporting RBAC model verification/review. The "underground" level is used to represent security knowledge in terms of attribute-based policies, which automatically create the simple RBAC model in the aboveground level. These attribute-based policies bring to RBAC the advantages of ABAC: they are easy to build and easy to adapt to changes. Using this framework, we tackle the problem of permission assignment for large-scale applications. This model is motivated by the characteristics and requirements of industrial control systems, and reflects in part certain approaches and practices common in the industry.
KW - Attribute-based access control
KW - Industrial control systems
KW - RBAC
KW - Role engineering
UR - http://www.scopus.com/inward/record.url?scp=84864058232&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84864058232&partnerID=8YFLogxK
U2 - 10.1145/2295136.2295170
DO - 10.1145/2295136.2295170
M3 - Conference contribution
AN - SCOPUS:84864058232
SN - 9781450312950
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 187
EP - 196
BT - SACMAT'12 - Proceedings of the 17th ACM Symposium on Access Control Models and Technologies
T2 - 17th ACM Symposium on Access Control Models and Technologies, SACMAT'12
Y2 - 20 June 2012 through 22 June 2012
ER -
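The two-level structure described in the abstract, as an added illustration that is not code from the paper or its authors: attribute-based rules in the "underground" level are evaluated to generate the "aboveground" RBAC instance (the user-role set UA and the role-permission set PA), and only that derived instance, gated by an environment condition on role activation, is consulted at decision time. The attribute names, rules, users, objects and the "maintenance_window" environment flag are constructed sample data, not anything the paper specifies.

```python
"""Two-level RBAC/ABAC sketch in the spirit of Huang et al. (SACMAT'12).

Added illustration, not the paper's code. The "underground" level holds
attribute-based rules; evaluating them generates the "aboveground" RBAC
instance (UA and PA), which is the only thing the access check consults.
"Environment" is modelled as a condition on role activation. All attribute
names, rules, users and objects below are constructed sample data.
"""
from typing import Callable, Dict, Set, Tuple

Attrs = Dict[str, object]

# Constructed sample data: user and object attributes, as an identity store
# or asset inventory would supply them.
USERS: Dict[str, Attrs] = {
    "alice": {"dept": "ops", "cert": "plc-maint"},
    "bob":   {"dept": "ops", "cert": None},
    "carol": {"dept": "eng", "cert": "plc-maint"},
}
OBJECTS: Dict[str, Attrs] = {
    "plc-7": {"type": "plc"},
    "hmi-2": {"type": "hmi"},
}

# Underground level: attribute-based policies (hypothetical). Each user-role
# rule names a role and the user attributes that earn it; each role-permission
# rule names a (role, operation) pair and the object attributes it applies to.
USER_ROLE_RULES: Dict[str, Callable[[Attrs], bool]] = {
    "maintainer": lambda u: u["dept"] == "ops" and u["cert"] == "plc-maint",
    "operator":   lambda u: u["dept"] == "ops",
    "engineer":   lambda u: u["dept"] == "eng",
}
ROLE_PERM_RULES: Dict[Tuple[str, str], Callable[[Attrs], bool]] = {
    ("maintainer", "write"): lambda o: o["type"] == "plc",
    ("operator",   "read"):  lambda o: o["type"] in ("plc", "hmi"),
    ("engineer",   "read"):  lambda o: o["type"] == "plc",
}
# Environment conditions on role activation (hypothetical): a maintainer may
# only act during a declared maintenance window; other roles are unconstrained.
ENV_CONSTRAINTS: Dict[str, Callable[[Attrs], bool]] = {
    "maintainer": lambda env: bool(env.get("maintenance_window")),
}


def derive_rbac(users: Dict[str, Attrs], objects: Dict[str, Attrs]):
    """Generate the aboveground RBAC instance from the attribute-based rules.

    Returns (UA, PA): UA is a set of (user, role); PA a set of (role, op, obj).
    Re-running this after an attribute change re-derives the assignments,
    which is what removes the manual maintenance burden of plain RBAC.
    """
    ua: Set[Tuple[str, str]] = {
        (u, role) for u, a in users.items()
        for role, rule in USER_ROLE_RULES.items() if rule(a)
    }
    pa: Set[Tuple[str, str, str]] = {
        (role, op, o) for o, a in objects.items()
        for (role, op), rule in ROLE_PERM_RULES.items() if rule(a)
    }
    return ua, pa


def roles_of(ua, user: str):
    """Roles held by a user in the derived model; this is what a reviewer
    of the aboveground RBAC model would inspect."""
    return sorted(r for (u, r) in ua if u == user)


def check_access(ua, pa, user: str, op: str, obj: str, env: Attrs) -> bool:
    """Standard RBAC decision over the derived instance, plus environment.

    Grants iff the user holds some role that is active under `env` and that
    role carries (op, obj) in PA. User/object attributes are not consulted
    here at all; they were consumed when the instance was derived.
    """
    for role in roles_of(ua, user):
        active = ENV_CONSTRAINTS.get(role, lambda _e: True)
        if active(env) and (role, op, obj) in pa:
            return True
    return False


if __name__ == "__main__":
    ua, pa = derive_rbac(USERS, OBJECTS)
    for u in USERS:
        print(u, roles_of(ua, u))
    print(check_access(ua, pa, "alice", "write", "plc-7", {"maintenance_window": True}))
    # Bob earns a certification: regenerate the model instead of editing UA by hand.
    USERS["bob"]["cert"] = "plc-maint"
    ua, pa = derive_rbac(USERS, OBJECTS)
    print("bob", roles_of(ua, "bob"))
```

The point of the split is visible in `check_access`: it is a plain RBAC decision over sets, so the aboveground model stays small enough to review, while every change to users or assets is absorbed by re-running `derive_rbac` rather than by hand-editing assignments.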