Abstract

There are two major techniques for specifying authorization policies in Attribute Based Access Control (ABAC) models. The more conventional approach is to define policies by using logical formulas involving attribute values. Examples in this category include ABACα, HGABAC and XACML. The alternate technique for expressing policies is by enumeration. Policy Machine (PM) and 2-sorted-RBAC fall into the later category. In this paper, we present an ABAC model named LaBAC (Label-Based Access Control) which adopts the enumerated style for expressing authorization policies. LaBAC can be viewed as a particularly simple instance of the Policy Machine. LaBAC uses one user attribute (uLabel) and one object attribute (oLabel). An authorization policy in LaBAC for an action is an enumeration using these two attributes. Thus, LaBAC can be considered as a bare minimum ABAC model. We show equivalence of LaBAC and 2-sorted-RBAC with respect to theoretical expressive power. Furthermore, we show how to configure the traditional RBAC (Role-Based Access Control) and LBAC (Lattice-Based Access Control) models in LaBAC to illustrate its expressiveness.

Links

• ACM

Citation

Biswas, P., Sandhu, R., Krishnan, R., 2016. Label-Based Access Control: An ABAC Model with Enumerated Authorization Policy, in: Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control - ABAC ’16. Presented at the the 2016 ACM International Workshop, ACM Press, New Orleans, Louisiana, USA, pp. 1–12. https://doi.org/10/gh2xpj