Inter-ReBAC: Inter-operation of Relationship-Based Access Control Model Instances

Jason Crampton, James Sellwood

Research output: Chapter in Book/Report/Conference proceedingConference contribution

101 Downloads (Pure)


Relationship-based access control (ReBAC) models, where authorization policies and decisions are made using the relationships which exist between the entities of a modelled system, have attracted considerable attention in recent years. ReBAC can now be applied to general computing environments more diverse and complex than the social networking applications in which ReBAC was first studied. However, up until now ReBAC models have only considered the evaluation of requests made within a single system, and therefore within a single instance of a model.

We present a framework through which model instances can inter-operate, such that requests initiated in one system may target resources in a second system. Further, our framework is able to support requests passing through a chain of inter-connected systems, thus enabling many systems to be connected together or a single large system to be decomposed into numerous component subsystems. We choose to develop an inter-operation framework for the RPPM model defined by Crampton and Sellwood. RPPM supports the modelling of general computing environments, to which inter-operation is highly relevant, and employs security principals and a two step authorization process, which are naturally suited to the partitioning of access control processes. However, the underlying motivation and approach of this work are applicable to other relationship-based access control models, although alternative implementations may be required depending on a model's capabilities.
Original languageEnglish
Title of host publicationData and Applications Security and Privacy XXX
Number of pages10
ISBN (Electronic)978-3-319-41483-6
ISBN (Print)978-3-319-41482-9
Publication statusE-pub ahead of print - 2 Jul 2016
Event30th IFIP WG 11.3 Conference on Data and Applications Security, DBSec 2016 - Trento, Italy
Duration: 18 Jul 201620 Jul 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN (Print)03029743
ISSN (Electronic)16113349


Conference30th IFIP WG 11.3 Conference on Data and Applications Security, DBSec 2016


  • Access control
  • Authorization
  • Path condition
  • Policy graph
  • Principal activation
  • Principal matching
  • Relationship
  • Secure inter-operation

Cite this