Inter-ReBAC : Inter-operation of Relationship-Based Access Control Model Instances. / Crampton, Jason; Sellwood, James.
Data and Applications Security and Privacy XXX. Vol. 9766 Springer-Verlag, 2016. p. 96-105 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9766). Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Inter-ReBAC
T2 - 30th IFIP WG 11.3 Conference on Data and Applications Security, DBSec 2016
AU - Crampton, Jason
AU - Sellwood, James
PY - 2016/7/2
Y1 - 2016/7/2
N2 - Relationship-based access control (ReBAC) models, where authorization policies and decisions are made using the relationships which exist between the entities of a modelled system, have attracted considerable attention in recent years. ReBAC can now be applied to general computing environments more diverse and complex than the social networking applications in which ReBAC was first studied. However, up until now ReBAC models have only considered the evaluation of requests made within a single system, and therefore within a single instance of a model. We present a framework through which model instances can inter-operate, such that requests initiated in one system may target resources in a second system. Further, our framework is able to support requests passing through a chain of inter-connected systems, thus enabling many systems to be connected together or a single large system to be decomposed into numerous component subsystems. We choose to develop an inter-operation framework for the RPPM model defined by Crampton and Sellwood. RPPM supports the modelling of general computing environments, to which inter-operation is highly relevant, and employs security principals and a two-step authorization process, which are naturally suited to the partitioning of access control processes. However, the underlying motivation and approach of this work are applicable to other relationship-based access control models, although alternative implementations may be required depending on a model's capabilities.
AB - Relationship-based access control (ReBAC) models, where authorization policies and decisions are made using the relationships which exist between the entities of a modelled system, have attracted considerable attention in recent years. ReBAC can now be applied to general computing environments more diverse and complex than the social networking applications in which ReBAC was first studied. However, up until now ReBAC models have only considered the evaluation of requests made within a single system, and therefore within a single instance of a model. We present a framework through which model instances can inter-operate, such that requests initiated in one system may target resources in a second system. Further, our framework is able to support requests passing through a chain of inter-connected systems, thus enabling many systems to be connected together or a single large system to be decomposed into numerous component subsystems. We choose to develop an inter-operation framework for the RPPM model defined by Crampton and Sellwood. RPPM supports the modelling of general computing environments, to which inter-operation is highly relevant, and employs security principals and a two-step authorization process, which are naturally suited to the partitioning of access control processes. However, the underlying motivation and approach of this work are applicable to other relationship-based access control models, although alternative implementations may be required depending on a model's capabilities.
KW - Access control
KW - Authorization
KW - Path condition
KW - Policy graph
KW - Principal activation
KW - Principal matching
KW - Relationship
KW - Secure inter-operation
UR - http://www.scopus.com/inward/record.url?scp=84979561829&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-41483-6_7
DO - 10.1007/978-3-319-41483-6_7
M3 - Conference contribution
AN - SCOPUS:84979561829
SN - 978-3-319-41482-9
VL - 9766
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 96
EP - 105
BT - Data and Applications Security and Privacy XXX
PB - Springer-Verlag
Y2 - 18 July 2016 through 20 July 2016
ER -