Introducing Dynamic Identity and Access Management in Organizations

  • Michael Kunz
  • Ludwig Fuchs
  • Matthias Hummer
  • Günther Pernul
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)


Efficient and secure management of access to resources is a crucial challenge in today’s corporate IT environments. During the last years, introducing company-wide Identity and Access Management (IAM) infrastructures building on the Role-based Access Control (RBAC) paradigm has become the de facto standard for granting and revoking access to resources. Due to its static nature, the management of role-based IAM structures, however, leads to increased administrative efforts and is not able to model dynamic business structures. As a result, introducing dynamic attribute-based access privilege provisioning and revocation is currently seen as the next maturity level of IAM. Nevertheless, up to now no structured process for incorporating Attribute-based Access Control (ABAC) policies into static IAM has been proposed. This paper closes the existing research gap by introducing a novel migration guide for extending static IAM systems with dynamic ABAC policies. By means of conducting structured and tool-supported attribute and policy management activities, the migration guide supports organizations to distribute privilege assignments in an application-independent and flexible manner. In order to show its feasibility, we provide a naturalistic evaluation based on two real-world industry use cases.


Identity and Access Management IAM ABAC Policies 



The research leading to these results was supported by the “Bavarian State Ministry of Education, Science and the Arts” as part of the FORSEC research association.


  1. 1.
    Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL 1.2). Submission to W3C (2003)Google Scholar
  2. 2.
    Aubert, J., Gateau, B., Incoul, C., Feltus, C.: SIM: an innovative business-oriented approach for a distributed access management. In: Proceedings of the 3rd International Conference on Information and Communication Technologies: From Theory to Applications (ICTTA), pp. 1–6 (2008)Google Scholar
  3. 3.
    Basel Committee on Banking Supervision: Basel III - A Global Regulatory Framework for More Resilient Banks and Banking Systems (2011)Google Scholar
  4. 4.
    Beckerle, M., Martucci, L.A.: Formal definitions for usable access control rule sets from goals to metrics. In: Proceedings of the 9th Symposium on Usable Privacy and Security (SOUPS), p. 2 (2013)Google Scholar
  5. 5.
    Bhatti, R., Bertino, E., Ghafoor, A.: X-FEDERATE: a policy engineering framework for federated access management. IEEE Trans. Softw. Eng. 32(5), 330–346 (2006)CrossRefGoogle Scholar
  6. 6.
    Bijon, K.Z., Krishman, R., Sandhu, R.: Constraints specification in attribute based access control. Science 2(3), 131 (2013)Google Scholar
  7. 7.
    Buecker, A., Andrews, S., Forster, C., Harlow, N., Lu, M., Muppidi, S., Norvill, T., Nye, P., Waller, G., White, E.T.: IT Security Policy Management Usage Patterns Using IBM Tivoli Security Policy Manager. IBM Redbooks (2011)Google Scholar
  8. 8.
    Chadwick, D.W., Inman, G.: Attribute aggregation in federated identity management. IEEE Comput. 42(5), 33–40 (2009)CrossRefGoogle Scholar
  9. 9.
    Elliott, A., Knight, S.: Role explosion: acknowledging the problem. In: Proceedings of the International Conference on Software Engineering Research and Practice (SERP), pp. 349–355 (2010)Google Scholar
  10. 10.
    Fuchs, L., Kunz, M., Pernul, G.: Role model optimization for secure role-based identity management. In: Proceedings of the 22nd European Conference on Information Systems (ECIS) (2014)Google Scholar
  11. 11.
    Fuchs, L., Pernul, G.: HyDRo – hybrid development of roles. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 287–302. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  12. 12.
    Fuchs, L., Pernul, G.: Qualitätssicherung im Identity- und Access Management. HMD Praxi. Wirtschaftsinformatik 50(1), 88–97 (2013)CrossRefGoogle Scholar
  13. 13.
    Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security - a survey and classification of the research area. Comput. Secur. 30(8), 748–769 (2011)CrossRefGoogle Scholar
  14. 14.
  15. 15.
    Gupta, P., Stoller, S.D., Xu, Z.: Abductive analysis of administrative policies in rule-based access control. IEEE Trans. Dependable Secure Comput. 11(5), 412–424 (2014)CrossRefGoogle Scholar
  16. 16.
    Hamlen, K., Liu, P., Kantarcioglu, M., Thuraisingham, B., Yu, T.: Identity management for cloud computing: developments and directions. In: Proceedings of the 7th Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW), p. 32 (2011)Google Scholar
  17. 17.
    Han, W., Lei, C.: A survey on policy languages in network and security management. Comput. Netw. 56(1), 477–489 (2012)CrossRefGoogle Scholar
  18. 18.
    Heinrich, B., Kaiser, M., Klier, M.: How to measure data quality? a metric-based approach. In: Proceedings of the 6th International Conference on Computer and Information Science (ICIS) (2007)Google Scholar
  19. 19.
    Hovav, A., Berger, R.: Tutorial: identity management systems and secured access control. Commun. Assoc. Inf. Syst. 25(1), 42 (2009)Google Scholar
  20. 20.
    Hu, V.C., Ferraiolo, D., Kuhn, R., Schnitzer, A., Sandlin, K., Miller, R., Scarfone, K.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations. Technical report NIST SP 800–162 (2014)Google Scholar
  21. 21.
    Huang, J., Nicol, D.M., Bobba, R., Huh, J.H.: A framework integrating attribute-based policies into role-based access control. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 187–196 (2012)Google Scholar
  22. 22.
    Hummer, M., Kunz, M., Netter, M., Fuchs, L., Pernul, G.: Advanced identity and access policy management using contextual data. In: Proceedings of the 11th Internatinal Conference on Availability, Reliability and Security (ARES) (2015)Google Scholar
  23. 23.
    Iso: ISO/IEC 27000 Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary (2009)Google Scholar
  24. 24.
    Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  25. 25.
    Jin, Z., Xu, J., Xu, M., Zheng, N.: An attribute-oriented model for identity management. In: Proceedings of the International Conference on E-Education, E-Business, E-Management and E-Learning (IC4E), pp. 440–444 (2010)Google Scholar
  26. 26.
    Kunz, M., Fuchs, L., Netter, M., Pernul, G.: Analyzing quality criteria in role-based identity and access management. In: Proceedings of the 1st International Conference on Information Systems Security and Privacy (ICISSP) (2015)Google Scholar
  27. 27.
    Kunz, M., Hummer, M., Fuchs, L., Netter, M., Pernul, G.: Analyzing recent trends in enterprise identity management. In: Proceedings of the 25th International Workshop on Database and Expert Systems Applications (DEXA), pp. 273–277 (2014)Google Scholar
  28. 28.
    Lu, J., Li, R., Hu, J., Xu, D.: Inconsistency resolving of safety and utility in access control. J. Wirel. Commun. Networking 1, 1–12 (2011)Google Scholar
  29. 29.
    Marfia, F.: Using abductive and inductive inference to generate policy explanations. In: Proceedings of the International Conference on Security and Cryptography (SECRYPT) (2014)Google Scholar
  30. 30.
    Medvet, E., Bartoli, A., Carminati, B., Ferrari, E.: Evolutionary inference of attribute-based access control policies. In: Gaspar-Cunha, A., Henggeler Antunes, C., Coello, C.C. (eds.) EMO 2015. LNCS, vol. 9018, pp. 351–365. Springer, Heidelberg (2015) Google Scholar
  31. 31.
    Meier, S., Fuchs, L., Pernul, G.: Managing the access grid-a process view to minimize insider misuse risks. In: Proceedings of the 11th International Tagung Wirtschaftsinformatik (WI) (2013)Google Scholar
  32. 32.
    Ngo, C., Makkes, M.X., Demchenko, Y., De Laat, C.: Multi-data-types interval decision diagrams for XACML evaluation engine. In: Proceedings of the 11th Annual International Conference on Privacy, Security and Trust (PST), pp. 257–266 (2013)Google Scholar
  33. 33.
    OASIS: eXtensible Access Control Markup Language (XACML) Version 3.0 (2013)Google Scholar
  34. 34.
    O’Connor, A.C., Loomis, R.J.: 2010 Economic Analysis of Role-Based Access Control. Technical report (2010)Google Scholar
  35. 35.
    Park, J., Zhang, X., Sandhu, R.: Attribute mutability in usage control. In: Farkas, C., Samarati, P. (eds.) Research Directions in Data and Applications Security XVIII, pp. 15–29. Springer, US (2004)CrossRefGoogle Scholar
  36. 36.
    Priebe, T., Dobmeier, W., Muschall, B., Pernul, G.: ABAC-Ein Referenzmodell für attributbasierte Zugriffskontrolle. In: Sicherheit, vol. 62, pp. 285–296 (2005)Google Scholar
  37. 37.
    Priebe, T., Dobmeier, W., Schläger, C., Kamprath, N.: Supporting attribute-based access control in authorization and authentication infrastructures with ontologies. J. Softw. 2(1), 27–38 (2007)CrossRefGoogle Scholar
  38. 38.
    Pries-Heje, J., Baskerville, R., Venable, J.: Strategies for design science research evaluation. In: Proceedings of the 16th European Conference on Information Systems (ECIS), pp. 1–12 (2008)Google Scholar
  39. 39.
    Rahm, E., Do, H.H.: Data cleaning: problems and current approaches. IEEE Database Eng. Bull. 23(4), 3–13 (2000)Google Scholar
  40. 40.
    Redman, T.C.: Data Quality for the Information Age, 1st edn. Artech House Inc., Norwood (1997)Google Scholar
  41. 41.
    Rudolph, M., Schwarz, R., Jung, C.: Security policy specification templates for critical infrastructure services in the cloud. In: Proceedings of the 9th International Conference for Internet Technology and Secured Transactions (ICITST), pp. 61–66 (2014)Google Scholar
  42. 42.
    Sandhu, R.: The authorization leap from rights to attributes: maturation or chaos? In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 69–70 (2012)Google Scholar
  43. 43.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 2, 38–47 (1996)CrossRefGoogle Scholar
  44. 44.
    Seamons, K., Winslett, M., Yu, T., Smith, B., Child, E., Jacobson, J., Mills, H., Yu, L.: Requirements for policy languages for trust negotiation. In: Proceedings of the 3rd International Workshop on Policies for Distributed Systems and Networks (POLICY), pp. 68–79 (2002)Google Scholar
  45. 45.
    SOX: Sarbanes-Oxley Act of 2002, PL 107–204, 116 Stat 745 (2002)Google Scholar
  46. 46.
    Stepien, B., Felty, A., Matwin, S.: A non-technical XACML target editor for dynamic access control systems. In: Proceedings of the International Conference on Collaboration Technologies and Systems (CTS), pp. 150–157 (2014)Google Scholar
  47. 47.
    Stepien, B., Matwin, S., Felty, A.: An algorithm for compression of XACML access control policy sets by recursive subsumption. In: Proceedings of the 7th International Conference on Availability, Reliability and Security (ARES), pp. 161–167 (2012)Google Scholar
  48. 48.
    Strembeck, M.: Engineering of Dynamic Policy-Based Systems: A Policy Engineering of Dynamic Policy-Based Systems: Language Based Approach. Hab. Th. (2008)Google Scholar
  49. 49.
    Xiao, X., Paradkar, A., Thummalapenta, S., Xie, T.: Automated extraction of security policies from natural-language software documents. In: Proceedings of the 20th International Symposium on the Foundations of Software Engineering (SIGSOFT), p. 12 (2012)Google Scholar
  50. 50.
    Xu, Z., Stoller, S.D.: Mining attribute-based access control policies from RBAC policies. In: Proceedings of the 10th International Conference and Expo on Emerging Technologies for a Smarter World (CEWIT), pp. 1–6 (2013)Google Scholar
  51. 51.
    Xu, Z., Stoller, S.D.: Mining attribute-based access control policies from logs. In: Atluri, V., Pernul, G. (eds.) DBSec 2014. LNCS, vol. 8566, pp. 276–291. Springer, Heidelberg (2014) Google Scholar
  52. 52.
    Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of the International Conference on Web Services (ICWS), p. 569 (2005)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Michael Kunz
    • 1
  • Ludwig Fuchs
    • 2
  • Matthias Hummer
    • 2
  • Günther Pernul
    • 1
  1. 1.Department of Information SystemsUniversity of RegensburgRegensburgGermany
  2. 2.Nexis GmbHRegensburgGermany

Personalised recommendations