A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC

  • Xin Jin
  • Ram Krishnan
  • Ravi Sandhu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7371)


Recently, there has been considerable interest in attribute based access control (ABAC) to overcome the limitations of the dominant access control models (i.e, discretionary-DAC, mandatory-MAC and role based-RBAC) while unifying their advantages. Although some proposals for ABAC have been published, and even implemented and standardized, there is no consensus on precisely what is meant by ABAC or the required features of ABAC. There is no widely accepted ABAC model as there are for DAC, MAC and RBAC. This paper takes a step towards this end by constructing an ABAC model that has “just sufficient” features to be “easily and naturally” configured to do DAC, MAC and RBAC. For this purpose we understand DAC to mean owner-controlled access control lists, MAC to mean lattice-based access control with tranquility and RBAC to mean flat and hierarchical RBAC. Our central contribution is to take a first cut at establishing formal connections between the three successful classical models and desired ABAC models.




  1. 1.
    OASIS, Extensible access control markup language (XACML), v2.0 (2005)Google Scholar
  2. 2.
    OASIS, Security assertion markup language (SAML), v2.0 (2005)Google Scholar
  3. 3.
    Abdallah, A.E., Khayat, E.J.: A formal model for parameterized role-based access control. In: Formal Aspects in Security and Trust (2004)Google Scholar
  4. 4.
    Al-Kahtani, M.A., Sandhu, R.S.: A model for attribute-based user-role assignment. In: ACSAC (2002)Google Scholar
  5. 5.
    Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A logical framework for reasoning about access control models. In: SACMAT (2001)Google Scholar
  6. 6.
    Bonatti, P.A., Samarati, P.: Regulating service access and information release on the web. In: ACM CCS (2000)Google Scholar
  7. 7.
    Bonatti, P.A., Samarati, P.: A uniform framework for regulating service access and information release on the web. J. Comp. Secur. (2002)Google Scholar
  8. 8.
    Chadwick, D.W., Otenko, A., Ball, E.: Role-based access control with X.509 attribute certificates. IEEE Internet Computing (2003)Google Scholar
  9. 9.
    Damiani, E., di Vimercati, S.D.C., Samarati, P.: New paradigms for access control in open environments. In: Int. Sym. on Sig. Proc. and Info. Tech. (2005)Google Scholar
  10. 10.
    Evered, M.: Supporting parameterised roles with object-based access control. In: HICSS (2003)Google Scholar
  11. 11.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Richard Kuhn, D., Chandramouli, R.: Proposed nist standard for role-based access control. ACM Trans. Inf. Syst. Secur. (2001)Google Scholar
  12. 12.
    Fischer, J., Marino, D., Majumdar, R., Millstein, T.: Fine-Grained Access Control with Object-Sensitive Roles. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 173–194. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  13. 13.
    Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security: A survey and classification of the research area. Comp. and Secur. (2011)Google Scholar
  14. 14.
    Ge, M., Osborn, S.L.: A design for parameterized roles. In: DBSec (2004)Google Scholar
  15. 15.
    Giuri, L., Iglio, P.: Role templates for content-based access control. In: ACM Workshop on RBAC (1997)Google Scholar
  16. 16.
    Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Trans. Database Syst. (2001)Google Scholar
  17. 17.
    El Kalam, A.A., Benferhat, S., Miège, A., El Baida, R., Cuppens, F., Saurel, C., Balbiani, P., Deswarte, Y., Trouessin, G.: Organization based access control. In: POLICY (2003)Google Scholar
  18. 18.
    Kandala, S., Sandhu, R., Bhamidipati, V.: An attribute based framework for risk-adaptive access control models. In: ARES (2011)Google Scholar
  19. 19.
    Lang, B., Foster, I.T., Siebenlist, F., Ananthakrishnan, R., Freeman, T.: A flexible attribute based access control method for grid computing. J. Grid Comput. (2009)Google Scholar
  20. 20.
    Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management framework. In: 2002 IEEE S&P (2002)Google Scholar
  21. 21.
    Park, J., Sandhu, R.: The UCONabc usage control model. ACM Trans. Inf. Syst. Secur. (2004)Google Scholar
  22. 22.
    Sandhu, R.S.: Lattice-based access control models. IEEE Computer (1993)Google Scholar
  23. 23.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer (1996)Google Scholar
  24. 24.
    Sandhu, R.S., Samarati, P.: Access control: Principles and practice. IEEE Com. Mag. (1994)Google Scholar
  25. 25.
    Schläger, C., Sojer, M., Muschall, B., Pernul, G.: Attribute-Based Authentication and Authorisation Infrastructures for E-Commerce Providers. In: Bauknecht, K., Pröll, B., Werthner, H. (eds.) EC-Web 2006. LNCS, vol. 4082, pp. 132–141. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. 26.
    Wang, L., Wijesekera, D., Jajodia, S.: A logic-based framework for attribute based access control. In: 2nd ACM Workshop on FMSE (2004)Google Scholar
  27. 27.
    Yong, J., Bertino, E., Toleman, M., Roberts, D.: Extended RBAC with role attributes. In: 10th Pacific Asia Conf. on Info. Sys. (2006)Google Scholar
  28. 28.
    Yu, T., Ma, X., Winslett, M.: Prunes: an efficient and complete strategy for automated trust negotiation over the internet. In: ACM CCS (2000)Google Scholar
  29. 29.
    Yu, T., Winslett, M., Seamons, K.E.: Interoperable strategies in automated trust negotiation. In: ACM CCS (2001)Google Scholar
  30. 30.
    Yu, T., Winslett, M., Seamons, K.E.: Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Trans. Inf. Syst. Secur. (2003)Google Scholar
  31. 31.
    Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Intl. ICWS (2005)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Xin Jin
    • 1
  • Ram Krishnan
    • 2
  • Ravi Sandhu
    • 1
  1. 1.Department of Computer ScienceInstitute for Cyber SecurityUSA
  2. 2.Dept. of Elect. and Computer Engg.Institute for Cyber SecurityUSA

Personalised recommendations