Abstract
We describe a new model for Attribute Based Access Control (ABAC) which handles negative permissions and overrides in a single permissions processing mechanism. The model lends itself to the generation of explanations and permissions review, which can be used to foster end-user trust and confidence in the authorization system. We illustrate using a scenario in which a patient, with the assistance of an information specialist, develops consent directives for her medical records while receiving explanations and demonstrations. The model extends the approaches of ABAC and parameterized Role Based Access Control (RBAC) in that users, operations, and protected objects have properties, which we call classifiers. The simplest form of classifier is an attribute, as defined for ABAC; additional information is also handled by classifiers. Classifier values themselves are hierarchically structured. A permission consists of a set of classifier values, and permissions review/determining an individual’s risk exposure is carried out by database querying. The model has general applicability to areas where tightly controlled sharing of data and applications, with well-defined overrides, is required.
Acknowledgment
The author wishes to thank Tony Howitt, Professor Mike Lockyer, Professor Michael Thick and Steve Dunne for advice and contributions. The work was supported in part by grants and contracts from the England NHS National Programme for IT, particularly as part of the ERDIP and HRI Programmes (2000−2006).
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Longstaff, J. (2013). Extending Attribute Based Access Control to Facilitate Trust in eHealth and Other Applications. In: Felici, M. (eds) Cyber Security and Privacy. CSP 2013. Communications in Computer and Information Science, vol 182. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41205-9_11
DOI: https://doi.org/10.1007/978-3-642-41205-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41204-2
Online ISBN: 978-3-642-41205-9
eBook Packages: Computer Science (R0)