Abstract
Due to the rapid development of large scale and big data systems, attribute-based access control (ABAC) model has inaugurated a new wave in the research field of access control. In this paper, we propose a novel and comprehensive mechanism for enforcing attribute-based security policies stored in JSON documents. We build a lightweight grammar for conditional expressions that are the combination of subject, resource, and environment attributes so that the policies are flexible, dynamic and fine grained. Besides, we also present an extension from the ABAC model for privacy protection with the approach of purpose usage. The notion of purpose is associated with levels of data disclosure and constraints to support more fine-grained privacy policies. A prototype built for the proposed model using Java and MongoDB has also presented in the paper. The experiment is carried out to illustrate the relationship between the processing time for access decision and the complexity of policies.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bertino, E., Ghinita, G., Kamra, A.: Access Control for Databases: Concepts and Systems. Now Publishers, Hanover (2011)
Hu, V.C., Ferraiolo, D., Kuhn, R., Friedman, A.R., Lang, A.J., Cogdell, M.M., Schnitzer, A., Sandlin, K., Miller, R., Scarfone, K.: Guide to Attribute Based Access Control (ABAC) definition and considerations (draft). NIST Special Publication, 800, 162 (2013)
Hu, V.C., Kuhn, D.R., Ferraiolo, D.F.: Attribute-based access control. Computer 2, 85–88 (2015)
Jin, X., Krishnan, R., Sandhu, R.: A Unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31540-4_4
Sandhu, R.: The Future of access control: attributes, automation, and adaptation. In: Krishnan, G.S.S., Anitha, R., Lekshmi, R.S., Kumar, M.S., Bonato, A., Graña, M. (eds.) Computational Intelligence, Cyber Security and Computational Models. AISC, vol. 246, p. 45. Springer, New Delhi (2014). https://doi.org/10.1007/978-81-322-1680-3_5
Westin, A.F.: Privacy and Freedom. Atheneum, New York (1967)
Byun, J.-W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies (2005)
Byun, J.W., Li, N.: Purpose based access control for privacy protection in relational database systems. VLDB J. 17(4), 603–619 (2008)
Kabir, M.E., Wang, H.: Conditional purpose based access control model for privacy protection. In: Proceedings of the Twentieth Australasian Conference on Australasian Database, vol. 92, pp. 135–142. Australian Computer Society, Inc. (2009)
Wang, H., Sun, L., Bertino, E.: Building access control policy model for privacy preserving and testing policy conflicting problems. J. Comput. Syst. Sci. 80(8), 1493–1503 (2014)
Kabir, M.E., Wang, H., Bertino, E.: A role-involved conditional purpose-based access control model. In: Janssen, M., Lamersdorf, W., Pries-Heje, J., Rosemann, M. (eds.) EGES/GISP 2010. IFIP AICT, vol. 334, pp. 167–180. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15346-4_13
Kabir, M.E., Wang, H., Bertino, E.: A conditional purpose-based access control model with dynamic roles. Expert Syst. Appl. 38(3), 1482–1489 (2011)
Ni, Q., Lin, D., Bertino, E., Lobo, J.: Conditional privacy-aware role based access control. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 72–89. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74835-9_6
Ni, Q., Bertino, E., Lobo, J., Brodie, C., Karat, C.M., Karat, J., Trombeta, A.: Privacy-aware role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 13(3), 24 (2010)
Colombo, P., Ferrari, E.: Enforcement of purpose based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 26(11), 2703–2716 (2014)
Colombo, P., Ferrari, E.: Enhancing MongoDB with purpose based access control. IEEE Trans. Depend. Secur. Comput. (2015, will appear)
Colombo, P., Ferrari, E.: Efficient enforcement of action-aware purpose-based access control within relational database management systems. IEEE Trans. Knowl. Data Eng. 27(8), 2134–2147 (2015)
Pervaiz, Z., Aref, W.G., Ghafoor, A., Prabhu, N.: Accuracy-constrained privacy-preserving access control mechanism for relational data. IEEE Trans. Knowl. Data Eng. 26(4), 795–807 (2014)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)
Fuchs, L., Pernul, G., Sandhu, R.: Roles in information security–a survey and classification of the research area. Comput. Secur. 30(8), 748–769 (2011)
Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding attributes to role-based access control. IEEE Comput. 43(6), 79–81 (2010)
Huang, J., Nicol, D.M., Bobba, R., Huh, J.H.: A framework integrating attribute-based policies into role-based access control. In: Proceedings of the 17th ACM symposium on Access Control Models and Technologies, pp. 187–196. ACM (2012)
Rajpoot, Q.M., Jensen, C.D., Krishnan, R.: Attributes enhanced role-based access control model. In: Fischer-Hübner, S., Lambrinoudakis, C., Lopez, J. (eds.) TrustBus 2015. LNCS, vol. 9264, pp. 3–17. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22906-5_1
Sweeney, L.: Achieving k-anonymity privacy protection using generalization and suppression. Int. J. Uncertain. Fuzziness Knowl. Based Syst. 10(05), 571–588 (2002)
Ni, Q., Bertino, E., Lobo, J.: An obligation model bridging access control policies and privacy policies. In: Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 133–142 (2008)
Rissanen, E.: eXtensible Access Control Markup Language (XACML) version 3.0 (committe specification 01). Technical report, OASIS (2010). http://docs.oasisopen.org/xacml/3.0/xacml-3.0-core-spec-cd-03-en.Pdf
Nurseitov, N., et al.: Comparison of JSON and XML data interchange formats: a case study. In: Caine 2009 (2009)
Servos, D., Osborn, S.L.: Current research and open problems in attribute-based access control. ACM Comput. Surv. (CSUR) 49(4) (2017)
Ferraiolo, D., et al.: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). In: Proceedings of the 2016 ACM International Workshop on Attribute Based Access Control (2016)
Thi, Q.N.T., Si, T.T., Dang, T.K.: Fine grained attribute based access control model for privacy protection. In: Dang, T.K., Wagner, R., Küng, J., Thoai, N., Takizawa, M., Neuhold, E. (eds.) FDSE 2016. LNCS, vol. 10018, pp. 305–316. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48057-2_21
Acknowledgements
This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-11.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer-Verlag GmbH Germany
About this chapter
Cite this chapter
Thi, Q.N.T., Dang, T.K. (2017). Towards a Fine-Grained Privacy-Enabled Attribute-Based Access Control Mechanism. In: Hameurlain, A., Küng, J., Wagner, R., Dang, T., Thoai, N. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XXXVI. Lecture Notes in Computer Science(), vol 10720. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-56266-6_3
Download citation
DOI: https://doi.org/10.1007/978-3-662-56266-6_3
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-56265-9
Online ISBN: 978-3-662-56266-6
eBook Packages: Computer ScienceComputer Science (R0)