Relationship-Based Access Control: Protection Model and Policy Language
Date
2010-09-22T17:42:25Z
Abstract
Social Network Systems pioneer a paradigm of access control that is distinct from traditional approaches to access control. Gates coined the term Relationship-Based Access Control (ReBAC) to refer to this paradigm. ReBAC is characterized by the explicit tracking of interpersonal relationships between users, and by the expression of access control policies in terms of these relationships. This work explores what it takes to widen the applicability of ReBAC to application domains other than social computing. To this end, we formulate an archetypical ReBAC model to capture the essence of the paradigm: authorization decisions are based on the relationship between the resource owner and the resource accessor in a social network maintained by the protection system. A novelty of the model is that it captures the contextual nature of relationships. We devise a policy language, based on modal logic, for composing access control policies that support delegation of trust. We use a case study in the domain of Electronic Health Records to demonstrate the utility of our model and its policy language. This work provides initial evidence of the feasibility and utility of ReBAC as a general-purpose paradigm of access control.
Keywords
Security, Design, Language, Theory