Towards efficient implementation of attribute-based access control

Date

2021

Authors

Pagadala, Vignesh M., author
Ray, Indrakshi, advisor
Ray, Indrajit, committee member
Anderson, Charles, committee member
Vijayasarathy, Leo, committee member

Abstract

Attribute-Based Access Control (ABAC) is a methodology that allows or prohibits a subject (user or process) from performing actions on an object (resource), based on the attributes of the subject and the object. The inherent versatility of ABAC, as opposed to other access control methods such as Role-Based Access Control (RBAC), has produced a wide range of use cases for it, including but not limited to healthcare, finance, government and the military. Increasingly, organizations are adopting ABAC as their access control scheme of choice. To implement ABAC, standards such as the eXtensible Access Control Markup Language (XACML) and Next-Generation Access Control (NGAC) are typically employed. Although these standards allow organizations to implement an access control scheme that is fine-grained, easily manageable and free of problems such as role explosion, bottlenecks remain in the time taken to evaluate access requests and in the pre-computations performed to prepare the mechanism for answering queries. These issues become apparent only when the number of entities in the organization (subjects and objects) begins to scale. Previous works based on NGAC have been proposed that ensure efficient evaluation of access requests. However, their procedures require pre-computations whose time complexity grows rapidly with the number of entities and policies. We argue that this implementation can be done better through careful use of specific data structures. Our ABAC implementation (using NGAC) not only answers queries in O(1), but also speeds up the pre-computation process to practicable levels, making it more suitable for deployment. We also propose two secondary contributions: a mechanism to respond to access requests while a policy update is underway, and procedures to enforce policies from a subset of several policy classes.

Subject

attribute-based access control
Neo4j
NIST policy machine
graph database
ABAC
next-generation access control
