06080420

a

06080420 Hinrichs, Timothy L. Garrison, William C.III Lee, Adam J. Saunders, Skip Mitchell, John C. TBA: a hybrid of logic and extensional access control systems. Barthe, Gilles (ed.) et al., Formal aspects of security and trust. 8th international workshop, FAST 2011, Leuven, Belgium, September 12--14, 2011. Revised selected papers. Berlin: Springer (ISBN 978-3-642-29419-8/pbk). Lecture Notes in Computer Science 7140, 198-213 (2012). 2012 Berlin: Springer EN

doi:10.1007/978-3-642-29420-4_13

Summary: Logical policy-based access control models are greatly expressive and thus provide the flexibility for administrators to represent a wide variety of authorization policies. Extensional access control models, on the other hand, utilize simple data structures to better enable a less trained and non-administrative workforce to participate in the day-to-day operations of the system. In this paper, we formally study a hybrid approach, tag-based authorization (TBA ), which combines the ease of use of extensional systems while still maintaining a meaningful degree of the expressiveness of logical systems. TBA employs an extensional data structure to represent metadata tags associated with subjects and objects, as well as a logical language for defining the access control policy in terms of those tags. We formally define TBA and introduce variants that include tag ontologies and delegation. We evaluate the resulting system by comparing to well-known extensional and logical access control models.