Flexible attribute enriched role based access control model

IEEE International Conference on Information, Communication, Instrumentation and Control (ICICIC)
Prajapati Barkha
Student,
Computer Engineering Department,
Sardar Vallabhbhai Patel Institute of Technology,
Vasad, India
prajapatibarkha2629@gmail.com
Gurucharansingh Sahani
Assistant Professor,
Computer Engineering Department,
Sardar Vallabhbhai Patel Institute of Technology,
Vasad, India
gurcharan_sahani@yahoo.com
Abstract: Role based access control (RBAC) and attribute based access control (ABAC) are the two most popular and widely used access control models. Each has limitations, and the strengths of one complement the weaknesses of the other. A number of research efforts integrate RBAC and ABAC, but there is still a need for a model that overcomes the limitations of both. This work therefore integrates RBAC and ABAC in such a way that the limitations of both are overcome, giving a better model than either pure RBAC or pure ABAC.
Keywords: RBAC, ABAC, RABAC, PFP
I. INTRODUCTION
RBAC is the standard and most widely adopted access control model, and it meets most organizational access control needs. An access control policy is a statement of rules about who may access which resources and how much access each user is given. The main idea behind RBAC is that a role is an intermediate layer between users and permissions: users are assigned to roles, and permissions are assigned to roles rather than directly to users [8].
Recently there has been rising concern about the limitations of RBAC, and researchers have addressed them in two ways. First, they have extended RBAC in a number of directions and integrated it with other access control models. Second, they have tried to develop a more general model, in particular attribute-based access control (ABAC), which offers the benefits of DAC, MAC and RBAC and overcomes their limitations [9]. RBAC suits situations where access depends on the user's role in the organization, but it is not suitable where contextual attributes must be taken into consideration when making the access decision. Another limitation of RBAC is that in a large organization, providing finer grained access requires defining a great many roles, which leads to the role explosion problem. ABAC can be used as an alternative to RBAC to overcome these limitations. ABAC is more flexible than RBAC because it easily accommodates contextual attributes when forming permissions. However, ABAC has its own limitations: it is more complex than RBAC in terms of policy review, and visualizing the effect of a policy modification is difficult because there are no roles, so when a policy is modified it is hard to determine which group of users is affected. As discussed above, both RBAC and ABAC have advantages as well as disadvantages, and their features are complementary, so the integration of RBAC and ABAC has become an important research topic [10].
The remainder of this article is organized as follows: Section II gives an overview of the existing model, Section III explains the proposed model, Section IV gives implementation details, Section V outlines future work and Section VI concludes.
II. OVERVIEW OF EXISTING MODEL
In the existing system each user is associated with a generalized role, and each role has a set of permissions associated with it. A permission consists of an object expression and an operation authorized on the set of objects denoted by that expression. Object expressions are formed from the attributes of objects. A permission is associated with one or more conditions, all of which must evaluate to true for the user to exercise that permission. A condition may refer to the attributes of any entity, including users, objects and the environment, which allows the request context to be considered in making access control decisions. Unlike traditional RBAC approaches, permissions in this model consist of operations and object expressions, enabling content-based access control.
How access is granted in the existing system is shown in Figure 4.1. When the user sends a request, a session is started and the user's role is activated; the set of permissions associated with that role is then checked. Each permission contains an object expression, so once the object expressions have been shortlisted they are evaluated one by one for each object. If an object expression and its corresponding condition evaluate to true for an object, the object is added to the list of authorized objects to be granted to the user. Finally, the user is granted access to all objects for which an object expression and its corresponding condition return true.
In short: the user sends a request, a session is started and the role is activated, the permission set associated with that role is filtered using the conditions attached to each permission, and the user is granted the permissions that survive the filter.
Figure 4.1: Existing system flow
Authorized licensed use limited to: Norges Teknisk-Naturvitenskapelige Universitet. Downloaded on October 29,2020 at 20:14:19 UTC from IEEE Xplore. Restrictions apply.
The existing system fails in situations where activation of a role depends on a contextual condition. For example, in a healthcare system the nurse role depends on a shift or time constraint: a user holding the nurse role must have it activated only during their shift. In the existing system this time constraint is included in the conditions attached to the permissions, which is wasteful: if a nurse sends a request before or after her shift, her role is still activated and every permission and condition is checked before access is finally denied, which only adds computation. Moreover, if the timing constraint or another environmental condition changes, it has to be changed in every permission, so the policy is very difficult to update.
The existing system also does not handle context based permission revocation. When access to an object depends on an environmental condition and that condition becomes false while the object is being accessed, the permission to access that object must be revoked. The existing system checks the environmental condition only at the time access is granted; if the condition becomes false during access, the permission is not revoked, and the environmental constraint loses its meaning.
III. PROPOSED MODEL
The proposed system overcomes these limitations of the existing system by adding context based role activation and permission revocation. When a user sends a request, a session is started, but before a role is activated its contextual activation condition is checked; only if it is satisfied is the role activated, otherwise it stays inactive. After activation, the set of permissions associated with the role is checked against their conditions, and access is granted only for the permissions that pass. Then, while the user is accessing a resource, if a contextual condition ceases to hold the corresponding permission is revoked from the set of available permissions. The whole flow of the proposed system is shown in Figure 4.2.
Figure 4.2: Proposed system flow
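As an added example (not the paper's code and not the authors' implementation), the flow of Figure 4.2 in Python: a role's activation context is checked before the role is activated, the permissions of active roles are filtered by their object expressions and conditions as in the existing system of Section II, and live grants are re-checked so that a permission is revoked when its environmental condition stops holding. The role names, attribute names, the nurse's shift hours and the sample hospital objects are constructed assumptions.

```python
# Added example, not the paper's code: a small decision loop that follows the
# proposed flow of Figure 4.2. Roles, attribute names, shift hours and the
# sample hospital objects below are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Predicate = Callable[[Attrs, Attrs, Attrs], bool]   # (user, object, environment) -> bool


def always(user: Attrs, obj: Attrs, env: Attrs) -> bool:
    return True


@dataclass
class Permission:
    operation: str
    object_expr: Predicate   # which objects the permission covers (object attributes)
    condition: Predicate     # further check over user, object and environment attributes


@dataclass
class Role:
    name: str
    activation_ctx: Predicate                 # checked BEFORE activation (proposed model)
    permissions: List[Permission] = field(default_factory=list)


@dataclass
class Grant:
    operation: str
    obj: Attrs
    condition: Predicate                      # kept so the grant can be re-checked later


@dataclass
class Session:
    user: Attrs
    active_roles: List[str] = field(default_factory=list)
    grants: List[Grant] = field(default_factory=list)
    evaluated: int = 0                        # (permission, object) pairs checked so far

    def allowed(self, operation: str, obj_id: str) -> bool:
        return any(g.operation == operation and g.obj["id"] == obj_id for g in self.grants)


def start_session(user: Attrs, roles: List[Role], objects: List[Attrs], env: Attrs) -> Session:
    """Context-based role activation, then the existing permission filtering."""
    session = Session(user)
    for role in roles:
        if role.name not in user["roles"]:
            continue
        if not role.activation_ctx(user, {}, env):
            continue                          # stays inactive: none of its permissions is evaluated
        session.active_roles.append(role.name)
        for perm in role.permissions:
            for obj in objects:
                session.evaluated += 1
                if perm.object_expr(user, obj, env) and perm.condition(user, obj, env):
                    session.grants.append(Grant(perm.operation, obj, perm.condition))
    return session


def recheck(session: Session, env: Attrs) -> List[Tuple[str, str]]:
    """Context-based revocation: drop every live grant whose condition no longer holds."""
    kept, revoked = [], []
    for g in session.grants:
        (kept if g.condition(session.user, g.obj, env) else revoked).append(g)
    session.grants = kept
    return [(g.operation, g.obj["id"]) for g in revoked]


# Constructed sample policy and data.
def in_shift(user: Attrs, obj: Attrs, env: Attrs) -> bool:
    start, end = user["shift"]
    return start <= env["hour"] < end

def same_department(user: Attrs, obj: Attrs, env: Attrs) -> bool:
    return obj["department"] == user["department"]

ROLES = [
    Role("Doctor", always, [
        Permission("read", lambda u, o, e: o["type"] == "appointment", same_department),
        Permission("write", lambda u, o, e: o["type"] == "appointment", same_department)]),
    # Nurse: the shift check gates activation and also stays on each grant for revocation.
    Role("Nurse", in_shift, [
        Permission("read", lambda u, o, e: o["type"] == "patient_info",
                   lambda u, o, e: same_department(u, o, e) and in_shift(u, o, e))]),
]
OBJECTS = [
    {"id": "appt-1", "type": "appointment", "department": "Heart"},
    {"id": "appt-2", "type": "appointment", "department": "Brain"},
    {"id": "pi-1", "type": "patient_info", "department": "Heart"},
    {"id": "pi-2", "type": "patient_info", "department": "Lungs"},
]
DOCTOR = {"id": "d1", "roles": ["Doctor"], "department": "Heart"}
NURSE = {"id": "n1", "roles": ["Nurse"], "department": "Heart", "shift": (8, 16)}

if __name__ == "__main__":
    s = start_session(NURSE, ROLES, OBJECTS, {"hour": 10})
    print(s.active_roles, s.allowed("read", "pi-1"), recheck(s, {"hour": 17}))
    print(start_session(NURSE, ROLES, OBJECTS, {"hour": 22}).evaluated)
```

Running the module shows the three behaviours the paper argues for: the nurse session at 22:00 activates no role and evaluates zero permissions, which is exactly the computation the existing flow would have spent before denying; the 10:00 session holds a grant that recheck revokes once the hour leaves the shift; and the Doctor's grants stay within the department because the condition is attached to a single generalized role rather than to one role per department.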
The proposed system has several advantages and overcomes the limitations of both RBAC and ABAC.
First, to overcome the role explosion problem of RBAC we use generalized roles. To achieve fine grained access in core RBAC we have to define a large number of roles. For instance, to enforce the policy "a doctor can read or write the information of patients who belong to his/her department", core RBAC needs one role per department, with the role to permission assignment shown in the table below.
Table 4.2 Role explosion problem in core RBAC
Role          Heart patient info   Brain patient info   Lungs patient info
Doctor_Heart  R/W                  R                    R
Doctor_Brain  R                    R/W                  R
Doctor_Lungs  R                    R                    R/W
As the table shows, the number of roles grows with the number of departments. In the proposed model we instead take a generalized role and use attributes in the permission to provide fine grained access. We use the XACML policy framework to define the policies, which are themselves fine grained. Hence, using generalized roles, we overcome the role explosion problem and still achieve fine grained access.
Second, we also use contextual conditions when creating the policy. XACML readily takes environmental conditions into account in decision making, so our system is context aware.
Third, since we preserve the RBAC model, in which user to role assignment is static, the system is easy to audit: permissions are associated with roles, and roles are static.
Fourth, visualizing a policy modification is easy because in our model each role is associated with a set of permissions or policies, so when a policy changes we can easily see which roles, and hence which users, are affected.
Fifth, context based role activation is handled by our system: a role is activated only if the context required to activate it is satisfied, which makes the system computationally cheaper and easier to update.
Sixth, context based permission revocation is also performed by our system. We continuously check the constraints while a resource is being accessed, and if a condition fails we automatically revoke the permission from the user's permission set.
In summary, our access control model overcomes the limitations of both RBAC and ABAC and has the following features:
1. No role explosion problem
2. Fine grained access
3. Context aware model
4. Easy auditing
5. Easy policy modification visualization
6. Context based role activation
7. Context based permission revocation
IV. IMPLEMENTATION DETAILS
As discussed above, the proposed model provides advantages such as fine grained access, context awareness and easy auditing. To demonstrate this we generate XACML policies using generalized roles and test them to check whether the model provides these advantages. Some snapshots of the policies and their tests follow.
We generate the policy for Doctor to show that, using a generalized role, we achieve fine grained access. The Doctor policy says: "A doctor can read/write appointments only of those patients who belong to his/her department."
Figure 4.1 Doctor Policy
Test case 1:
Table 4.1 Test case for Doctor
Figures 4.2 and 4.3 show the XACML request and response that permit the doctor to add a patient who belongs to his/her department.
Request1:-
Figure 4.2 XACML request of doctor to permit
Response1:-
Figure 4.3 XACML response of Doctor to permit
Figures 4.4 and 4.5 show the XACML request and response that deny the doctor adding a patient who belongs to another department.
Request2:-
Figure 4.4 XACML request of doctor to Deny
Response2:-
Figure 4.5 XACML response of doctor to Deny
The requests and responses above show that, using a generalized role, we achieve fine grained access. Next we generate the policy for Receptionist to show that the proposed model also accommodates environmental attributes such as time and location. The Receptionist policy says: "A receptionist can write an appointment only between 9 and 5."
Figure 4.6 Receptionist policy
Test case 2:
Table 4.2 Test case for Receptionist
Request1:-
Figure 4.7 XACML request of Receptionist to permit
Response1:-
Figure 4.8 XACML response of Receptionist to permit
Request2:-
Figure 4.9 XACML request of Receptionist to Deny
Response2:-
Figure 4.10 XACML response of Receptionist to Deny
The request and response above show that the proposed model also accommodates environmental attributes; hence the system is context aware.
The third policy makes activation of a role depend on context, as shown in the figure below: the nurse role is activated only during the nurse's working hours.
Figure 4.11 Role activation policy
Test case 3:
Table 4.3 Test cases for role activation policy
Request1:-
Figure 4.12 XACML request for activation of role
Response1:-
Figure 4.13 XACML response for activation of role
Request2:-
Figure 4.14 XACML request2 for activation of role
Response2:-
Figure 4.15 XACML response 2 for activation of role
As the role activation policy shows, the role is activated according to the context, so the computation spent checking permission policies for a role that should not be active, and the time spent updating the policy, are saved.
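The role explosion argument of Section III (Table 4.2) and the three test cases of this section can be exercised with the following added example, which is not the paper's XACML and not the authors' code: a miniature policy decision point in Python that evaluates XACML-style requests (attributes grouped into subject, resource, action and environment categories) against a single generalized Doctor policy, the Receptionist time-window policy and the Nurse role-activation policy. The attribute names, the department names, the 09:00 to 17:00 reading of "9 to 5" and the nurse's shift hours are assumptions made for the example.

```python
# Added example, not the paper's XACML: a miniature policy decision point that
# evaluates XACML-style requests (attributes grouped by category) against the
# three policies of Section IV. Attribute names, department names, the
# 09:00-17:00 reading of "9 to 5" and the nurse's shift are constructed.
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List

Request = Dict[str, Dict[str, Any]]   # category -> attributes
Match = Callable[[Request], bool]


@dataclass
class Rule:
    rule_id: str
    effect: str          # "Permit" or "Deny"
    condition: Match


@dataclass
class Policy:
    policy_id: str
    target: Match        # applicability: role, resource type, action
    rules: List[Rule]    # combined with first-applicable


def evaluate_policy(policy: Policy, req: Request) -> str:
    """first-applicable rule combining: the first rule whose condition holds decides."""
    if not policy.target(req):
        return "NotApplicable"
    for rule in policy.rules:
        if rule.condition(req):
            return rule.effect
    return "NotApplicable"


def decide(policies: List[Policy], req: Request) -> str:
    """Policy-set level deny-overrides: any Deny wins, else Permit if some policy permits."""
    result = "NotApplicable"
    for policy in policies:
        decision = evaluate_policy(policy, req)
        if decision == "Deny":
            return "Deny"
        if decision == "Permit":
            result = "Permit"
    return result


def request(subject: Dict[str, Any], resource: Dict[str, Any], action: str,
            environment: Dict[str, Any]) -> Request:
    return {"subject": subject, "resource": resource,
            "action": {"action-id": action}, "environment": environment}


def has_role(role: str) -> Match:
    return lambda r: r["subject"].get("role") == role


# Generalized Doctor role: one policy for every department; the department
# attribute of subject and resource does the fine-grained work instead of the
# Doctor_Heart / Doctor_Brain / Doctor_Lungs roles of Table 4.2.
DOCTOR_POLICY = Policy("doctor-appointments",
    target=lambda r: has_role("Doctor")(r) and r["resource"]["type"] == "appointment"
                     and r["action"]["action-id"] in ("read", "write"),
    rules=[Rule("same-department", "Permit",
                lambda r: r["resource"]["department"] == r["subject"]["department"]),
           Rule("other-department", "Deny", lambda r: True)])

# Environmental attribute: the receptionist may write appointments 09:00-17:00 only.
RECEPTIONIST_POLICY = Policy("receptionist-hours",
    target=lambda r: has_role("Receptionist")(r) and r["resource"]["type"] == "appointment"
                     and r["action"]["action-id"] == "write",
    rules=[Rule("office-hours", "Permit",
                lambda r: time(9, 0) <= r["environment"]["current-time"] < time(17, 0)),
           Rule("after-hours", "Deny", lambda r: True)])

# Role activation as its own decision: the resource is the role being activated.
NURSE_ACTIVATION_POLICY = Policy("nurse-activation",
    target=lambda r: r["action"]["action-id"] == "activate-role" and r["resource"]["role"] == "Nurse",
    rules=[Rule("within-shift", "Permit",
                lambda r: r["subject"]["shift-start"] <= r["environment"]["current-time"]
                          < r["subject"]["shift-end"]),
           Rule("outside-shift", "Deny", lambda r: True)])

POLICIES = [DOCTOR_POLICY, RECEPTIONIST_POLICY, NURSE_ACTIVATION_POLICY]

# Constructed requests mirroring the permit/deny pairs of Tables 4.1 to 4.3.
HEART_DOCTOR = {"role": "Doctor", "department": "Heart"}
NURSE = {"role": "Nurse", "shift-start": time(8, 0), "shift-end": time(16, 0)}
TEST_CASES = {
    "doctor-permit": request(HEART_DOCTOR, {"type": "appointment", "department": "Heart"}, "write", {}),
    "doctor-deny": request(HEART_DOCTOR, {"type": "appointment", "department": "Brain"}, "write", {}),
    "receptionist-permit": request({"role": "Receptionist"}, {"type": "appointment", "department": "Heart"},
                                   "write", {"current-time": time(10, 30)}),
    "receptionist-deny": request({"role": "Receptionist"}, {"type": "appointment", "department": "Heart"},
                                 "write", {"current-time": time(18, 0)}),
    "nurse-activate-permit": request(NURSE, {"role": "Nurse"}, "activate-role", {"current-time": time(9, 15)}),
    "nurse-activate-deny": request(NURSE, {"role": "Nurse"}, "activate-role", {"current-time": time(20, 0)}),
}


def run_test_cases() -> Dict[str, str]:
    return {name: decide(POLICIES, req) for name, req in TEST_CASES.items()}
```

First-applicable within a policy and deny-overrides across the policy set are standard XACML combining algorithms; the trailing Deny rule in each policy is what makes the negative cases answer Deny rather than NotApplicable, which is the shape of the responses in Figures 4.5, 4.10 and 4.15. A request from a subject no policy targets (for example a role none of the policies name) comes back NotApplicable, which a PEP should treat as a refusal.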
V. FUTURE WORK
To measure the computational cost of the model we plan to evaluate the following parameters:
1. Response time of authorization: the time between sending the authorization request and receiving the reply.
2. Size of log: the size of the log file.
3. Processing time versus number of rules: how the processing time is affected by increasing the number of rules.
VI. CONCLUSION
Attribute-based access control (ABAC) and role-based access control (RBAC) are today the two most popular and widely used access control models. Yet both have known limitations, and their features are complementary. A number of extensions have been proposed for both RBAC and ABAC, but none overcomes the limitations of both at once. We have therefore developed a model that overcomes the limitations of each.
VII. REFERENCES
[1] Hui Qi, Hongxin Ma, Jinqing Li and Xiaoqiang Di, "Access Control Model Based on Role and Attribute and Its Applications on Space-Ground Integration Networks", IEEE, 2015.
[2] Lawrence Kerr and Jim Alves-Foss, "Combining Mandatory and Attribute-based Access Control", IEEE, 2016.
[3] Li Ma, Yanjie Zhou and Wei Duan, "Extended RBAC Model with Task Constraint Rules", Springer-Verlag Berlin Heidelberg, 2014.
[4] Wenrong Zeng, Yuhao Yang and Bo Luo, "Content-Based Access Control: Use Data Content to Assist Access Control for Large-Scale Content-Centric Databases", IEEE International Conference on Big Data, 2014.
[5] Xin Jin, Ravi Sandhu and Ram Krishnan, "RABAC: Role-Centric Attribute-Based Access Control", Springer-Verlag Berlin Heidelberg, 2012.
[6] Jingwei Huang, David M. Nicol, Rakesh Bobba and Jun Ho Huh, "A Framework Integrating Attribute-based Policies into Role-Based Access Control", SACMAT '12, June 20-22, 2012.
[7] Qasim Mahmood Rajpoot, Christian Damsgaard Jensen and Ram Krishnan, "Attributes Enhanced Role-Based Access Control Model", Proceedings of the 12th International Conference on Trust, Privacy and Security in Digital Business (TrustBus '15), pp. 3-17, Springer.
[8] Dipmala Salunke, Anilkumar Upadhyay, Amol Sarwade, Vaibhav Marde and Sachin Kandekar, "A survey paper on Role Based Access Control", International Journal of Advanced Research in Computer and Communication Engineering, Vol. 2, Issue 3, March 2013.
[9] Xin Jin, Ram Krishnan and Ravi Sandhu, "A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC".
[10] Qasim Mahmood Rajpoot, Christian Damsgaard Jensen and Ram Krishnan, "Integrating Attributes into Role-Based Access Control".