A Seminar on Attribute Based Access Control (ABAC)

Presented by: Chandra Mohan Sharma (15CS60D04, M. Tech. 1st Year), Chandramohansharma.cms@gmail.com
Guided by: Dr. Shamik Sural, Professor, IIT Kharagpur
IIT Kharagpur, March 18, 2016
Outline
1. Motivation
2. Security Related Key Terms
3. Access Control Mechanism
4. Traditional Access Control Models
5. Attribute Based Access Control ( ABAC )
6. Conclusion
Motivation
Security – Why?
[Figure: resource protection, threats and information sharing]
[Figure: possibly the most secure, but unusable, system]
Security Components
[Figure: the three components of security – Confidentiality, Integrity, Availability]
Security – Key Terms
1. Authentication: "Who are you?" – three factors:
   – Who you are: username, user id, etc.
   – What you have: password, access card, fingerprint, etc.
   – What you are: digital identity
2. Authorization: "What can you access?"
3. Accounting: "What have you accessed?"
4. Policy: a statement of what is allowed and what is not allowed
5. Mechanism: the operations that implement and enforce a policy
Access Control Mechanism
NIST defines an Access Control Mechanism as a logical component that serves to receive the access request for an Object from a Subject and to decide and enforce the access decision.
[Figure: Subject (user, NPE) → Access Control Mechanism → Object (file, data, resource)]
Traditional Access Control Models – DAC
Discretionary Access Control (DAC): it is the owner's responsibility to define the rights of each subject on the object. The main properties of DAC are
– Decentralised – at the discretion of each individual owner
– Identity based
– Permission rules are attached to the object
The HRU model is an example of DAC.
Access Control Matrix
– The simple conceptual model that specifies the rights that each subject possesses for each object.
– The protection state of the system is defined by the triplet (A, S, O).
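The matrix and the owner-discretion rule of DAC, as an added example that is not part of the seminar: the protection state (S, O, A) is kept in the HRU style, with primitive operations that edit the matrix and two HRU-style commands (confer and revoke) whose condition is that the caller holds the `own` right. The subjects, objects and rights below are constructed; the `own` right and the rule that the creator of an object owns it are assumptions of this example.

```python
# Added example, not from the seminar: an access-control-matrix protection
# state (S, O, A) in the HRU style with the DAC rule that only an object's
# owner may confer or revoke rights on it. All names and rights are constructed.


class ProtectionState:
    """Protection state: subjects S, objects O and the rights matrix A."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.matrix = {}  # A: (subject, object) -> set of rights

    # HRU primitive operations
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)  # in HRU every subject is also an object

    def create_object(self, owner, o):
        """Assumption of this example: the creator of an object owns it."""
        self.objects.add(o)
        self.enter_right("own", owner, o)

    def enter_right(self, r, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError(f"unknown subject/object in ({s}, {o})")
        self.matrix.setdefault((s, o), set()).add(r)

    def delete_right(self, r, s, o):
        self.matrix.get((s, o), set()).discard(r)

    # Reference-monitor check used by the access control mechanism
    def check(self, s, r, o):
        """Permit iff r is in A[s, o]; an empty cell means deny."""
        return r in self.matrix.get((s, o), set())

    # HRU commands: a condition on A followed by primitive operations.
    # Discretionary part: the body runs only if the caller owns o.
    def confer(self, owner, r, s, o):
        if not self.check(owner, "own", o):
            return False
        self.enter_right(r, s, o)
        return True

    def revoke(self, owner, r, s, o):
        if not self.check(owner, "own", o):
            return False
        self.delete_right(r, s, o)
        return True


def demo():
    """Returns a trace of decisions for a small constructed scenario."""
    st = ProtectionState()
    for s in ("alice", "bob", "mallory"):
        st.create_subject(s)
    st.create_object("alice", "report.txt")
    trace = {}
    # owning an object does not by itself give read (own != read)
    trace["alice_reads_own"] = st.check("alice", "read", "report.txt")
    st.confer("alice", "read", "alice", "report.txt")
    trace["alice_confers_bob_read"] = st.confer("alice", "read", "bob", "report.txt")
    trace["bob_reads"] = st.check("bob", "read", "report.txt")
    trace["bob_writes"] = st.check("bob", "write", "report.txt")
    # a non-owner cannot confer rights, not even on itself
    trace["mallory_self_grant"] = st.confer("mallory", "read", "mallory", "report.txt")
    trace["mallory_reads"] = st.check("mallory", "read", "report.txt")
    trace["alice_revokes_bob"] = st.revoke("alice", "read", "bob", "report.txt")
    trace["bob_reads_after_revoke"] = st.check("bob", "read", "report.txt")
    return trace


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to notice is the last two lines of the trace: because rights are recorded per object, the owner can revoke them later, but nothing in the matrix stops a subject who has been given `read` from copying the data elsewhere, which is why the slide lists "identity based" and "owner discretion" as properties rather than guarantees.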
Traditional Access Control Models – MAC
Mandatory Access Control (MAC): access decisions are taken and enforced by the security system. The main characteristics of MAC are
– Centralised
– Most restrictive model – military style of model
– Used in highly sensitive application areas
Bell–LaPadula, Biba and the Chinese Wall model are examples of MAC.
Bell–LaPadula Model
– Subjects have a security clearance
– Objects have a security classification
– Only subjects of the same or a higher security clearance can access objects of a given security class
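The clearance/classification check above, as an added example that is not part of the seminar. The read rule is the one on the slide (the subject's clearance must be at or above the object's class); the example goes beyond the slide in two ways it labels: labels carry a set of need-to-know categories in addition to the ordered level, and a write check ("no write down") is included alongside the read check. The level names, categories and labelled subjects are constructed.

```python
# Added example, not from the seminar: Bell-LaPadula read and write checks over
# a security lattice (ordered level plus a set of need-to-know categories).
# The levels, categories and the labels used below are constructed.

from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A clearance (for a subject) or a classification (for an object)."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND a
        superset of the categories. Two labels with disjoint categories are
        incomparable, so neither dominates the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(clearance, classification):
    """Simple security property ("no read up"): the rule on the slide."""
    return clearance.dominates(classification)


def can_write(clearance, classification):
    """*-property ("no write down"), beyond the slide: the object's class must
    dominate the subject's clearance, so data never flows to a lower label."""
    return classification.dominates(clearance)


def decide(operation, clearance, classification):
    """Mandatory decision: taken by the system, not by any owner."""
    if operation == "read":
        return can_read(clearance, classification)
    if operation == "write":
        return can_write(clearance, classification)
    raise ValueError(f"unknown operation {operation!r}")


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    memo = Label("CONFIDENTIAL", frozenset({"NUCLEAR"}))
    plan = Label("TOP_SECRET", frozenset({"NUCLEAR"}))
    crypto_note = Label("CONFIDENTIAL", frozenset({"CRYPTO"}))
    for op, obj, name in (("read", memo, "memo"), ("read", plan, "plan"),
                          ("read", crypto_note, "crypto_note"),
                          ("write", plan, "plan"), ("write", memo, "memo")):
        print(f"{op:5} {name:12} -> {decide(op, analyst, obj)}")
```

The `crypto_note` case is the one worth running: it sits at a lower level than the analyst's clearance, yet the read is denied because the category set is not dominated, which is the "need to know" refinement that a purely level-based check misses.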
Traditional Access Control Models – RBAC
Role Based Access Control (RBAC): subjects are assigned roles which have predefined associated permissions to perform certain operations on the objects. The main features of RBAC are
– Centralized and decentralized at once
– Permissions are enforced through an Access Control List (ACL) attached to objects
– Suits industry-style applications
[Figure: users are assigned to Role1/Role2, and the roles are mapped to assets]
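The user → role → permission indirection in the figure, as an added example that is not part of the seminar. It implements core RBAC and adds a role hierarchy (a senior role inherits a junior role's permissions), which goes beyond the flat roles on the slide. The users, roles, operations and objects are constructed.

```python
# Added example, not from the seminar: core RBAC (users -> roles -> permissions)
# plus a role hierarchy, which goes beyond the slide's flat roles. The users,
# roles, operations and objects below are constructed.


class RBAC:
    """Users are assigned roles; roles hold permissions (operation, object).
    A user never holds a permission directly, so user and permission stay
    loosely coupled: changing a user's roles changes all their access at once."""

    def __init__(self):
        self.user_roles = {}   # user -> set of roles
        self.role_perms = {}   # role -> set of (operation, object)
        self.parents = {}      # role -> roles it inherits from (senior -> junior)

    def add_role(self, role, inherits=()):
        self.role_perms.setdefault(role, set())
        self.parents[role] = set(inherits)

    def grant_permission(self, role, operation, obj):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.role_perms[role].add((operation, obj))

    def assign_role(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def deassign_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """Assigned roles plus every role reachable through the hierarchy."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.parents.get(role, ()))
        return seen

    def check(self, user, operation, obj):
        """Permit iff some effective role holds the permission; default deny."""
        return any((operation, obj) in self.role_perms[r]
                   for r in self.effective_roles(user))


def build_demo():
    """Constructed organisation: engineer and manager both inherit employee."""
    rbac = RBAC()
    rbac.add_role("employee")
    rbac.add_role("engineer", inherits=["employee"])
    rbac.add_role("manager", inherits=["employee"])
    rbac.grant_permission("employee", "read", "handbook")
    rbac.grant_permission("engineer", "push", "source-repo")
    rbac.grant_permission("manager", "approve", "expense-report")
    rbac.assign_role("alice", "engineer")
    rbac.assign_role("bob", "manager")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    for user, op, obj in (("alice", "read", "handbook"), ("alice", "push", "source-repo"),
                          ("alice", "approve", "expense-report"), ("bob", "approve", "expense-report")):
        print(user, op, obj, "->", rbac.check(user, op, obj))
```

Deassigning a single role is the administrative win the pros/cons slide calls "less administration required"; the cons on the same slide show up the moment a request depends on something that is not a role, such as the time of day or the device used, because there is nowhere in this model to express it.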
Traditional Access Control Models – RBAC Example
[Figure: RBAC example]
Traditional Access Control Models – Pros & Cons

DAC
  Pros:
  – Easy to implement
  – Highly flexible
  Cons:
  – Doesn't scale well
  – ACL explosion possibility
  – Prone to mistakes

MAC
  Pros:
  – Most secure
  – Easy to scale
  Cons:
  – Not flexible
  – Limited user functionality
  – High admin overhead

RBAC
  Pros:
  – Scalable
  – Flexible – user and permission are loosely coupled
  – Less administration required
  Cons:
  – Roles need provisioning and maintenance
  – Possibility of role explosion
  – Unable to accommodate real-time context
Attribute Based Access Control – ABAC
NIST defines ABAC as "An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions".
[Figure: ABAC mechanism – the access control policy rule is evaluated over subject attributes, object attributes and environment conditions; the resulting decision is enforced between subject and object]
ABAC Example
Online Movie Viewing Application
– Basic Policy: access to a movie will be granted based on the age of the user and the rating of the movie.
– For example, children will be allowed to watch movies with a G rating.

R1: canaccess(u, m, e) ←
    (Age(u) ≥ 21 ∧ Rating(m) ∈ {R, PG13, G}) ∨
    (21 ≥ Age(u) ≥ 13 ∧ Rating(m) ∈ {PG13, G}) ∨
    (Age(u) < 13 ∧ Rating(m) ∈ {G})
R2: canaccess(u, m, e) ←
    (MemberType(u) = 'Premium') ∨
    (MemberType(u) = 'Regular' ∧ MovieType(m) ∉ {'New Release'})
R3: canaccess(u, m, e) ← R1 ∧ R2

Advanced Policy: premium customers can view new releases. For this, a new rule R2 is formed and aggregated with R1 (as R3) to enforce both policies.
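The rules R1, R2 and R3 above, written as predicates over attribute dictionaries, as an added example that is not part of the seminar. The attribute names `Age`, `Rating`, `MemberType` and `MovieType` are the slide's own; the sample users and movies are constructed, and the default-deny wrapper `can_access` (a missing attribute is a deny, not an error) is an addition of this example.

```python
# Added example, not from the seminar: the movie-viewing rules R1, R2 and R3
# from the slide as predicates over attribute dictionaries. Sample users and
# movies are constructed; the default-deny wrapper is this example's addition.


def r1(u, m, e=None):
    """Age/rating rule, exactly as written on the slide (the 13..21 band
    overlaps with the >= 21 band at 21, which is harmless in a disjunction)."""
    age, rating = u["Age"], m["Rating"]
    return ((age >= 21 and rating in {"R", "PG13", "G"})
            or (13 <= age <= 21 and rating in {"PG13", "G"})
            or (age < 13 and rating in {"G"}))


def r2(u, m, e=None):
    """Membership rule: premium members may view everything, regular members
    everything except new releases."""
    member = u["MemberType"]
    return (member == "Premium"
            or (member == "Regular" and m["MovieType"] not in {"New Release"}))


def r3(u, m, e=None):
    """Aggregation: both the basic and the advanced policy must permit."""
    return r1(u, m, e) and r2(u, m, e)


def can_access(u, m, e=None, policy=r3):
    """Default-deny evaluation: if the PIP cannot supply an attribute the rule
    needs (KeyError), the request is denied rather than the policy crashing."""
    try:
        return bool(policy(u, m, e))
    except KeyError:
        return False


# Constructed sample attribute sets
CHILD = {"Age": 10, "MemberType": "Regular"}
TEEN = {"Age": 16, "MemberType": "Premium"}
ADULT_REGULAR = {"Age": 30, "MemberType": "Regular"}
ADULT_PREMIUM = {"Age": 30, "MemberType": "Premium"}
CATALOG_G = {"Rating": "G", "MovieType": "Catalog"}
NEW_PG13 = {"Rating": "PG13", "MovieType": "New Release"}
NEW_R = {"Rating": "R", "MovieType": "New Release"}

if __name__ == "__main__":
    for who, u in (("child", CHILD), ("teen", TEEN),
                   ("adult/regular", ADULT_REGULAR), ("adult/premium", ADULT_PREMIUM)):
        for what, m in (("catalog G", CATALOG_G), ("new PG13", NEW_PG13), ("new R", NEW_R)):
            print(f"{who:14} {what:10} -> {can_access(u, m)}")
```

Compare the adult/regular row with the adult/premium row: R1 passes for both on the R-rated new release, and only R2, the rule the "advanced policy" added, separates them. That is the aggregation the slide describes, and it is also why a policy analyst needs to check each rule on its own before trusting the conjunction.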
ABAC Advantage
Problems with traditional access control models:
– Static – access control permissions are predetermined
– No context – environmental conditions are not considered
– Too coarse – classification is done at a high abstraction level
ABAC advantages:
– Dynamic – access control permissions are evaluated at the time the actual request is made
– Contextual – environmental conditions may be considered
– Fine grained – attribute based, so detailed rules can be formed
Example: using ABAC, we can form rules like:
– User can access Server from office
– User can access Server from office during working hours
– User can access Server from home during non-working hours using laptop only
ABAC – Access Control Mechanism
In ABAC, the PEP, PDP, PAP and PIP may be on the same machine or may be physically separated. Such a distributed framework gives rise to ABAC Enterprise.
[Figure: Access Control Mechanism for ABAC]
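The four components named above (Policy Enforcement Point, Policy Decision Point, Policy Administration Point and Policy Information Point) as separate classes, evaluating the "server from office / from home" rules of the previous slide against environment conditions, as an added example that is not part of the seminar. The users, hosts, working-hours definition, the `department`/`owner_dept` attributes and the way the two rules are combined (permit if any rule permits) are all constructed for this example.

```python
# Added example, not from the seminar: the four ABAC components as separate
# classes, with the PIP supplying environment conditions (time, location,
# device) for the "server from office / from home" rules of the previous slide.
# Users, hosts, working hours, attribute names and the rule combination are
# constructed.

from datetime import datetime


def working_hours(env):
    """Constructed definition: Monday to Friday, 09:00 to 17:59."""
    return env["weekday"] and 9 <= env["hour"] < 18


class PAP:
    """Policy Administration Point: where rules are written and stored."""

    def __init__(self):
        self.rules = []  # (name, predicate(subject, resource, action, env))

    def add_rule(self, name, predicate):
        self.rules.append((name, predicate))


class PIP:
    """Policy Information Point: resolves attribute values for the PDP."""

    def __init__(self, users, hosts):
        self.users, self.hosts = users, hosts

    def subject_attrs(self, uid):
        return self.users.get(uid)

    def resource_attrs(self, rid):
        return self.hosts.get(rid)

    def environment_attrs(self, now, location, device):
        return {"hour": now.hour, "weekday": now.weekday() < 5,
                "location": location, "device": device}


class PDP:
    """Policy Decision Point: evaluates the PAP's rules over PIP attributes.
    Combining algorithm (constructed): permit if any rule permits, else deny."""

    def __init__(self, pap, pip):
        self.pap, self.pip = pap, pip

    def decide(self, uid, rid, action, now, location, device):
        s, r = self.pip.subject_attrs(uid), self.pip.resource_attrs(rid)
        if s is None or r is None:
            return "Deny", "unknown subject or resource"
        e = self.pip.environment_attrs(now, location, device)
        for name, rule in self.pap.rules:
            try:
                if rule(s, r, action, e):
                    return "Permit", name
            except KeyError:
                continue  # a rule needing an absent attribute does not apply
        return "Deny", "no rule matched"


class PEP:
    """Policy Enforcement Point: intercepts the request, asks the PDP, enforces."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit = []  # the accounting trail from the key-terms slide

    def request(self, uid, rid, action, now, location, device):
        decision, reason = self.pdp.decide(uid, rid, action, now, location, device)
        self.audit.append((now.isoformat(), uid, rid, action, decision, reason))
        return decision == "Permit"


def build_pep():
    pap = PAP()
    # "User can access Server from office during working hours"
    pap.add_rule("office-working-hours", lambda s, r, a, e:
                 a == "ssh" and s["department"] == r["owner_dept"]
                 and e["location"] == "office" and working_hours(e))
    # "User can access Server from home during non working hours using laptop only"
    pap.add_rule("home-off-hours-laptop", lambda s, r, a, e:
                 a == "ssh" and s["department"] == r["owner_dept"]
                 and e["location"] == "home" and not working_hours(e)
                 and e["device"] == "laptop")
    pip = PIP(users={"alice": {"department": "eng"}},
              hosts={"build-srv": {"owner_dept": "eng"}})
    return PEP(PDP(pap, pip))


# Constructed request times: 18 March 2016 is a Friday, 19 March a Saturday.
FRIDAY_10 = datetime(2016, 3, 18, 10, 0)
FRIDAY_20 = datetime(2016, 3, 18, 20, 0)
SATURDAY_10 = datetime(2016, 3, 19, 10, 0)

if __name__ == "__main__":
    pep = build_pep()
    pep.request("alice", "build-srv", "ssh", FRIDAY_10, "office", "desktop")
    pep.request("alice", "build-srv", "ssh", FRIDAY_20, "home", "laptop")
    pep.request("alice", "build-srv", "ssh", FRIDAY_20, "home", "phone")
    for entry in pep.audit:
        print(entry)
```

Two things in this layout matter once the components are physically separated, as the slide says they may be: the PDP's decision is only as good as the attributes the PIP hands it, so the channel between them needs the same integrity protection as the policy store itself, and the PEP's audit list is the only record of what was actually enforced, which is why it should be written even for denied requests.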
ABAC Pros & Cons
Pros:
– Dynamic and fine-grained access control
– Scalable
– Considers environmental conditions
– Can be mapped to the MAC and RBAC models
– Can easily adapt to risk (RAdAC)
– Easy administration
Cons:
– Attributes need provisioning and maintenance
– Possibility of attribute explosion
– Complex to analyze
Conclusion
– Information and system sharing, and the need to protect resources, necessitate having a security mechanism in place.
– Confidentiality, Integrity and Availability are the main components of information security.
– An Access Control Mechanism decides and enforces the outcome of an access request, thus providing users with restricted access to resources.
– DAC, MAC, RBAC and ABAC are the various access control models.
– RBAC is the widely used and popular access control model till now.
– ABAC is a fine-grained, flexible and scalable access control model which is now gaining momentum for adoption.
Questions?
Thank you.
