Towards A Generic Formal Framework for Access Control Systems
This work addresses limitations in access control systems for security and policy management, though it appears incremental as it builds on existing models like XACML.
The paper tackles the problem of restrictive access control models by developing a generic formal framework that imposes few restrictions, enabling the derivation of models with properties like monotonicity and completeness, specifically applied to create attribute-based access control models similar to XACML that are monotonic and complete.
There have been many proposals for access control models and authorization policy languages, which are used to inform the design of access control systems. Most, if not all, of these proposals impose restrictions on the implementation of access control systems, thereby limiting the type of authorization requests that can be processed or the structure of the authorization policies that can be specified. In this paper, we develop a formal characterization of the features of an access control model that imposes few restrictions of this nature. Our characterization is intended to be a generic framework for access control, from which we may derive access control models and reason about the properties of those models. In this paper, we consider the properties of monotonicity and completeness, the first being particularly important for attribute-based access control systems. XACML, an XML-based language and architecture for attribute-based access control, is neither monotonic nor complete. Using our framework, we define attribute-based access control models, in the style of XACML, that are, respectively, monotonic and complete.