CR, Jun 19, 2014

Path Conditions and Principal Matching: A New Approach to Access Control

arXiv:1406.4988v1, 69 citations
Originality: Incremental advance
AI Analysis

This work addresses access control issues in general computing systems by shifting from user-centric to relationship-based authorization, offering a novel approach for improved security and flexibility.

The paper tackles the problem of user-centric authorization policies by proposing a relationship-based access control model using path conditions, and develops a formal method and algorithm for policy evaluation with established complexity.

Traditional authorization policies are user-centric, in the sense that authorization is defined, ultimately, in terms of user identities. We believe that this user-centric approach is inappropriate for many applications, and that what should determine authorization is the relationships that exist between entities in the system. While recent research has considered the possibility of specifying authorization policies based on the relationships that exist between peers in social networks, we are not aware of the application of these ideas to general computing systems. We develop a formal access control model that makes use of ideas from relationship-based access control and a two-stage method for evaluating policies. Our policies are defined using path conditions, which are similar to regular expressions. We define semantics for path conditions, which we use to develop a rigorous method for evaluating policies. We describe the algorithm required to evaluate policies and establish its complexity. Finally, we illustrate the advantages of our model using an example and describe a preliminary implementation of our algorithm.
