Reachability Analysis for Attributes in ABAC with Group Hierarchy
This research provides a complexity analysis and algorithms for determining user attribute reachability in ABAC systems with group hierarchies, which is important for security administrators to understand potential access rights.
This paper addresses the user attribute reachability problem in rGURAG schemes, a restricted form of the HGABAC model, which involves attributes directly assigned to users and those inherited through group memberships. The authors demonstrate PSPACE-complete complexity for general rGURAG schemes and provide polynomial-time algorithms for specific restricted instances.
Attribute-based access control (ABAC) models are widely used to provide fine-grained and adaptable authorization based on the attributes of users, resources, and other relevant entities. Hierarchial group and attribute based access control (HGABAC) model was recently proposed which introduces the novel notion of attribute inheritance through group membership. GURAG was subsequently proposed to provide an administrative model for user attributes in HGABAC, building upon the ARBAC97 and GURA administrative models. The GURA model uses administrative roles to manage user attributes. The reachability problem for the GURA model is to determine what attributes a particular user can acquire, given a predefined set of administrative rules. This problem has been previously analyzed in the literature. In this paper, we study the user attribute reachability problem based on directly assigned attributes of the user and attributes inherited via group memberships. We first define a restricted form of GURAG, called rGURAG scheme, as a state transition system with multiple instances having different preconditions and provide reachability analysis for each of these schemes. In general, we show PSPACE-complete complexity for all rGURAG schemes. We further present polynomial time algorithms to solve special instances of rGURAG schemes under restricted conditions.