Constraints Specification in Attribute Based Access Control

Recently, attribute based access control (ABAC )has received considerable attention from the secu-rity community for its policy flexibility and dynamicdecision making capabilities. In ABAC, authoriza-tion decisions are made based on various attributesof entities involved in the access (e.g., users, sub-jects, objects, context, etc.). In an ABAC system,a proper attribute assignment to different entitiesis necessary for ensuring appropriate access. shouldbe constrained much like user-role assignments areconstrained in Role-Based Access Control. Althoughconsiderable research has been conducted on ABAC,so far constraints specification on attribute assign-ment to entities has not been well-studied in theliterature. In this paper, we propose an attribute-based constraints specification language (ABCL) forexpressing a variety of constraints on values that dif-ferent attributes of various entities in the system cantake. ABCL can be used to specify constraints on asingle attribute or across multiple attributes of a par-ticular entity. Furthermore, constraints on attributesassignment across multiple entities (e.g., attributesof different users) can also be specified. We showthat ABCL can specify several well-known constraintpolicies including separation of duty and cardinalitypolicies. We demonstrate the usefulness of ABCL indifferent usage scenarios including banking and cloudcomputing domains. We also discuss enforcement ofABCL constraints and its performance.