Enabling Flexible Administration in ABAC Through Policy Review: A Policy Machine Case Study

摘要

The Next Generation Access Control (NGAC), founded on the Policy Machine (PM), is a robust Attribute-Based Access Control (ABAC) framework that enables a structured and flexible approach for the establishment of the conventional access control models. The authorization state of the policy machine is represented as an annotated Directed Acyclic Graph (DAG). Structurally, relations among attributes of the same type are hierarchical, and creating new relation(s) to specify an authorization may be achieved through different approaches. However, one or more limitations can make most of the obvious approaches to grant new access inconsistent with existing rules. We proposed an algorithm that provides the PM administrator a comprehensive list of all possible approaches to authorize access. The approaches generated by our algorithm can help the PM administrator makes an informed decision before authorizing access.