Logical policy-based access control models are highly expressive and thus give administrators the flexibility to represent a wide variety of authorization policies. Extensional access control models, on the other hand, use simple data structures, which better enables a less trained, non-administrative workforce to participate in the day-to-day operation of the system. In this paper, we formally study a hybrid approach, tag-based authorization (TBA), which combines the ease of use of extensional systems while still retaining a meaningful degree of the expressiveness of logical systems. TBA employs an extensional data structure to represent metadata tags associated with subjects and objects, together with a logical language for defining the access control policy in terms of those tags. We formally define TBA and introduce variants that include tag ontologies and delegation. We evaluate the resulting system by comparing it to well-known extensional and logical access control models.