Policy administration in tag-based authorization

E. Bertino; G. Greco; J. Crampton; J. Crampton; J.G. Cederquist; M. Abadi; M. Ben-Ghorbel-Talbi; M. Ben-Ghorbel-Talbi; M.A. Harrison; M.Y. Becker; N. Li; N. Zhang; P.P. Griffiths; Q. Wang; R. Sandhu; S. Heeps; S. Osborn; T.L. Hinrichs

Policy administration in tag-based authorization

Authors: E. Bertino
G. Greco
J. Crampton
J. Crampton
J.G. Cederquist
M. Abadi
M. Ben-Ghorbel-Talbi
M. Ben-Ghorbel-Talbi
M.A. Harrison
M.Y. Becker
N. Li
N. Zhang
P.P. Griffiths
Q. Wang
R. Sandhu
S. Heeps
S. Osborn
T.L. Hinrichs
Publication date: 1 October 2012
Publisher: 'Springer Science and Business Media LLC'
Doi

Abstract

Tag-Based Authorization (TBA) is a hybrid access control model that combines the ease of use of extensional access control models with the expressivity of logic-based formalisms. The main limitation of TBA is that it lacks support for policy administration. More precisely, it does not allow policy-writers to specify administrative policies that constrain the tags that users can assign, and to verify the compliance of assigned tags with these policies. In this paper we introduce TBA2 (Tag-Based Authorization & Administration), an extension of TBA that enables policy administration in distributed systems. We show that TBA2 is more expressive than TBA and than two reference administrative models proposed in the literature, namely HRU and ARBAC97. © 2013 Springer-Verlag