Proactive identification and prevention of unexpected future rule conflicts in attribute based access control

Abstract

Attribute based access control (ABAC) provides an intuitive way for security administrators to express conditions (associated with status of objects) in access control policies; however, during the design and development of an ABAC system, new problems concerning the consistency and security of the ABAC system may emerge. In this paper, we report on two specific ABAC problems denoted as the "future rule conflicts" problem and the "object overlapping" problem, which we have recently identified in developing the ABAC system for a large research laboratory. We use real world examples to illustrate the negative impact of these two problems and present two novel algorithms for the identification and prevention of these problems. We give the correctness proof for both algorithm and apply these algorithms to the attribute based laboratory control (ABLC) system and the results are also reported. © 2010 Springer-Verlag Berlin Heidelberg.