Policy engineering in RBAC and ABAC

Abstract

Role-based Access Control (RBAC) and Attribute-based access control (ABAC) are the most widely used access control models for mediating controlled access to resources in organizations. In RBAC, permissions are associated with roles, and users are assigned to appropriate roles. Therefore, it is imperative that a proper set of roles is necessary for the efficient deployment of RBAC. Most organizations possess a set of existing user-permission assignments which can be used to create appropriate roles. This process, known as role mining, is an important and challenging task in the deployment of RBAC in any organization. On the other hand, in ABAC, the access decisions depend on the attributes of the various entities and a set of authorization rules (policies). The efficiency of an ABAC model relies upon the strength and correctness of the authorization rules. Similar to role mining in RBAC, the process of constructing an appropriate set of ABAC authorization rules, known as policy engineering, is crucial for the implementation of ABAC. Regardless of the differences in RBAC and ABAC, the problems of role mining in RBAC and policy engineering in ABAC are quite similar and equally important for the corresponding access control models. In this chapter, we explore the role mining problem and the policy engineering problem along with their existing solution strategies and identify future directions of research in these two areas.