MT-ABAC: A multi-tenant attribute-based access control model with tenant trust

Abstract

A major barrier to the adoption of cloud Infrastructure-as-a-Service (IaaS) is collaboration, where multiple tenants engage in collaborative tasks requiring resources to be shared across tenant boundaries. Currently, cloud IaaS providers focus on multi-tenant isolation, and offer limited or no cross-tenant access capabilities in their IaaS APIs. In this paper, we present a novel attribute-based access control (ABAC) model to enable collaboration between tenants in a cloud IaaS, as well as more generally. Our approach allows cross-tenant attribute assignment to provide access to shared resources across tenants. Particularly, our tenant-trust authorizes a trustee tenant to assign its attributes to users from a trustor tenant, enabling access to the trustee tenant’s resources. We designate our multi-tenant attribute-based access control model as MT-ABAC. Previously, a multi-tenant role-based access control (MT-RBAC) model has been defined in the literature wherein a trustee tenant can assign its roles to users from a trustor tenant. We demonstrate that MT-ABAC can be configured to enforce MT-RBAC thus subsuming it as a special case.