Graph-based access control: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 08:29, 15 July 2015 edit Prof schaller (talk \| contribs) 43 edits →See also ← Previous edit		Latest revision as of 02:27, 12 August 2024 edit undo Citation bot (talk \| contribs) Bots 5,865,395 edits Alter: url, title, template type. URLs might have been anonymized. Add: chapter-url, chapter, authors 1-1. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. \| Use this bot. Report bugs. \| Suggested by Abductive \| #UCB_toolbar
(69 intermediate revisions by 25 users not shown)
Line 1: '''Graph-based access control''' ('''GBAC''') is a ~~rather~~[[declarative ~~new~~programming\|declarative]] ~~technique~~way ~~for~~to ~~granting~~define ~~users~~[[access ofcontrol\|access rights]], task assignments, recipients and content in [[information ~~systems~~system]]s. ~~access~~Access rights toare ~~data~~granted to objects like files or documents, but also business objects such as an account. ItGBAC can also be used for the assignment of agents to tasks in workflow environments. Organizations are modeled as a specific kind of semantic graph comprising the organizational ~~structure~~units, the roles and functions as well as the human and automatic agents (i.a. ~~Compared~~persons, tomachines). The main difference with other approaches ~~like~~such as [[~~RBAC~~role-based access control]] or [[~~Attribute~~attribute-~~based_access_control\|ABAC~~based access control]] ~~the main difference~~ is that in GBAC access rights are defined using an ~~organization~~organizational query language instead of total enumeration. ▼ ~~{{User sandbox}}~~ ~~<!-- EDIT BELOW THIS LINE -->~~ ▲Graph-based access control is a rather new technique for granting users of information systems access rights to data objects like files or documents. It can also be used for the assignment of tasks in workflow environments. Organizations are modeled as a specific kind of semantic graph comprising the organizational structure, the roles and functions as well as the agents. Compared to other approaches like [[RBAC]] or [[Attribute-based_access_control\|ABAC]] the main difference is that in GBAC access rights are defined using an organization query language instead of total enumeration. == History == The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [<ref name="DISS">{{cite book \|last1=Schaller \|first1=Thomas \|url=https://www.researchgate.net/publication/220690241 \|title=Organisationsverwaltung in CSCW-Systemen - Dissertation \|date=1998 \|publisher=Bamberg University \|___location=Bamberg}}</ref>] (in English language please see <ref name="EOMAS">{{cite book \|last1=Lawall, Schaller, Reichelt \|url=https://www.researchgate.net/publication/283579217 \|title=Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems \|date=2014 \|publisher=Enterprise and Organizatinal Modeling and Simulation: 10th International Workshop CAiSE2014 \|___location=Thessaloniki}}</ref>) ~~where~~at ~~the~~Bamberg University. In CoCoSOrg an organization is represented as a semantic graph and a formal language ~~was~~is used to specify agents and their access rights in a workflow environment. Within the ~~project~~C-Org-Project ~~COrg~~at Hof University's Institute for Information Systems ([http://www.iisys.de/en/research/research-groups/information-management.html iisys]), the approach was extended by features like separation of duty, access control in virtual organizations <ref>{{cite journal\|last1=Lawall, Schaller, Reichelt\|title=Restricted Relations between Organizations for Cross-Organizational Processes\|journal=IEEE 16th Conference on Business Informatics (CBI), Geneva\|date=2014\|pages=~~74-80~~74–80}} [</ref> and subject-oriented access control .<ref>{{cite book\|last1=Lawall, Schaller, Reichelt\|title=S-BPM in the Wild: Role and Rights Management\|date=2015\|publisher=Springer\|___location=Berlin\|isbn=978-3-319-17541-6\|pages=~~171-186~~171–186\|edition=1}}</ref>].▼ ▲The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [<ref>{{cite book\|last1=Schaller\|first1=Thomas\|title=Organisationsverwaltung in CSCW-Systemen\|date=1998\|publisher=Bamberg University\|___location=Bamberg}}</ref>] (in English language please see <ref>{{cite book\|last1=Lawall, Schaller, Reichelt\|title=Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems\|date=2014\|publisher=Enterprise and Organizatinal Modeling and Simulation: 10th International Workshop CAiSE2014\|___location=Thessaloniki}}</ref>) where the organization graph and a formal language was used to specify agents and their access rights in a workflow environment. Within the project COrg the approach was extended by features like separation of duty, access control in virtual organizations <ref>{{cite journal\|last1=Lawall, Schaller, Reichelt\|title=Restricted Relations between Organizations for Cross-Organizational Processes\|journal=IEEE 16th Conference on Business Informatics (CBI),Geneva\|date=2014\|pages=74-80}} [</ref> and subject-oriented access control <ref>{{cite book\|last1=Lawall, Schaller, Reichelt\|title=S-BPM in the Wild: Role and Rights Management\|date=2015\|publisher=Springer\|___location=Berlin\|isbn=978-3-319-17541-6\|pages=171-186\|edition=1}}</ref>]. == Definition == Graph-based ~~Access~~access ~~Control~~control consists of two building blocks.: ▼ * A semantic graph modeling an organization ~~and~~ ▼ * aA query language.▼ === Organizational graph === ▲Graph-based Access Control consists of two building blocks. [[File:GBACOrgGraph.pdf\|thumb\|Organizational Graph in GBAC]] ▲* A semantic graph modeling an organization and ▲* a query language. The ~~organization~~organizational graph is divided into a type ~~and~~ and an instance level. On the instance level there are node types for ~~organization~~organizational units, functional units and agents. The basic structure of an organization is defined using ~~the~~ so called "structural ~~relation~~relations". ~~that~~They ~~defines~~define ~~which~~the "is part of"- relations between functional units ~~belongs~~and toorganizational ~~which~~units ~~organization~~as ~~unit~~well ~~and~~as ~~which~~the ~~agent~~mapping ~~fulfills~~of ~~which~~agents ~~function~~to functional units. Additionally there are specific relationship types like "deputyship" or ~~informs~~"informed_by". ~~that~~These types can be extended by the ~~user~~modeler. All relationships can be context sensitive ~~via~~through the usage of ~~attributes~~[[Predicate ~~defining~~(mathematical ~~constraints that have to be fulfilled in order for the arc to be valid~~logic)\|predicate]]s. ▼ ~~==== Organization Graph ====~~ ~~The~~On the type level isorganizational ~~used~~structures ~~for~~are ~~the~~described ~~purpose~~in ofa more general ~~re-usage~~manner. It consists of ~~organization~~organizational unit types, functional unit types and the same relationship types as on the instance level. ~~Types~~Type ~~are typical organization structures that~~definitions can be used to create new instances or reuse ~~organization~~organizational knowledge in case of exceptions (~~please~~for ~~see~~further ~~next~~reading ~~paragraph).~~see<ref name=DISS/><ref name=EOMAS />).▼ ▲The organization graph is divided into a type and and an instance level. On the instance level there are node types for organization units, functional units and agents. The basic structure of an organization is defined using the so called structural relation that defines which functional units belongs to which organization unit and which agent fulfills which function. Additionally there specific relationship types like deputyship or informs that can be extended by the user. All relationships can be context sensitive via the usage of attributes defining constraints that have to be fulfilled in order for the arc to be valid. ==== Query ~~Language~~language ====▼ ▲The type level is used for the purpose of re-usage. It consists of organization unit types, functional unit types and the same relationship types as on the instance level. Types are typical organization structures that can be used to create new instances or reuse organization knowledge in case of exceptions (please see next paragraph). In GBAC ~~the~~a query language is used to define aagents ~~set~~having ~~of agents~~certain ~~fulfilling~~characteristics ~~specific~~or ~~attributes~~abilities. The following table shows ~~how~~the ~~these~~usage ~~queries~~of ~~can~~the bequery ~~used~~language ~~within~~in the context of an access control matrix ~~to specify access rights to data objects~~. ▼ The first query means that all managers working for the company for more than asix ~~half year~~months can read the financial report, ~~and~~as ~~additionally~~well as the managers ~~that~~who are ~~empowered~~classified by the ~~usage~~flag ~~of specific flag~~"ReadFinancialReport". ▼ ▲==== Query Language ==== The daily financial report can only be written by the manager of the controlling department or ~~clerk~~clerks of the department ~~with~~that aare ~~specific~~enabled ~~flag.~~to do that (WriteFinancialReport==TRUE).▼ ▲In GBAC the query language is used to define a set of agents fulfilling specific attributes. The following table shows how these queries can be used within an access control matrix to specify access rights to data objects. ▲The first query means that all managers working for the company for more than a half year can read the financial report and additionally the managers that are empowered by the usage of specific flag. ▲The daily financial report can only be written by the manager of the controlling department or clerk of the department with a specific flag. {\| class="wikitable" Line 30 ⟶ 27: ! Data Object !! Read !! Write \|- \| Daily Financial Report \|\| Manager().(Now() - ~~Manager.~~HiringYear() > 0.5) OR Manager.ReadFinancialReport == TRUE \|\| Manager(Controlling) orOR Clerk(Controlling).WriteFinancialReport == TRUE \|} == Implementation == ~~== Relation to other Techniques ==~~ [[File:CORGUsage.jpg\|thumb\|Usage of C-Org]] GBAC was first implemented in the CoCoS Environment within the organizational server CoCoSOrg.<ref name=DISS /> == See also ==▼ In the C-Org-Project it was extended with more sophisticated features like separation of duty or access control in distributed environments. There is also a cloud-based implementation<ref>{{Cite book \|last1=Lawall \|first1=Alexander \|last2=Reichelt \|first2=Dominik \|last3=Schaller \|first3=Thomas \|chapter=Resource management and authorization for cloud services \|date=2015-04-23 \|title=Proceedings of the 7th International Conference on Subject-Oriented Business Process Management \|chapter-url=https://doi.org/10.1145/2723839.2723864 \|series=S-BPM ONE '15 \|___location=New York, NY, USA \|publisher=Association for Computing Machinery \|pages=18:1–18:8 \|doi=10.1145/2723839.2723864 \|isbn=978-1-4503-3312-2}}</ref> on IBM's [[Bluemix]]<ref>[http://www.ibm.com/cloud-computing/bluemix/?cm_mmc=search-gsn-_-branded-Bluemix-general-_-ibm%20bluemix-_-ger-bm-mkt-oww Bluemix]</ref> platform. In all implementations the server takes a query from a client system and resolves it to a set of agents. This set is sent back to the calling client as response. Clients can be file systems, database management systems, workflow management systems, physical security systems or even telephone servers. ~~[[RBAC]]~~ ~~Hypergraph-based Access Control~~ ▲== See also == {{columns-list\|colwidth=30em\| [[Access control list]] * [[Attribute-based access control]] (ABAC) * [[Capability-based security]] * [[Context-based access control]] (CBAC) * [[Discretionary access control]] (DAC) * [[Lattice-based access control]] (LBAC) * [[Mandatory access control]] (MAC) * [[Organisation-based access control]] (OrBAC) * [[Risk-based authentication]] * [[Role-based access control]] (RBAC) * [[RSBAC\|Rule-set-based access control (RSBAC)]] }} == References == <references/> [[Category:Access control]] [[Category:Computer access control]]