Graph-based access control: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 02:20, 5 September 2016 edit BattyBot (talk \| contribs) Bots 1,957,321 edits →top: General fixes, removed orphan tag using AWB ← Previous edit		Latest revision as of 02:27, 12 August 2024 edit undo Citation bot (talk \| contribs) Bots 5,863,424 edits Alter: url, title, template type. URLs might have been anonymized. Add: chapter-url, chapter, authors 1-1. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. \| Use this bot. Report bugs. \| Suggested by Abductive \| #UCB_toolbar
(17 intermediate revisions by 11 users not shown)
Line 1: '''Graph-based access control''' ('''GBAC''') is a [[declarative programming\|declarative]] way to define [[access control\|access rights]], task assignments, recipients and content in [[information ~~systems~~system]]s. ~~The access~~Access rights are granted to objects like files or documents, but also business objects ~~like~~such as an account. ItGBAC can also be used for the assignment of agents to tasks in workflow environments. Organizations are modeled as a specific kind of semantic graph comprising the organizational units, the roles and functions as well as the human and automatic agents (i.a. persons, machines). ~~Compared~~The tomain difference with other approaches ~~like~~such as [[role-based access control]] or [[attribute-based access control]]~~, the main difference~~ is that in GBAC access rights are defined using an organizational query language instead of total enumeration.▼ ~~{{Multiple issues\|~~ ~~{{more footnotes\|date=July 2015}}~~ ~~{{COI\|date=July 2015}}~~ }} ▲'''Graph-based access control''' (GBAC) is a [[declarative programming\|declarative]] way to define [[access control\|access rights]], task assignments, recipients and content in information systems. The access rights are granted to objects like files or documents, but also business objects like an account. It can also be used for the assignment of agents to tasks in workflow environments. Organizations are modeled as a specific kind of semantic graph comprising the organizational units, the roles and functions as well as the human and automatic agents (i.a. persons, machines). Compared to other approaches like [[role-based access control]] or [[attribute-based access control]], the main difference is that in GBAC access rights are defined using an organizational query language instead of total enumeration. == History == The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [<ref name = "DISS">{{cite book \|last1=Schaller \|first1=Thomas \|url=https://www.researchgate.net/publication/220690241 \|title=Organisationsverwaltung in CSCW-Systemen - Dissertation \|date=1998 \|publisher=Bamberg University \|___location=Bamberg}}</ref>] (in English language please see <ref name = "EOMAS">{{cite book \|last1=Lawall, Schaller, Reichelt \|url=https://www.researchgate.net/publication/283579217 \|title=Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems \|date=2014 \|publisher=Enterprise and Organizatinal Modeling and Simulation: 10th International Workshop CAiSE2014 \|___location=Thessaloniki}}</ref>) at Bamberg University. In CoCoSOrg an organization is represented as a semantic graph and a formal language is used to specify agents and their access rights in a workflow environment. Within the C-Org-Project at Hof University's Institute for Information Systems ([http://www.iisys.de/en/research/research-groups/information-management.html iisys]), the approach was extended by features like separation of duty, access control in virtual organizations <ref>{{cite journal\|last1=Lawall, Schaller, Reichelt\|title=Restricted Relations between Organizations for Cross-Organizational Processes\|journal=IEEE 16th Conference on Business Informatics (CBI), Geneva\|date=2014\|pages=74–80}}</ref> and subject-oriented access control.<ref>{{cite book\|last1=Lawall, Schaller, Reichelt\|title=S-BPM in the Wild: Role and Rights Management\|date=2015\|publisher=Springer\|___location=Berlin\|isbn=978-3-319-17541-6\|pages=171–186\|edition=1}}</ref>▼ ▲The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [<ref name = DISS>{{cite book\|last1=Schaller\|first1=Thomas\|title=Organisationsverwaltung in CSCW-Systemen - Dissertation\|date=1998\|publisher=Bamberg University\|___location=Bamberg}}</ref>] (in English language please see <ref name = EOMAS>{{cite book\|last1=Lawall, Schaller, Reichelt\|title=Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems\|date=2014\|publisher=Enterprise and Organizatinal Modeling and Simulation: 10th International Workshop CAiSE2014\|___location=Thessaloniki}}</ref>) at Bamberg University. In CoCoSOrg an organization is represented as a semantic graph and a formal language is used to specify agents and their access rights in a workflow environment. Within the C-Org-Project at Hof University's Institute for Information Systems ([http://www.iisys.de/en/research/research-groups/information-management.html iisys]), the approach was extended by features like separation of duty, access control in virtual organizations <ref>{{cite journal\|last1=Lawall, Schaller, Reichelt\|title=Restricted Relations between Organizations for Cross-Organizational Processes\|journal=IEEE 16th Conference on Business Informatics (CBI),Geneva\|date=2014\|pages=74–80}}</ref> and subject-oriented access control.<ref>{{cite book\|last1=Lawall, Schaller, Reichelt\|title=S-BPM in the Wild: Role and Rights Management\|date=2015\|publisher=Springer\|___location=Berlin\|isbn=978-3-319-17541-6\|pages=171–186\|edition=1}}</ref> == Definition == Graph-based ~~Access~~access ~~Control~~control consists of two building blocks: ▼ ▲Graph-based Access Control consists of two building blocks: * A semantic graph modeling an organization * A query language. === Organizational graph === [[File:GBACOrgGraph.pdf\|thumb\|Organizational Graph in GBAC]] The organizational graph is divided into a type and an instance level. On the instance level there are node types for organizational units, functional units and agents. The basic structure of an organization is defined using so called ~~″structural~~"structural ~~relations″~~relations". They define the "is part of"- relations between functional units and organizational units as well as the mapping of agents to functional units. Additionally there are specific relationship types like "deputyship" or "informed_by". These types can be extended by the modeler. All relationships can be context sensitive through the usage of ~~predicates~~[[Predicate (mathematical logic)\|predicate]]s. On the type level organizational structures are described in a more general manner. It consists of organizational unit types, functional unit types and the same relationship types as on the instance level. Type definitions can be used to create new instances or reuse organizational knowledge in case of exceptions (for further reading see <ref name=DISS/><ref name=EOMAS />). === Query language === In GBAC a query language is used to define agents having certain characteristics or abilities. The following table shows the usage of the query language in the context of an access control matrix. Line 41 ⟶ 32: == Implementation == [[File:CORGUsage.jpg\|thumb\|Usage of C-Org]] GBAC was first implemented in the CoCoS Environment within the organizational server CoCoSOrg.<ref name=DISS /> In the C-Org-Project it was extended with more sophisticated features like separation of duty or access control in distributed environments. There is also a cloud-based implementation <ref>{{~~cite~~Cite book \|last1=Lawall, ~~Schaller,~~\|first1=Alexander \|last2=Reichelt \|~~title~~first2=Dominik \|last3=Schaller \|first3=Thomas \|chapter=Resource ~~Management~~management and ~~Authorization~~authorization for ~~Cloud~~cloud services ~~Services~~\|date=2015-04-23 \|~~publisher~~title=Proceedings of the 7th International Conference on Subject-Oriented Business Process Management \|chapter-url=https://doi.org/10.1145/2723839.2723864 \|series=S-BPM ONE '15 \|___location=New York, ~~ACM~~NY, USA \|publisher=Association for Computing Machinery \|pages=18:1–18:8 \|doi=10.1145/2723839.2723864 \|isbn=978-1-4503-3312-2}}</ref> on IBM's [[~~BlueMix~~Bluemix]]<ref>[http://www.ibm.com/cloud-computing/bluemix/?cm_mmc=search-gsn-_-branded-Bluemix-general-_-ibm%20bluemix-_-ger-bm-mkt-oww ~~BlueMix~~Bluemix]</ref> platform. In all implementations the server takes a query from a client system and resolves it to a set of agents. This set is sent back to the calling client as response. Clients can be file systems, database management systems, workflow management systems, physical security systems or even telephone servers. == See also == {{columns-list\|2colwidth=30em\| * [[Access control list]] * [[Attribute-~~Based~~based ~~Access~~access ~~Control~~control]] (ABAC) * [[Capability-based security]]▼ * [[Context-based access control]] (CBAC) * [[Discretionary access control]] (DAC) Line 59 ⟶ 50: * [[Mandatory access control]] (MAC) * [[Organisation-based access control]] (OrBAC) * [[Risk-based authentication]]▼ * [[Role-based access control]] (RBAC) * [[RSBAC\|Rule-set-based access control (RSBAC)]] ▲* [[Capability-based security]] * [[Location-based authentication]] ▲* [[Risk-based authentication]] }}