Graph-based access control: Difference between revisions

Graph-based access control (GBAC) is a rather new technique for granting users of information systems access rights to objects like files or documents but also business objects like an account. It can also be used for the assignment of tasks in workflow environments. Organizations are modeled as a specific kind of semantic graph comprising the organizational structureunits, the roles and functions as well as the agents. Compared to other approaches like [[RBAC]] or [[Attribute-based_access_control|ABAC]] the main difference is that in GBAC access rights are defined using an organization query language instead of total enumeration.

The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [<ref name = DISS>{{cite book|last1=Schaller|first1=Thomas|title=Organisationsverwaltung in CSCW-Systemen - Dissertation|date=1998|publisher=Bamberg University|___location=Bamberg}}</ref>] (in English language please see <ref name = EOMAS>{{cite book|last1=Lawall, Schaller, Reichelt|title=Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems|date=2014|publisher=Enterprise and Organizatinal Modeling and Simulation: 10th International Workshop CAiSE2014|___location=Thessaloniki}}</ref>) where thean organization was modeled as a semantic graph and a formal language was used to specify agents and their access rights in a workflow environment. Within the project COrg-Project at Hof Universities Institute for Information Systems (iisys) the approach was extended by features like separation of duty, access control in virtual organizations <ref>{{cite journal|last1=Lawall, Schaller, Reichelt|title=Restricted Relations between Organizations for Cross-Organizational Processes|journal=IEEE 16th Conference on Business Informatics (CBI),Geneva|date=2014|pages=74-80}} [</ref> and subject-oriented access control <ref>{{cite book|last1=Lawall, Schaller, Reichelt|title=S-BPM in the Wild: Role and Rights Management|date=2015|publisher=Springer|___location=Berlin|isbn=978-3-319-17541-6|pages=171-186|edition=1}}</ref>].

Graph-based Access Control consists of two building blocks.:

The organization graph is divided into a type and and an instance level. On the instance level there are node types for organization units, functional units and agents. The basic structure of an organization is defined using the so called structural″structural relationrelation″ thatdefining definesthe which″is functionalpart unitsof″- belongsrelations tobetween whichfunctional units and organization unit andas whichwell agentas fulfillsthe whichmapping functionof agents to functional units. Additionally there are specific relationship types like deputyship″deputyship″ or informs″informs″ that can be extended by the user. All relationships can be context sensitive via the usage of attributespredicates defining constraints that have to be fulfilledtrue in order for the arc to be valid.

In GBAC thea query language is used to define a set of agents fulfilling specific attributes. The following table shows howthe theseusage queriesof canthe bequery usedlanguage within an access control matrix to specify access rights to data objects.

The first query means that all managers working for the company for more than a half year can read the financial report and additionally the managers that are empoweredclassified by the usage ofa specific flag.

The daily financial report can only be written by the manager of the controlling department or clerkclerks of the department withthat ahave specificthe flagexplicit write right (WriteFinancialReport==TRUE).