Graph-based access control

This is an old revision of this page, as edited by Prof schaller (talk | contribs) at 12:20, 16 July 2015.


Graph-based access control (GBAC) is a relatively new technique for granting users of information systems access rights to objects such as files and documents, but also to business objects such as an account. It can also be used to assign tasks in workflow environments. The organization is modeled as a specific kind of semantic graph comprising its organizational units, its roles and functions, and its agents. The main difference from approaches such as RBAC or ABAC is that in GBAC the set of subjects holding a right is defined by a query in an organization query language, evaluated against this graph at decision time, rather than by enumerating the subjects explicitly.

History

The foundations of GBAC go back to a research project named CoCoSOrg (Configurable Cooperation System) [1] (for an English-language description see [2]) at Bamberg University. In CoCoSOrg an organization is represented as a semantic graph, and a formal language is used to specify agents and their access rights in a workflow environment. Within the C-Org project at Hof University's Institute for Information Systems (iisys) the approach was extended by features such as separation of duty, access control in virtual organizations [3] and subject-oriented access control [4].

Definition

Graph-based Access Control consists of two building blocks:

  • A semantic graph modeling an organization and
  • a query language.

Organization Graph

Figure: Organization Graph in GBAC

The organization graph is divided into a type level and an instance level. On the instance level there are node types for organization units, functional units and agents. The basic structure of an organization is defined by the so-called "structural relation", which defines the "is part of" relations between functional units and organization units as well as the mapping of agents to functional units. In addition there are specific relationship types such as "deputyship" or "informs" that can be extended by the user. Every relationship can be made context sensitive by attaching predicates: constraints that have to be true in order for the arc to be valid.

The type level serves reuse. It consists of organization unit types, functional unit types and the same relationship types as on the instance level. Types describe typical organization structures that can be used to create new instances or to reuse organization knowledge in case of exceptions (for further reading see [1] [2]).

Query Language

In GBAC a query language is used to define the set of agents that fulfil specific conditions. The following table shows how such queries are used as the entries of an access control matrix. The read query selects all managers, in any organization unit, who have been working for the company for more than half a year, plus those managers who are explicitly flagged for reading the report. The daily financial report can only be written by the manager of the controlling department or by clerks of that department who hold the explicit write right (WriteFinancialReport == TRUE).

Data Object            | Read                                                                                   | Write
-----------------------|----------------------------------------------------------------------------------------|--------------------------------------------------------------------------
Daily Financial Report | Manager(*).(Now() - Manager.HiringYear() > 0.5 OR Manager.ReadFinancialReport == TRUE) | Manager(Controlling) OR Clerk(Controlling).WriteFinancialReport == TRUE
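The following is an added example, not code from the C-Org project, showing how the two building blocks fit together: a small instance-level organization graph (organization units, functional units, agents, and structural arcs that may carry a context predicate) and a query evaluator that resolves the two matrix entries above to sets of agents at decision time. The query model (Role(Unit) plus a Python predicate instead of a parsed expression), the attribute names HiringYear, ReadFinancialReport and WriteFinancialReport, the fractional-year arithmetic, and the sample organization are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

FunctionalUnit = Tuple[str, str]          # (role, organization unit), e.g. ("Manager", "Controlling")
Predicate = Callable[[dict, dict], bool]  # (agent attributes, evaluation context) -> bool


def always(attrs: dict, ctx: dict) -> bool:
    return True


@dataclass
class OrgGraph:
    """Instance level of the organization graph (assumed structure, not C-Org's)."""
    org_units: Set[str] = field(default_factory=set)
    functional_units: Set[FunctionalUnit] = field(default_factory=set)
    agents: Dict[str, dict] = field(default_factory=dict)        # agent -> attributes
    # structural relation "agent holds functional unit"; each arc carries a predicate
    # that must be true in the current context for the arc to be valid
    holds: List[Tuple[str, FunctionalUnit, Predicate]] = field(default_factory=list)

    def add_org_unit(self, unit: str, *roles: str) -> None:
        self.org_units.add(unit)
        for role in roles:
            self.functional_units.add((role, unit))  # role(unit) "is part of" unit

    def add_agent(self, name: str, **attrs) -> None:
        self.agents[name] = attrs

    def assign(self, agent: str, role: str, unit: str, when: Predicate = always) -> None:
        if (role, unit) not in self.functional_units:
            raise KeyError(f"unknown functional unit {role}({unit})")
        self.holds.append((agent, (role, unit), when))

    def holders(self, role: str, unit: str, ctx: dict) -> Set[str]:
        """Agents whose arc to role(unit) is valid in ctx; unit '*' matches every org unit."""
        return {a for a, (r, u), valid in self.holds
                if r == role and (unit == "*" or u == unit) and valid(self.agents[a], ctx)}


@dataclass
class Query:
    """One term Role(Unit).predicate of the (assumed) organization query language."""
    role: str
    unit: str = "*"
    where: Predicate = always

    def resolve(self, graph: OrgGraph, ctx: dict) -> Set[str]:
        return {a for a in graph.holders(self.role, self.unit, ctx) if self.where(graph.agents[a], ctx)}


def resolve_any(queries: List[Query], graph: OrgGraph, ctx: dict) -> Set[str]:
    """Union of several query terms: the OR inside a matrix cell."""
    agents: Set[str] = set()
    for q in queries:
        agents |= q.resolve(graph, ctx)
    return agents


def is_permitted(acl: dict, graph: OrgGraph, ctx: dict, agent: str, obj: str, op: str) -> bool:
    """Access check: the cell is resolved against the graph now, not enumerated in advance."""
    return agent in resolve_any(acl.get(obj, {}).get(op, []), graph, ctx)


# Predicates of the example matrix; attribute names are assumptions for this example.
def read_financial_report(attrs: dict, ctx: dict) -> bool:
    # Now() - Manager.HiringYear() > 0.5 OR Manager.ReadFinancialReport == TRUE
    return ctx["now"] - attrs["HiringYear"] > 0.5 or attrs.get("ReadFinancialReport", False)


def write_financial_report(attrs: dict, ctx: dict) -> bool:
    # Clerk(Controlling).WriteFinancialReport == TRUE
    return attrs.get("WriteFinancialReport", False)


ACL = {
    "Daily Financial Report": {
        "read": [Query("Manager", "*", read_financial_report)],
        "write": [Query("Manager", "Controlling"),
                  Query("Clerk", "Controlling", write_financial_report)],
    }
}


def build_sample_graph() -> OrgGraph:
    """Constructed sample organization (not real data)."""
    g = OrgGraph()
    g.add_org_unit("Controlling", "Manager", "Clerk")
    g.add_org_unit("Sales", "Manager", "Clerk")
    g.add_agent("alice", HiringYear=2010.0)
    g.add_agent("bob", HiringYear=2012.0, WriteFinancialReport=True)
    g.add_agent("carol", HiringYear=2015.3, ReadFinancialReport=True)  # new, but flagged
    g.add_agent("dave", HiringYear=2009.0)                             # clerk without write flag
    g.add_agent("erin", HiringYear=2015.4)                             # new manager, no flag
    g.add_agent("frank", HiringYear=2011.0)
    g.assign("alice", "Manager", "Controlling")
    g.assign("bob", "Clerk", "Controlling")
    g.assign("carol", "Manager", "Sales")
    g.assign("dave", "Clerk", "Controlling")
    g.assign("erin", "Manager", "Sales")
    # context-sensitive deputyship: frank acts as Manager(Controlling) only while
    # the deputy flag is set in the evaluation context
    g.assign("frank", "Manager", "Controlling", when=lambda a, ctx: ctx.get("deputy_active", False))
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    ctx = {"now": 2015.55, "deputy_active": False}
    print(sorted(resolve_any(ACL["Daily Financial Report"]["read"], graph, ctx)))   # ['alice', 'carol']
    print(sorted(resolve_any(ACL["Daily Financial Report"]["write"], graph, ctx)))  # ['alice', 'bob']
    print(is_permitted(ACL, graph, dict(ctx, deputy_active=True), "frank", "Daily Financial Report", "write"))  # True
```

Two points worth noting. First, the matrix cell never names a person: when erin has been with the company for more than half a year, or when frank's deputyship arc becomes valid, the read and write sets change without any change to the ACL, which is the difference from enumerating subjects that the definition section describes. Second, because the predicate on the deputyship arc is evaluated at decision time, a stale or attacker-controlled evaluation context (here the deputy_active flag) directly changes who is granted access, so the source of that context deserves the same protection as the graph itself.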

Implementation

Figure: Usage of C-Org

The C-Org server maintains the organization graph and accepts queries written in the syntax of the organization language. Each received query is resolved to a set of agents, which is sent back to the calling client as the response. Clients of C-Org can be file systems, database management systems, workflow management systems, physical security systems or even telephone servers. C-Org was also implemented as a service on IBM's Bluemix platform.

See also

  • RBAC
  • Hypergraph-based Access Control

References

  1. ^ a b Schaller, Thomas (1998). Organisationsverwaltung in CSCW-Systemen - Dissertation. Bamberg: Bamberg University.
  2. ^ a b Lawall, Schaller, Reichelt (2014). Enterprise Architecture: A Formalism for Modelling Organizational Structures in Information Systems. Enterprise and Organizational Modeling and Simulation: 10th International Workshop, CAiSE 2014, Thessaloniki.
  3. ^ Lawall, Schaller, Reichelt (2014). "Restricted Relations between Organizations for Cross-Organizational Processes". IEEE 16th Conference on Business Informatics (CBI), Geneva: 74–80.
  4. ^ Lawall, Schaller, Reichelt (2015). S-BPM in the Wild: Role and Rights Management (1 ed.). Berlin: Springer. pp. 171–186. ISBN 978-3-319-17541-6.