From f9168083b787118af5577015a3c7f9efa63c8e80 Mon Sep 17 00:00:00 2001 From: mo khan Date: Mon, 17 Mar 2025 13:59:19 -0600 Subject: docs: read more papers from Dr. Philip W.L. Fong --- doc/share/authz/ABAC.md | 14 ++++++++++++++ doc/share/authz/POLICY.md | 2 ++ doc/share/authz/README.md | 7 +++++++ doc/share/authz/ReBAC.md | 18 ++++++++++++++++++ doc/share/authz/sns.dot | 5 +++++ doc/share/authz/sns.dot.png | Bin 0 -> 20506 bytes 6 files changed, 46 insertions(+) create mode 100644 doc/share/authz/sns.dot create mode 100644 doc/share/authz/sns.dot.png (limited to 'doc') diff --git a/doc/share/authz/ABAC.md b/doc/share/authz/ABAC.md index 2b50f168..bfe14041 100644 --- a/doc/share/authz/ABAC.md +++ b/doc/share/authz/ABAC.md @@ -1 +1,15 @@ # Attribute-Based Access Control (ABAC) + +> Attribute-based access control (ABAC) is considered one of th emost generalized +> forms of access control as it can capture the salient features of discretionary +> access (DAC), mandatory access control (MAC) and role-based access control +> (RBAC) using appropriate attributes such as access control lists, security +> labels and roles respectively. [5] + +## See Also + +* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5] +* [A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences][6] + +[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828 +[6]: https://dl.acm.org/doi/pdf/10.1145/3532105.3535014 diff --git a/doc/share/authz/POLICY.md b/doc/share/authz/POLICY.md index 30cca5fe..39a1128e 100644 --- a/doc/share/authz/POLICY.md +++ b/doc/share/authz/POLICY.md @@ -49,3 +49,5 @@ end class Issue end ``` + +[Social Network Graph](./sns.dot.png) diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md index b750481e..7ab81669 100644 --- a/doc/share/authz/README.md +++ b/doc/share/authz/README.md 
@@ -26,6 +26,13 @@ Criteria for evaluating policy languages: * Must have concise documentation * Must provide ability to extend language using Ruby/Golang for describing complex policies. +Ideally, we must be able to model the following relationships: + +* `user-to-resource` +* `resource-to-resource` + +Note that `user-to-user` relationships are not currently represented in the existing access control model. + ## Organizational Hierarchy How does a permission cascade down a group hierarchy? diff --git a/doc/share/authz/ReBAC.md b/doc/share/authz/ReBAC.md index 4c9deb77..17d51a2e 100644 --- a/doc/share/authz/ReBAC.md +++ b/doc/share/authz/ReBAC.md @@ -28,6 +28,20 @@ essentially formulating the following policy: `grant p to user u if R(u)`. PriMA is another recently proposed privacy protection mechanism for SNSs. +Unlike [RBAC][4] and [ABAC][3], ReBAC policies deal with relational policies +rather than unary predicates on attributes and roles. + +In, Online Social Network (OSN) applications, authorization for users' access to +specific content is typically based on ther interpersonal relationships between +the accessing user and content owner. OSN ReBAC models user user-to-user +relationships. + +The user of indirect relations, also called multilevel or composite relations, +is fundamental to ReBAC (e.g. friend of friend). + +Recently, researchers have proposed extended ReBAC models applicable to other +computing systems beyond OSNs. + ## Access Control Policies Let `U` be the set of all users in the system. 
@@ -121,6 +135,10 @@ relationships can be "activated" simultaneously. * [Relationship-Based Access Control: Protection Model and Policy Language by Philip W. L. Fong][1] * [Learning Relationship-Based Access Control Policies from Black-Box Systems][2] +* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5] [1]: https://cspages.ucalgary.ca/~pwlfong/Pub/codaspy2011.pdf [2]: https://dl.acm.org/doi/pdf/10.1145/3517121 +[3]: ./ABAC.md +[4]: ./RBAC.md +[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828 diff --git a/doc/share/authz/sns.dot b/doc/share/authz/sns.dot new file mode 100644 index 00000000..9197928c --- /dev/null +++ b/doc/share/authz/sns.dot @@ -0,0 +1,5 @@ +digraph { + Group -> Organization[label="belongs_to"]; + Project -> Group[label="belongs_to"]; + Issue -> Project[label="belongs_to"]; +} diff --git a/doc/share/authz/sns.dot.png b/doc/share/authz/sns.dot.png new file mode 100644 index 00000000..dc300923 Binary files /dev/null and b/doc/share/authz/sns.dot.png differ -- cgit v1.2.3
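Review bot: the block quote added to ABAC.md contains a typo, `th emost` should read `the most`, and `discretionary access (DAC)` drops the word `control` from the expansion of DAC. Since the passage is presented as a verbatim quote attributed to [5], check it against the paper and quote it exactly, e.g. `> Attribute-based access control (ABAC) is considered one of the most generalized`. The reference numbering in this file starts at [5] and [6] with no [1]-[4]; that is fine if the numbers are deliberately shared with ReBAC.md, but a one-line remark saying so would save the next reader from looking for the missing entries.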
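Review bot: `[Social Network Graph](./sns.dot.png)` in POLICY.md is a plain link, so the PNG will not render inline; use the image syntax `![Social Network Graph](./sns.dot.png)` if the intent is to show the diagram below the Ruby classes. The label is also misleading: the graph in sns.dot only has `belongs_to` edges between Organization, Group, Project and Issue, which are resource-to-resource relationships, not a social network of users.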
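Review bot: `Ideally, we must be able to model` in the README hunk mixes a preference with a requirement; the surrounding criteria are phrased as `* Must ...`, so either add `* Must be able to model user-to-resource and resource-to-resource relationships` to that list or soften to `Ideally, we should be able to model`. The note that `user-to-user` relationships are not represented is useful, but it should say whether that is a gap to close or a deliberate scope limit, since the ReBAC.md text added in the same commit describes user-to-user relationships as the core of OSN ReBAC.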
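Review bot: the new ReBAC.md paragraphs have several typos: `In, Online Social Network` should be `In Online Social Network`, `ther interpersonal` should be `the interpersonal`, `models user user-to-user` repeats `user`, and `The user of indirect relations` should be `The use of indirect relations`. Only the first paragraph carries citations ([4] and [3]); the OSN and indirect-relations paragraphs paraphrase the comparison paper defined as [5] at the bottom of the file and should cite it, and `Recently, researchers have proposed extended ReBAC models` needs a reference too, otherwise these read as the project's own claims.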
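Review bot: the new definition `[4]: ./RBAC.md` points at a file that this commit neither creates nor touches; confirm it already exists under doc/share/authz, otherwise the `[RBAC][4]` link in the paragraph above will be broken. Minor: `[3]` and `[4]` are only used inline while `[5]` is also listed under See Also; adding ABAC.md and RBAC.md to the See Also list would keep the cross-references discoverable from one place.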
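Review bot: the file name `sns.dot` (social network service) does not match its contents, which model resource containment (`Issue -> Project -> Group -> Organization`, all labelled `belongs_to`) and contain no user nodes or user-to-user edges. Either rename it to something like `resources.dot`, or add a User node and the user-to-resource edges the README says must be modelled, so the diagram shows the relationships the policy actually evaluates. Giving the graph a name (`digraph resources {`) also helps once several .dot files are rendered together.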
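Review bot: sns.dot.png is a generated artifact of sns.dot, and committing the binary means it will drift from the .dot source on the next edit. Prefer producing it in a build step, e.g. `dot -Tpng sns.dot -o sns.dot.png` from a Makefile target, and ignoring the PNG; failing that, state in the commit message how the image was produced so it can be regenerated.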