author    mo khan <mo@mokhan.ca>  2025-03-17 13:59:19 -0600
committer mo khan <mo@mokhan.ca>  2025-03-17 13:59:19 -0600
commit    f9168083b787118af5577015a3c7f9efa63c8e80 (patch)
tree      db1b638972998b80555e31dbade60c69e0a30d91
parent    d981d42202701b3bcd39399cb7f06e0825dff06d (diff)
docs: read more papers from Dr. Philip W.L. Fong
-rw-r--r--  doc/share/authz/ABAC.md      14
-rw-r--r--  doc/share/authz/POLICY.md     2
-rw-r--r--  doc/share/authz/README.md     7
-rw-r--r--  doc/share/authz/ReBAC.md     18
-rw-r--r--  doc/share/authz/sns.dot       5
-rw-r--r--  doc/share/authz/sns.dot.png   bin 0 -> 20506 bytes
-rw-r--r--  magefile.go                   9
7 files changed, 55 insertions, 0 deletions
diff --git a/doc/share/authz/ABAC.md b/doc/share/authz/ABAC.md
index 2b50f16..bfe1404 100644
--- a/doc/share/authz/ABAC.md
+++ b/doc/share/authz/ABAC.md
@@ -1 +1,15 @@
# Attribute-Based Access Control (ABAC)
+
+> Attribute-based access control (ABAC) is considered one of th emost generalized
+> forms of access control as it can capture the salient features of discretionary
+> access (DAC), mandatory access control (MAC) and role-based access control
+> (RBAC) using appropriate attributes such as access control lists, security
+> labels and roles respectively. [5]
+
+## See Also
+
+* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5]
+* [A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences][6]
+
+[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828
+[6]: https://dl.acm.org/doi/pdf/10.1145/3532105.3535014
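Review bot: the quoted definition on the first `>` line has a typo, "th emost" should read "the most"; since it is presented as a verbatim quotation of [5], check it against the paper before correcting it. The reference list in this file also starts at [5] and [6] with no [1]-[4]; if the numbering is deliberately shared with ReBAC.md, say so in a short comment, otherwise restart at [1] so ABAC.md reads correctly on its own.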
diff --git a/doc/share/authz/POLICY.md b/doc/share/authz/POLICY.md
index 30cca5f..39a1128 100644
--- a/doc/share/authz/POLICY.md
+++ b/doc/share/authz/POLICY.md
@@ -49,3 +49,5 @@ end
class Issue
end
```
+
+[Social Network Graph](./sns.dot.png)
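Review bot: `[Social Network Graph](./sns.dot.png)` renders as a plain hyperlink, not an embedded picture. If the diagram is meant to appear inline after the policy example, prefix it with `!`: `![Social Network Graph](./sns.dot.png)`. The link text is also misleading: the graph in `sns.dot` shows a `belongs_to` hierarchy of Issue, Project, Group and Organization and contains no user-to-user edges, so something like "Resource hierarchy" would describe it more accurately.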
diff --git a/doc/share/authz/README.md b/doc/share/authz/README.md
index b750481..7ab8166 100644
--- a/doc/share/authz/README.md
+++ b/doc/share/authz/README.md
@@ -26,6 +26,13 @@ Criteria for evaluating policy languages:
* Must have concise documentation
* Must provide ability to extend language using Ruby/Golang for describing complex policies.
+Ideally, we must be able to model the following relationships:
+
+* `user-to-resource`
+* `resource-to-resource`
+
+Note that `user-to-user` relationships are not currently represented in the existing access control model.
+
## Organizational Hierarchy
How does a permission cascade down a group hierarchy?
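Review bot: the added line `+Ideally, we must be able to model the following relationships:` sits directly after the `* Must provide ability to extend language ...` bullet with no blank line, so most Markdown renderers treat it as a lazy continuation of that list item rather than a new paragraph; add a blank line before it, as was done after the new list. The sentence about `user-to-user` relationships reads as an observation rather than a criterion; state whether user-to-user support is a requirement or an explicit non-goal so the criteria list stays actionable.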
diff --git a/doc/share/authz/ReBAC.md b/doc/share/authz/ReBAC.md
index 4c9deb7..17d51a2 100644
--- a/doc/share/authz/ReBAC.md
+++ b/doc/share/authz/ReBAC.md
@@ -28,6 +28,20 @@ essentially formulating the following policy: `grant p to user u if R(u)`.
PriMA is another recently proposed privacy protection mechanism for SNSs.
+Unlike [RBAC][4] and [ABAC][3], ReBAC policies deal with relational policies
+rather than unary predicates on attributes and roles.
+
+In, Online Social Network (OSN) applications, authorization for users' access to
+specific content is typically based on ther interpersonal relationships between
+the accessing user and content owner. OSN ReBAC models user user-to-user
+relationships.
+
+The user of indirect relations, also called multilevel or composite relations,
+is fundamental to ReBAC (e.g. friend of friend).
+
+Recently, researchers have proposed extended ReBAC models applicable to other
+computing systems beyond OSNs.
+
## Access Control Policies
Let `U` be the set of all users in the system.
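Review bot: several typos in the added text: `In, Online Social Network` has a stray comma, `ther interpersonal` should be `the interpersonal`, `models user user-to-user` repeats `user`, and `The user of indirect relations` should be `The use of indirect relations`. The first added line `+Unlike [RBAC][4] and [ABAC][3], ReBAC policies deal with relational policies` also follows `PriMA is another recently proposed privacy protection mechanism for SNSs.` without a blank line, so it merges into the PriMA paragraph; insert a blank line to start a new paragraph. Since the paragraphs on OSN ReBAC and indirect relations summarise the cited survey rather than the repository's own model, attach a `[5]` citation marker to them as the ABAC.md quotation does.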
@@ -121,6 +135,10 @@ relationships can be "activated" simultaneously.
* [Relationship-Based Access Control: Protection Model and Policy Language by Philip W. L. Fong][1]
* [Learning Relationship-Based Access Control Policies from Black-Box Systems][2]
+* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5]
[1]: https://cspages.ucalgary.ca/~pwlfong/Pub/codaspy2011.pdf
[2]: https://dl.acm.org/doi/pdf/10.1145/3517121
+[3]: ./ABAC.md
+[4]: ./RBAC.md
+[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828
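Review bot: `[4]: ./RBAC.md` is now used by the new text (`[RBAC][4]`) but no RBAC.md is added or listed in this change's diffstat; confirm the file already exists under `doc/share/authz/`, otherwise the link is dead. Mixing local documents ([3], [4]) and external papers ([1], [2], [5]) in one numbered list works, but a separate "Related documents" line for the local files would keep the paper numbering aligned with ABAC.md, which also uses [5] for the same survey.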
diff --git a/doc/share/authz/sns.dot b/doc/share/authz/sns.dot
new file mode 100644
index 0000000..9197928
--- /dev/null
+++ b/doc/share/authz/sns.dot
@@ -0,0 +1,5 @@
+digraph {
+ Group -> Organization[label="belongs_to"];
+ Project -> Group[label="belongs_to"];
+ Issue -> Project[label="belongs_to"];
+}
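Review bot: the graph holds only `belongs_to` edges among Issue, Project, Group and Organization, i.e. the resource-to-resource containment hierarchy from POLICY.md, and has no user nodes, so the filename `sns.dot` (social network) overstates what it models; a name such as `resource_hierarchy.dot` would match the content and the README's `resource-to-resource` wording. Because the edges point from child to parent (`Issue -> Project`, `Project -> Group`, `Group -> Organization`) while the README asks how a permission cascades down the hierarchy, consider `rankdir=BT` or reversing the edges so the rendered diagram reads top-down from Organization to Issue.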
diff --git a/doc/share/authz/sns.dot.png b/doc/share/authz/sns.dot.png
new file mode 100644
index 0000000..dc30092
--- /dev/null
+++ b/doc/share/authz/sns.dot.png
Binary files differ
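Review bot: `sns.dot.png` is a generated artifact (the new `Graphviz` mage target regenerates it with `dot -Tpng -O`), so committing it means the PNG and the `.dot` source can silently drift; either produce it during the docs build and ignore `*.dot.png` in git, or document in the magefile that the PNG must be regenerated and recommitted whenever `sns.dot` changes.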
diff --git a/magefile.go b/magefile.go
index ec6dac1..fba423f 100644
--- a/magefile.go
+++ b/magefile.go
@@ -85,3 +85,12 @@ func Test(ctx context.Context) error {
})
return sh.RunV("go", "test", "-shuffle=on", "-v", "./...")
}
+
+func Graphviz() error {
+ return sh.RunV("dot", "-Tpng", "-O", "doc/share/authz/sns.dot")
+}
+
+// Generate documentation
+func Docs(ctx context.Context) {
+ mg.CtxDeps(ctx, Graphviz)
+}
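Review bot: `Graphviz` has no doc comment while `Docs` does; mage prints those comments as target descriptions in `mage -l`, so add one such as `// Render the Graphviz diagrams under doc/share/authz`. The target also depends on an external `dot` binary without saying so; mention the Graphviz requirement in the comment or check for it with `exec.LookPath("dot")` first so a missing install fails with a clear message instead of a bare exec error. Finally, `Docs` takes `ctx` but does not return `error`; since `Graphviz` can fail, giving `Docs` an `error` return keeps the target signature consistent with `Test` above it.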