Access control models were developed to govern authorized access to sensitive resources. Such control has become more important now that organizations need to share resources collaboratively over open environments such as the internet. Although several access control models are widely used, they provide access control within a closed environment, i.e. inside the organization that deploys them, and have limited capability in open environments. Attribute-Based Access Control (ABAC) has emerged as a powerful access control model that brings fine-grained authorization to organizations that hold sensitive data and resources and want to collaborate over open environments. In an ABAC system, access to the resources an organization possesses is controlled by applying policies to the attributes of users; these policies are conditions that a requester must satisfy in order to be granted access to the resource. In this paper, we give an introduction to ABAC and, building on the ABAC architecture, propose a Decentralized Policy Information Point (PIP) model. The PIP is the ABAC component that stores and answers queries for user attributes; our model decentralizes it so that fine-grained access control over sensitive resources can be enforced across multiple domains. The model uses the cryptographic primitive Attribute-Based Signature (ABS) to keep the identities of the users involved private, and can be used for collaborative resource sharing over the internet. We also discuss an evaluation of the model to reflect the application of the proposed decentralized PIP model.
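To make the architecture concrete, the following added example (not code from the paper) sketches the decision flow the abstract describes: each collaborating domain runs its own attribute store (a per-domain PIP), a decentralized PIP fans a query out to all of them and merges only attribute claims it can verify, and a policy written as predicates over attributes is evaluated with deny-by-default. All domain names, handles, keys, attributes and the policy are constructed for the example. Attribute claims are authenticated with an HMAC tag under a per-domain key; that is a stand-in for the attribute-based signature the paper uses and provides none of ABS's identity privacy, which is why requesters are referred to only by opaque per-domain handles here.

```python
import hashlib
import hmac
from typing import Callable

# Constructed keys: one per domain's attribute authority (assumption for the example).
DOMAIN_KEYS = {
    "hospital.example": b"hospital-key-constructed",
    "university.example": b"university-key-constructed",
}

# A claim is (domain, handle, attribute, value, tag).
Claim = tuple[str, str, str, str, str]


def _tag(domain: str, handle: str, name: str, value: str) -> str:
    # HMAC stand-in for the domain's attribute signature (not ABS).
    msg = f"{domain}|{handle}|{name}|{value}".encode()
    return hmac.new(DOMAIN_KEYS[domain], msg, hashlib.sha256).hexdigest()


class DomainPIP:
    """Attribute store operated by one domain; answers queries with tagged claims."""

    def __init__(self, domain: str, store: dict[str, dict[str, str]]):
        self.domain = domain
        self.store = store  # opaque per-domain handle -> {attribute: value}

    def query(self, handle: str) -> list[Claim]:
        return [(self.domain, handle, n, v, _tag(self.domain, handle, n, v))
                for n, v in self.store.get(handle, {}).items()]


class StaticPIP(DomainPIP):
    """Returns fixed claims; models a rogue or compromised domain endpoint."""

    def __init__(self, domain: str, claims: list[Claim]):
        super().__init__(domain, {})
        self.claims = claims

    def query(self, handle: str) -> list[Claim]:
        return [c for c in self.claims if c[1] == handle]


def forge(domain: str, handle: str, name: str, value: str) -> Claim:
    """A claim carrying an invalid tag, as an attacker without the domain key would produce."""
    return (domain, handle, name, value, "0" * 64)


class DecentralizedPIP:
    """Queries every domain PIP and merges only the claims that verify."""

    def __init__(self, pips: list[DomainPIP]):
        self.pips = {p.domain: p for p in pips}

    def attributes(self, handles: dict[str, str]) -> dict[str, str]:
        merged: dict[str, str] = {}
        for domain, handle in handles.items():
            pip = self.pips.get(domain)
            if pip is None:
                continue
            for dom, h, name, value, tag in pip.query(handle):
                # A domain may only vouch for its own attributes, and the tag must verify.
                if dom != domain or not hmac.compare_digest(tag, _tag(dom, h, name, value)):
                    continue  # unverifiable claim: drop it rather than trust it
                merged[f"{dom}:{name}"] = value
        return merged


Rule = dict[str, Callable[[str], bool]]


def evaluate(policy: list[Rule], attrs: dict[str, str]) -> str:
    """Permit if every predicate of some rule holds on the attributes; deny otherwise."""
    for rule in policy:
        if all(k in attrs and pred(attrs[k]) for k, pred in rule.items()):
            return "Permit"
    return "Deny"  # deny by default: missing attributes never satisfy a rule


# Constructed policy for reading a patient-record summary across two domains.
POLICY: list[Rule] = [
    {"hospital.example:role": lambda v: v == "clinician"},
    {"university.example:affiliation": lambda v: v == "medical-research",
     "hospital.example:clearance": lambda v: v == "irb-approved"},
]


def demo_pip() -> DecentralizedPIP:
    """Constructed sample attribute stores for the two domains."""
    hospital = DomainPIP("hospital.example", {
        "h-7f3a": {"role": "clinician", "clearance": "irb-approved"},
        "h-91c0": {"role": "billing"},
    })
    university = DomainPIP("university.example", {
        "u-22b1": {"affiliation": "medical-research"},
    })
    return DecentralizedPIP([hospital, university])


def decide(dpip: DecentralizedPIP, handles: dict[str, str]) -> str:
    """PDP step: gather attributes across domains, then evaluate the policy."""
    return evaluate(POLICY, dpip.attributes(handles))


if __name__ == "__main__":
    pip = demo_pip()
    print(decide(pip, {"hospital.example": "h-7f3a"}))
    print(decide(pip, {"hospital.example": "h-91c0", "university.example": "u-22b1"}))
```

The second rule shows why the PIP must be decentralized: it can only be satisfied by combining an attribute held by the university with one held by the hospital, and neither domain needs to export its store to the other. The `forge` and `StaticPIP` helpers let you check that a claim without a valid tag, or a domain asserting another domain's attribute, is silently dropped and therefore cannot flip a decision to Permit.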