Affiliation:
1. School of Computer and Information Technology, Xinyang Normal University, Xinyang 464000, China
Abstract
Attribute-based access control (ABAC) has attracted widespread interest and has become an ideal mechanism due to its flexibility and its powerful expressiveness for various security policies, such as the separation-of-duty constraint and the cardinality constraint. Formulating appropriate ABAC policies is critical for ensuring system security and robustness. However, conflicts occur frequently in existing state-of-the-art systems. Most conventional detection methods either do not evaluate policy quality or do not consider constraints. To resolve these problems, a novel method for ABAC policy evaluation is proposed in this study. First, to meet diverse organizational requirements, we use the attribute-based constraints specification language to uniformly formulate and specify the conflict relations among attributes and present the satisfiability of conflict relations. Second, to comprehensively detect conflicts, we present evaluation criteria for conflicts on attributes and rules and propose a novel algorithm for detecting conflicts. Last, we validate the effectiveness and efficiency of the proposal through experiments, which demonstrate that it not only improves the policy quality but also reduces the number and probability of conflicts.
Subject
Computer Networks and Communications, Computer Science Applications