A Datalog-Based workflow for Generating and Translating Relationship-Based Access Control Policies.
This project implements a Datalog-Based workflow for generating and translating Relationship-Based Access Control (ReBAC) policies. The workflow consists of two main phases:
- Phase 1: Policy Generation: generating ReBAC policies in Datalog format from natural-language statements and XACML specifications using an LLM.
- Phase 2: Policy Translation: translating the Datalog policies into the policy languages of four representative ReBAC models:
- Carminati et al.'s ReBAC Model
- Fong et al.'s ReBAC Model
- Cheng et al.'s ReBAC Model
- Crampton et al.'s ReBAC Model
Carminati et al.'s model: Coming soon...
Fong et al.'s model: Coming soon...
The translation algorithm converts Datalog policies into Cheng et al.'s UURAC (User-to-User Relationship-based Access Control) model. A UURAC policy takes one of the following forms; `action⁻¹` marks a policy stated from the target's side (incoming action), `r_t` a specific target resource and `r.type` a resource type:

| Policy Type | Specification | Description |
|---|---|---|
| Accessing User Policy (AUP) | ⟨action, (start, path rule)⟩ | Outgoing action policies |
| Target User Policy (TUP) | ⟨action⁻¹, (start, path rule)⟩ | Incoming action policies for users |
| Target Resource Policy (TRP) | ⟨action⁻¹, r_t, (start, path rule)⟩ | Policies for resources |
| System Policy for User | ⟨action, (start, path rule)⟩ | System-wide user policies |
| System Policy for Resource | ⟨action⁻¹, r.type, (start, path rule)⟩ | System-wide resource policies |

The `(start, path rule)` part is a graph rule with the following grammar (`u_a` is the accessing user, `u_t` the target user and `u_c` the controlling user of the target resource):
```
GraphRule    ::= (⟨StartingNode⟩, ⟨PathRule⟩)
PathRule     ::= ⟨PathSpecExp⟩ | ⟨PathSpecExp⟩ ⟨Connective⟩ ⟨PathRule⟩
Connective   ::= or | and
PathSpecExp  ::= ⟨PathSpec⟩ | ¬⟨PathSpec⟩
PathSpec     ::= (⟨Path⟩, ⟨HopCount⟩) | (∅, ⟨HopCount⟩)
Path         ::= ⟨TypeExp⟩ | ⟨TypeExp⟩ ⟨Path⟩
TypeExp      ::= ⟨TypeSpecifier⟩ | ⟨TypeSpecifier⟩ ⟨Wildcard⟩
StartingNode ::= u_a | u_t | u_c
Wildcard     ::= * | ? | +
```

Datalog constructs map onto UURAC as follows:
| Datalog | UURAC |
|---|---|
| Relationship predicates | Path expressions (TypeExp) |
| `not` predicate | Negated PathSpecExp (¬) |
| Multiple conditions | AND-connected PathRule |
| User-to-user actions | AccessingUserPolicy / TargetUserPolicy |
| User-to-resource actions | TargetResourcePolicy |
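The mapping above, carried through as an added worked example in Python; this is illustration code written for this page, not the project's own translator. It assumes conventions the page does not fix: rule heads are `action(Ua, Ut)` for user-to-user rules and `action(Ua, R)` or `action(Ua, <constant>)` for user-to-resource rules, with `Ua` the accessing user and `Ut` the target user; an `owner(U, R)` atom links a resource to its controlling user; a unary atom such as `photo(R)` gives the resource type. The function names, the variable-naming convention and the three sample rules are all constructed for the example. A predicate walked against its direction is emitted as the inverse relationship type (`friend⁻¹`), and a resource rule becomes a TRP when the head names a specific resource and a system policy for resources when it names a typed variable.

```python
"""Datalog -> UURAC translation (added example; assumptions noted in comments)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ATOM = re.compile(r"(not\s+)?(\w+)\(([^)]*)\)")
ACCESSING, TARGET = "Ua", "Ut"          # assumed head-variable convention
Atom = Tuple[bool, str, List[str]]       # (negated, predicate, arguments)


def parse_rule(rule: str) -> Tuple[str, List[str], List[Atom]]:
    """Split 'head :- body.' into the head predicate, its arguments and the body atoms."""
    head, body = rule.strip().rstrip(".").split(":-", 1)
    m = ATOM.fullmatch(head.strip())
    if m is None:
        raise ValueError(f"unparseable head: {head!r}")
    atoms = [(neg != "", pred, [a.strip() for a in args.split(",")])
             for neg, pred, args in ATOM.findall(body)]
    return m.group(2), [a.strip() for a in m.group(3).split(",")], atoms


def walk(atoms: List[Atom], start: str, end: str) -> List[str]:
    """Order binary atoms into one path from `start` to `end`; an atom p(X, cur)
    traversed backwards becomes the inverse type p⁻¹. Every atom must be used."""
    pending, cur, path = list(atoms), start, []
    while cur != end:
        for atom in pending:
            pred, (a, b) = atom[1], atom[2]
            if a == cur:
                path.append(pred); cur = b; break
            if b == cur:
                path.append(pred + "⁻¹"); cur = a; break
        else:
            raise ValueError(f"no relationship atom leaves {cur}")
        pending.remove(atom)
    if pending:
        raise ValueError(f"atoms not on the {start}->{end} path: {pending}")
    return path


@dataclass
class UURACPolicy:
    action: str
    start: str                      # u_a or u_t
    path_rule: str
    inverse: bool                   # action⁻¹: stated from the target side
    resource: Optional[str] = None  # r_t (specific resource) or r.type (system policy)

    def __str__(self) -> str:
        fields = [self.action + ("⁻¹" if self.inverse else "")]
        if self.resource:
            fields.append(self.resource)
        fields.append(f"({self.start}, {self.path_rule})")
        return "⟨" + ", ".join(fields) + "⟩"


def translate(rule: str, perspective: str = "accessing") -> UURACPolicy:
    """`perspective` picks AUP ('accessing') or TUP ('target') for user-to-user
    rules; resource rules are always stated from the owner's side."""
    action, head_args, atoms = parse_rule(rule)
    if len(head_args) != 2 or head_args[0] != ACCESSING:
        raise ValueError("head must be action(Ua, Ut) or action(Ua, <resource>)")
    positive = [a for a in atoms if not a[0] and len(a[2]) == 2]
    negated = [a for a in atoms if a[0] and len(a[2]) == 2]
    resource = None
    if head_args[1] == TARGET:                               # user-to-user rule
        start, end = (ACCESSING, TARGET) if perspective == "accessing" else (TARGET, ACCESSING)
    else:                                                    # user-to-resource rule
        res = head_args[1]
        owners = [a for a in positive if a[2][1] == res]     # assumed owner(U, R) convention
        if len(owners) != 1:
            raise ValueError(f"need exactly one owner(U, {res}) atom")
        positive.remove(owners[0])
        start, end = owners[0][2][0], ACCESSING
        if res[0].isupper():                                 # variable: r.type from a unary atom
            types = [a[1] for a in atoms if not a[0] and a[2] == [res]]
            if len(types) != 1:
                raise ValueError(f"need exactly one type atom for {res}")
            resource = types[0]
        else:                                                # constant: TRP for that resource
            resource = res
    specs = [f"({' '.join(walk(positive, start, end))}, {len(positive)})"]
    for atom in negated:   # each negated atom must itself connect start and end
        specs.append(f"¬({walk([atom], start, end)[0]}, 1)")
    return UURACPolicy(action, "u_a" if start == ACCESSING else "u_t",
                       " ∧ ".join(specs), inverse=start != ACCESSING, resource=resource)


# Constructed sample rules (not from the project).
RULE_U2U = "view(Ua, Ut) :- friend(Ua, X), friend(X, Ut), not blocked(Ut, Ua)."
RULE_SYS = "read(Ua, R) :- photo(R), owner(Ut, R), friend(Ut, X), friend(X, Ua)."
RULE_TRP = "comment(Ua, post17) :- owner(Ut, post17), friend(Ut, Ua)."

if __name__ == "__main__":
    for r, p in [(RULE_U2U, "accessing"), (RULE_U2U, "target"), (RULE_SYS, "accessing"), (RULE_TRP, "accessing")]:
        print(r, "=>", translate(r, p))
```

Two caveats worth checking before trusting any such translation: a rule body that is not a single chain from the starting node (a branching or disconnected set of atoms) has no UURAC path rule of this shape and the example rejects it rather than guessing, and the `*`, `?` and `+` wildcards correspond to recursive Datalog rules (transitive closure), which a one-rule-at-a-time translator like this one cannot recognise.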
Crampton et al.'s model: Coming soon...
The four ReBAC models targeted in this project are based on the following papers.
- Carminati et al.'s:
@inproceedings{10.1145/1542207.1542237, author = {Carminati, Barbara and Ferrari, Elena and Heatherly, Raymond and Kantarcioglu, Murat and Thuraisingham, Bhavani}, title = {A semantic web based framework for social network access control}, year = {2009}, isbn = {9781605585376}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1542207.1542237}, doi = {10.1145/1542207.1542237}, booktitle = {Proceedings of the 14th ACM Symposium on Access Control Models and Technologies}, pages = {177–186}, location = {Stresa, Italy}, series = {SACMAT '09} }
- Fong et al.'s:
@inproceedings{10.1145/1943513.1943539, author = {Fong, Philip W.L.}, title = {Relationship-based access control: protection model and policy language}, year = {2011}, isbn = {9781450304665}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/1943513.1943539}, doi = {10.1145/1943513.1943539}, booktitle = {Proceedings of the First ACM Conference on Data and Application Security and Privacy}, pages = {191–202}, numpages = {12}, keywords = {social networks, relationship-based access control, policy language, modal logic, electronic health records, contexts}, location = {San Antonio, TX, USA}, series = {CODASPY '11} }
- Cheng et al.'s:
@InProceedings{10.1007/978-3-642-31540-4_2, author="Cheng, Yuan and Park, Jaehong and Sandhu, Ravi", editor="Cuppens-Boulahia, Nora and Cuppens, Fr{\'e}d{\'e}ric and Garcia-Alfaro, Joaquin", title="A User-to-User Relationship-Based Access Control Model for Online Social Networks", booktitle="Data and Applications Security and Privacy XXVI", year="2012", publisher="Springer Berlin Heidelberg", address="Berlin, Heidelberg", pages="8--24", isbn="978-3-642-31540-4" }
- Crampton et al.'s:
@inproceedings{10.1145/2613087.2613094, author = {Crampton, Jason and Sellwood, James}, title = {Path conditions and principal matching: a new approach to access control}, year = {2014}, isbn = {9781450329392}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/2613087.2613094}, doi = {10.1145/2613087.2613094}, booktitle = {Proceedings of the 19th ACM Symposium on Access Control Models and Technologies}, pages = {187–198}, numpages = {12}, keywords = {access control, authorization, path condition, principal matching, relationship}, location = {London, Ontario, Canada}, series = {SACMAT '14} }