A Category-Based Model for ABAC

CODASPY '18: Eighth ACM Conference on Data and Application Security and Privacy, Tempe, AZ, USA, March 2018 (2018)

Abstract
In Attribute-Based Access Control (ABAC) systems, access to resources is controlled by evaluating rules against the attributes of the user and the object involved in the access request, as well as the values of the relevant attributes from the environment. This is a powerful concept: ABAC is able to enforce DAC and RBAC policies, as well as more general, dynamic access control policies, where the decision to grant or deny an access request is based on the system's state. However, in its current definition, ABAC does not lend itself well to some operations, such as review queries, and it is in general more costly to specify and maintain than simpler systems such as RBAC. To address these issues, in this paper we propose a formal model of ABAC based on the notion of a category that underlies the general category-based metamodel of access control (CBAC). Our proposed approach adds structure to ABAC, so that policies are easier to design and understand, review queries become easy to evaluate, and simple systems such as RBAC can be implemented as instances of ABAC without additional costs.