Relationship-based access control (ReBAC) has been widely studied and applied in the domain of online social networks, and has since been extended to domains beyond social. Using ReBAC itself to manage ReBAC also becomes a natural research frontier, where we have two ReBAC administrative models proposed recently by Rizvi et al. [30] and Stoller [33]. In this paper, we extend these two ReBAC administrative models in order to apply ReBAC beyond online social networks, particularly where edges can have dependencies with each other and authorization for certain administrative operations requires provenance information. Basically, our policy specifications adopt the concepts of enabling precondition and applicability preconditions from Rizvi et al. [30]. Then, we address several issues that need to be considered in order to properly execute operation effects, such as cascading revocation and integrity constraints on the relationship graph. With these extended features, we show that our administrative models can provide the administration capability of the MT-RBAC model originally designed for multi-tenant collaborative cloud systems [34].
An authorization model for group-centric organizational collaboration has been recently proposed wherein multiple organizations may collaborate via groups [3]. Each group is independent of all others and adheres to the formal semantics of Group-Centric Secure Information Sharing models (g-SIS) [2], [4]. Motivated by [3], in this paper, we develop a model for group-centric collaboration in which an organization forms groups to collaborate with outside consultants on specific projects. A core principle is that such outsiders cannot fit in the existing organizational access control structure as they are not "true insiders" but rather "expedient insiders." In our proposed model, each group duplicates the organizational access control structure in an identical but separate copy, initially without any assignment of users or objects. The group is then populated and maintained by bringing selected true insiders, expedient insiders, and objects together to enable collaboration. The formal model consists of administrative and operational parts covering the complete life-cycle. While the general concepts are applicable regardless of the specific models used for the organizational access control structure, to be concrete we consider the specific case of multilevel systems that enforce lattice-based access control [7].