Attribute-based access control (ABAC) models are widely used to provide fine-grained and adaptable authorization based on the attributes of users, resources, and other relevant entities. Hierarchical group and attribute based access control (HGABAC) model was recently proposed which introduces the novel notion of attribute inheritance through group membership. GURA <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">G</sub> was subsequently proposed to provide an administrative model for user attributes in HGABAC, building upon the ARBAC97 and GURA administrative models. The GURA model uses administrative roles to manage user attributes. The reachability problem for the GURA model is to determine what attributes a particular user can acquire, given a predefined set of administrative rules. This problem has been previously analyzed in the literature. In this article, we study the user attribute reachability problem based on directly assigned attributes of the user and attributes inherited via group memberships. We first define a restricted form of GURA <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">G</sub> , called rGURA <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">G</sub> scheme, as a state transition system with multiple instances having different preconditions and provide reachability analysis for each of these schemes. In general, we show PSPACE-complete complexity for all rGURA <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">G</sub> schemes. We further present polynomial time algorithms with empirical experimental evaluation to solve special instances of rGURA <sub xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">G</sub> schemes under restricted conditions.
Read full abstract