An Algebraic Model to Analyze Role-Based Access Control Policies

Role-Based Access Control (RBAC) is a well known access control model used to preserve the confidentiality of information by specifying the ability of users to access information based on their roles. Usually these policies would be manipulated by combining or comparing them especially when defined in a distributed way. Furthermore, these policies should satisfy predefined authorization constraints. In this paper, we present an algebraic model for specifying and analyzing RBAC policies. The proposed model enables us to specify policies and verify the satisfaction of predefined authorization constraints. Furthermore, the model allows us to combine policies and analyze their effect on predefined constraints. The model consists of few operators that give simplicity in specifying polices. We present a prototype tool used for facilitating the analysis.


Introduction
Many organizations require their information be stored securely so that it can be accessed only by legitimate users while others should be denied this access.One way to provide the confidentiality of information is to control its access and be limited to legitimate users only.Therefore, policies are specified to describe the allowed access for each user, and then mechanisms are implemented to enforce these policies.There are several access control approaches available in the literature to represent policies such as Discretionary Access Control (DAC) where a policy is determined by the owner of an object, Mandatory Access Control (MAC) which consists of rules that grant users access to resources, Role-Based Access Control (RBAC) that gives authorization to roles instead of individuals, and Attribute-Based Access Control (ABAC) which gives authorization based on the attributes of users instead of their identities.
RBAC is one of the most used approaches in organizations especially when the number of users is large.However, in such organizations, managing policies becomes complex.For example, an administrator may need to analyze the defined policies to ensure secure properties based on predefined constraints.A policy can be viewed as a rule which states a privilege of a user to access a specific object, whereas constraints are expressions defined to verify security properties.For example, a constraint can be stated as the developer cannot access the codes that are in quality assurance phase.Another constraint related to the hierarchy of rules could state that the division manager has more authority than the department manager.Therefore, any policy that gives an authorization to the department manager should give it as well to the division manager.There are different kinds of constraints presented in the literature such as constraints based on multi-level security as in (Bell & La Padula 1976) model.This model gives security labels to objects (e.g., information) and subjects (e.g., users).Each object and subject is assigned a security level.Bell-LaPadula model enforces its constraints by prohibiting any flow of information from a high level to a lower one.Other constraints are based on the Chinese wall model (Brewer & Nash 1989) that prohibits a user from accessing two sets of information that belong to the conflict set.However, these two models are restrictive i.e., do not give flexibility in defining policies and are not intended for RBAC.
Other models are presented in the literature that give flexibility in defining policies and enforcing predefined constraints such as (Ahn & Sandhu 2000), (Crampton 2003), (Jaeger & Tidswell 2001), (Sabri & Hiary 2016), and (Sabri 2015).However, these models do not allow calculation on policies, such as analyzing the effect of composing policies on the enforcement of constraints.
Managing policies, especially when defined from different resources, would require combining them to get a unified global policy, or comparing them to select the most restricted policy to apply.Several models are proposed in the literature to handle the composition of policies such as (Bonatti 2002) and (Wijesekera & Jajodia 2003) but not comparing them.
In this paper, we propose an algebraic model to analyze role-based access control policies.Our model is an information algebra (Kohlas & Stärk 2007).Information algebra is an abstract algebraic system that links several representations of information into one structure.Its main element is information which can be a policy.Each information is associated with a frame which can be seen as a classification to its parts e.g., role, object, subject, etc. Information algebra enables us through its operators to compare policies and combine them.The main contribution of this paper is proposing a comprehensive algebraic model to specify and analyze RBAC policies and enforce constraints.
The main features of the proposed algebraic model are: • The model allows specifying and enforcing constraints.
• The model allows combining and comparing policies.
• The proposed algebraic model allows having calculation.For example, it allows analyzing the effect of composing information on the satisfaction of a constraint.
• The model is based on a well-defined theory called information algebra which enables us to inherits all its theories.
• The model consists of few operators which gives simplicity in specifying and analyzing policies.The structure of the paper is as follows: Section 2 summarizes information algebra.Section 3 presents the proposed algebraic model and its application in analyzing policies.Section 4 demonstrates our prototype tool used in the analysis of access control policies.Section 5 presents related work.Finally, we conclude in Section 6.

Information Algebra
Kohlas and Stärk (Kohlas & Stärk 2007) introduced an abstract algebraic structure ((Φ,•), (,⋎,⋏), ↓, , ) to connect several representations of information such algebraic specifications, relational databases, modules, and constraint systems (Kohlas & Stärk 2007) and (Khedri, Chiang & Sabri 2013).Also, information algebra is used as an abstract structure to represent knowledge of agents in analyzing the flow of information in multi-agent system (Sabri, Khedri & Jaskolka 2009b).Information algebra contains a set of information Φ and an operator ⋅ to represent combining information.Furthermore, it contains a lattice of frames (,⋎,⋏) that gives a classification to the information with an ordering relation ≼.In addition, information algebra contains an operator ↓ to restrict an information to a part that belongs to a specific frame, and an operator d that gives the frame of an information.Each frame x contains an information called the empty information e x .Information algebra is any algebraic system that satisfies the following ten axioms.
(1) () = () Axioms 1 and 2 state that combining information is commutative and associative.Axiom 3 relates combining pieces of information to their frames.Axioms 4, 5, and 6 show properties of the empty information.Axioms 7 and 8 present properties of the restricting operator.Axioms 9 and 10 show properties of the combining and restricting operators together.

The Proposed Algebraic Model
In this section, we propose an algebraic model to represent role based access control and show that our model is information algebra, and therefore, reuse the theory of information algebra.In our model, a RBAC authorization policy is an information.We represent information as a function formulated as a set of 2-tuples (i,A) where i is an index used to classify an information and A is a set such as {(i, A), i ∈ J ∧ A ∈  }, where  is the set of all elements that are classified as i and J is a frame.We use the set Φ to represent the set of all authorization policies that can be defined in an organization, and use the set Φ p to denote the defined authorization policies in an organization.
The set of all possible classifications of information is the set of frames and is denoted by I such that  ∈ .The lattice D constructed from the frames is (℘(),∪,∩).In RBAC policies, the set of frames is I = {role, object, privilege} because a RBAC policy consists of a role, object, and a privilege.An empty information is defined as  ≜ {(, ∅) | ∈ }, where  ∈  is a frame.We call the structure  = (Φ , (Φ, ) a policy structure.
Definition 1 requires that an authorization policy should include information about role, object and privilege.For example, the information {(role, {manager}), (object, {file_1}), (privilege, {read})} is an authorization policy that states any user playing the role of manager can read from file_1.A policy in our structure states the allowed actions of subjects on resources.It does not include the prohibited actions.
A policy that contains an empty set is called partial policy such as {(role, {manager}), (object, {file_1}), (privilege, {}).In this paper, when we use the term policy we mean non-partial policy unless otherwise stated.The information {(role, {Alice}), (object, {file_1})} is not an authorization policy as the domain of the information is not I.
In addition to the knowledge of policies, RBAC contains knowledge that links roles to subjects  = (Φ , (Φ ,  ).For example, an information in that knowledge can be {(role, {Manager}), (subject, {Alice})} which indicates that Alice plays the role of manager.The frame of information in  is () = {, }.Later in this section, we show the way of relating privileges to subjects based on their roles.The next section discusses the different ways to combine policies and to compare them based on their flexibility.

Manipulating Policies
We present two ways of combining policies.The first one expands the authorization.For example, an organization may specify that the manager is allowed to read from file_1, and another organization specifies that the manager is allowed to write into file_1.By combining the two authorization policies, we get the policy {(role, {manager}), (object, {file_1}), (privilege, {read, write})} that allows the manager to read and write into file_1.We define this way of combining policies as follows: The domain of  and  is the same which is {role, object, privilege}.Usually, we represent the combining operator  •  as  (omit the dot).
Another way of combining policies is to restrict the privileges of the two policies by considering the common ones only.For example, by combining the authorization policy {(role, (manager}), (object, {file_1, file_2}), (privilege, {read})} with the policy {(role, {manager}), (object, {file_1}), (privilege, {read, write})} we get a more restricted policy that allows the manager to read from file_1 {(role, {manager}), (object, {file_1}), (privilege, {read})}.We define this operator as: In case no common privilege exists in  and , combining them  *  gives a partial policy.
It is proved in (Sabri, Khedri & Jaskolka 2009a) that (Φ,⋅) is an idempotent commutative semigroup.Therefore, it has a natural order ≤ such that  ≤  ⟺  •  =  .We use this relation to compare policies based on their flexibility.
Definition 2 (More restricted relation).An authorization policy  is more restricted than the authorization policy  iff all the privileges provided by  are also provided by .We denote that by  ≤ .

Composite Policy
An information can be a composite policy.For example, the information {(subject, {Bob}), (object, {file_2}), (privilege, {read, write})} is a composite policy that contains two authorizations.The first one indicates that Bob can read from file_2.The second one states that Bob can write into file_2.Definition 3 (Elementary Policy).Let , ,  be policies such that  ≠ .We call  an elementary policy iff ∀(,  | ,  ∈ Φ ∶  ≠ ).

Set of Policies
Usually, a set of authorization policies are defined to control the access of objects in an organization.These policies state the privileges of roles on objects.This is what we denote by Φ p .These policies can be either elementary or composite.For example, the following policies can be defined in an organization to state that the manager is allowed to write into file_1, while the developer is allowed to write into file_1 and read and write into file_2.
Based on the operators of our model, we define two functions on the set of information.The first function is isThereAPolicy defined formally as ℎ(, ) ≜ ∃( |  ∈ Φ ∶  ≤ ).This function checks the existence of a policy  in the policy structure  = (Φ , (Φ, )) that is more flexible than .In other words, this function checks the existence of a policy, within the defined authorization policies in an organization, that allows the request .The set Φ is the set of all possible policies, and Φ P is the set of defined policies in an organization.The second function extracts all policies satisfying a specific condition.The function is defined as (, , ) ≜  ↓  ∈  ∧  ≤  ∧  ⊆ ()} which returns pieces of information from the policy structure  that contain  after restricting them to the frame J.
We use these two functions to check the ability of a user to access an object.The user request consists of a subject, role and the requested action.We represent the access request as an information.Before authorizing a subject to access an object, the following steps should be performed • extract the role of the requested subject  ∈   , {},  ↓{ } .
• combine the role with the object and the requested privilege  =  •  ↓{ , } .
• verify the existence of a policy that gives an authorization to the requested access through the function ℎ(, ).
Furthermore, we can compare two set of polices based on their flexibility.To perform the comparison, we apply the function Singleton defined as (Φ) = {  |  ∈ Φ ∧  ∈ ()}.Then, use set operators to compare the two sets of policies.

Constraints Validation
In this section we present different kinds of constraints and show their representations within our algebraic model.
Hierarchy: An organization can state a constraint that the manager role should have more authority than the nurse role.To verify the compliance of a new defined policy in the organization with that constraint, we can perform the following check.Assume that  is the policy to be defined in the organization.Let  = {(role, {manager}) and  = {(role, {nurse}).The verification can be represented as  ≤  ⇒  ≤  which indicates that giving a nurse a privilege implies that the manager is given the same privilege.
Cardinality: An organization can state a constraint that no subject is assigned to more than one role.We can verify this constraint using the proposed algebraic model based on the  knowledge since it contains the association between roles and subjects.In order to perform the verification, we first assume that all the pieces of information in Φ are elementary which can be achieved by using the Singleton function.Then, we extract all the subjects from  as  = ( , {},  ∅ ).This function extracts all the available subjects i.e., having the empty information in the condition of the extract function.After that, we extract the set of roles for each subject and verify that the extracted set contains one role as ∀( |  ∈  ∶  = ( , {}, ) ∧ || = 1).
Another example of the cardinality is for example the total number of roles that can read from file_1 should be at least three.This constraint can be verified within our model as (, {}, ) > 3 where  = {(subject,{file_1}), (privilege, {read})}.
The verification is based on the extract function which depends on the relation  ≤  where  is a condition and  is an organization policy.It has been proved in (Sabri & Hiary 2017) that  ≤  ⇒  ≤ .Therefore, combining the policies of the organization  with other policies would not affect the satisfaction of the constraint ( ≤ ), and therefore, does not require rechecking.Furthermore, restricting the condition would not affect the constraint as well  ≤  ⇒  *  ≤ .
Separation of duties: An organization may state that two particular roles should never be assigned to the same person such as no user should play the role of developer and QA.This constraint can be verified by extracting all the subjects playing the role of developer and playing the role of QA.The intersection should be the empty set.

Related Work and Discussion
Several methods are available in the literature for specifying and analyzing access control policies.In this section, we summarize the most related models and compare them with the proposed one.(Fisler, Krishnamurthi, Meyerovich, & Tschantz,2005) present a formal way to verify policies written in xacml language related to known properties with the use of the software suite Margrave.An example of a property given in (Fisler et al. 2005) is that there is no student who can assign external grades.Also, an example of a policy is given as: Requests for students to receive external grades.We can represent this policy as {(role, {student}), (object, {ExternalGrades}), (privilege, {receive})} and perform the verification as described in the paper.(Crampton 2003) develops a setbased specification scheme for authorization constraints in role-based access control systems and suggests an enforcement model to satisfy these constraints.(Ahn & Sandhu 2000) introduce a formal language for specifying role-based authorization called RCL 2000.They apply the language to express authorization constraints such as separation of duties.Our model allows us, in addition to this kind of verification, to compose and compare policies.(Adi, Bouzida, Hattak, Logrippo, & Mankovskii 2009) use context expressions for specifying policies at different levels of abstraction, and define a type system to detect conflicts.(Bruns, Dantas, & Huth 2007) define an access control policy language as a four-valued predicate.The language is based on Belnap logic and the truth values corresponds to "grant", "deny", "conflict", and "undefined".This language is used in (Bruns & Huth 2008) for the analysis and composition of policies.Constraint logic programming is used by (Barker & Stuckey 2007) to represent an extension to the RBAC model which allows defining access policies that may include features, like denials of access and temporal authorizations.Furthermore, (Sabri & Obeid 2016) develop a theory based on defeasible logic to handle conflicting policies.However, this language is not used for specifying and enforcing constraints.
Also, algebraic methods are introduced in the literature for the analysis of access control policies.For example, the paper of (Bonatti, De Capitani di Vimercati, & Samarati 2002) proposes an algebra for composing policies.It provides an algebraic method for composing them such as union, intersection and difference.This paper does not provide a way of comparing the flexibility of policies.(Li & Wang 2006) introduce an algebra for the specification of high level policies that combine requirements of users' attributes with requirements of the number of users.Also, they study the potential mechanisms to enforce these policies and the complexity related to policy analysis and enforcement.However, the focus of this paper is on the separation of duties policies which is different from ours.(Wijesekera & Jajodia 2003) present a propositional algebra to model access control policy operators such as union, intersection, sequential composition, etc.However, the access control model of this paper is not RBAC.

Conclusion
In this paper, we present an algebraic model to specify and analyze Role-based Access Control (RBAC) authorization policies.We give a formal definition to a policy, and we distinguish between elementary and composite policies.Furthermore, we define operators on policies and set of policies.The main advantages of the structure is that it enables us to analyze RBAC policies at two different levels: policy level and set of policies level.Also, the presented model enables us to manipulate policies and sets of policies by combining and comparing them, check authorization constraints, and control user requests to access resources.
We developed a prototype tool implemented using Haskell programming language for the specification and manipulating of policies.As a future work we aim at extending the model to involve the set of prohibited objects from a set of user subjects and to detect potential conflicts as a result of combining policies.