Ontology-based Evaluation of ABAC Policies for Inter-Organizational Resource Sharing

Attribute-based Access Control (ABAC), as the name suggests, determines whether an access request be granted based on the attributes or characteristics of the requesting user, those of the requested resource, and the environmental condition in which the request is generated. An important advantage of such an identity-agnostic model is that access control can be imposed even on users from other organizations if they are able to prove their attributes to the reference monitor of the organization whose resources are being accessed. It would, however, require a mechanism for mapping the attributes and their values among these organizations. We propose an ontology based method for addressing this requirement. Besides meeting the needs of collaborative accesses, we show how such an approach can be made to naturally support hierarchical ABAC policies as well as controlled relaxation during policy enforcement.