
I am asked to answer a question that says:

An online book-store wants to grant access to clients according to their subscription. There are 3 types of subscriptions: A, B and C. Customers get access to the subscription type they chose. Also, if a book is not listed in the subscription list it is free for all, and every 15th of every month all books are free.
1) Describe the above policy with a formal representation in ABAC.
2) How many roles does the RBAC model need, and which ones?

I have studied the Al-Kahtani & Sandhu paper, which only covers RBAC, not ABAC.
In my understanding I have to set 2 rules for ABAC.
The first rule will let the 3 types of subscribers have all unlisted books for free. The second rule will contain an (environment) date attribute equal to the 15th, on which all books will be free. Or is it something completely different?

As far as RBAC goes, I need 3 roles corresponding to the subscription names.

Any help is appreciated, as I can't find any literature that has an ABAC policy formulation example.

Asked by Jamesgr; edited by David Brossard

1 Answer

Axiomatics provides an authorization policy lifecycle that will help you formulate your ABAC policy.

  1. Define the use case
  2. Define the use case’s authorization requirements in natural language statements
  3. Identify the attributes that are used in the natural language statements
  4. Identify where the attributes come from
  5. Rework the natural language statements as attribute-based rules
  6. Define the test cases
  7. Connect the dots: draw an architecture diagram of the overall system

Let's work through your example.

Use Case

An online book-store wants to grant access to clients according to their subscription. There are 3 types of subscriptions: A, B and C.

Authorization requirements

  1. Customers get access to the subscription type they chose.
  2. If a book is not listed in the subscription list it's free for all.
  3. Every 15th of every month all books are free.

Identify attributes

User Attributes

  1. User role e.g. customer
  2. User subscription plan e.g. A, B, C
  3. Optionally customer status (active, inactive)

Resource Attributes

  1. Book subscription plan

Action Attributes

  1. Action id e.g. view, delete, approve...

Contextual Attributes

  1. Date / Day of the month

Identify the source of the attributes

In this stage you define whether the attributes come from a database, an LDAP directory, a web service... This is more of an implementation / deployment concern. In this theoretical exercise, you can skip this step.

Rework the natural language statements as attribute-based rules

  1. A user with the role == customer can do the action == download on an object of type == book if customer.subscription == book.subscription
  2. A user with the role == customer can do the action == download on an object of type == book if book.subscription == ''
  3. A user with the role == customer can do the action == download on an object of type == book if date.day == '15'

In conclusion it means your RBAC model needs a single role, customer.

You can use the ALFA language to model your policies and convert them into XACML, the eXtensible Access Control Markup Language.

Answered by David Brossard

    Thanks for the reply, I now understand where I've been wrong, which led me to the conclusion that I needed 3 roles for the RBAC model. – Jamesgr Jan 22 '16 at 10:01
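The three attribute-based rules from the answer, together with the test cases that step 6 of the lifecycle calls for, as an added example that is not part of the original question or answer. It is a minimal policy decision point in Python rather than ALFA/XACML so that it can be run directly. Assumptions not stated on the page: the rules are combined deny-unless-permit (the first rule whose condition holds permits, otherwise the decision is Deny); the action is `download` and the resource type is `book` as in the answer's rules; an empty `book.subscription` means "not listed in any plan"; and the day-of-month environment attribute is taken from the PDP's own clock, never from the client's request. All names, the `Request` class and the sample requests are constructed for illustration.

```python
"""Minimal ABAC policy decision point (PDP) for the book-store policy.

Added example, not code from the original question or answer. Encodes the three
attribute-based rules from the answer and evaluates them deny-unless-permit
(an assumption; the answer does not name a combining algorithm).
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple

# Attribute values used by the rules (illustrative assumptions).
ROLE_CUSTOMER = "customer"
ACTION_DOWNLOAD = "download"
TYPE_BOOK = "book"
UNLISTED = ""      # book.subscription == '' means "not in any subscription list"
FREE_DAY = 15      # every 15th of the month all books are free


@dataclass(frozen=True)
class Request:
    """One access request: subject, action, resource and environment attributes."""
    user_role: str
    user_subscription: Optional[str]   # "A", "B", "C", or None for no plan
    action: str
    resource_type: str
    book_subscription: str             # plan the book is listed in, or UNLISTED
    day_of_month: int                  # environment attribute from the PDP clock


def _customer_downloads_book(r: Request) -> bool:
    """Target shared by all three rules: role == customer, action == download, type == book."""
    return (r.user_role == ROLE_CUSTOMER
            and r.action == ACTION_DOWNLOAD
            and r.resource_type == TYPE_BOOK)


def rule_plan_matches(r: Request) -> bool:
    """Rule 1: customer.subscription == book.subscription."""
    return _customer_downloads_book(r) and r.user_subscription == r.book_subscription


def rule_unlisted_is_free(r: Request) -> bool:
    """Rule 2: a book not listed in any subscription plan is free for all customers."""
    return _customer_downloads_book(r) and r.book_subscription == UNLISTED


def rule_free_day(r: Request) -> bool:
    """Rule 3: on the 15th of the month every book is free."""
    return _customer_downloads_book(r) and r.day_of_month == FREE_DAY


RULES: List[Tuple[str, Callable[[Request], bool]]] = [
    ("plan-matches", rule_plan_matches),
    ("unlisted-is-free", rule_unlisted_is_free),
    ("free-day", rule_free_day),
]


def decide(r: Request) -> Tuple[str, Optional[str]]:
    """Deny-unless-permit: return ("Permit", rule name) for the first matching rule, else ("Deny", None)."""
    for name, condition in RULES:
        if condition(r):
            return ("Permit", name)
    return ("Deny", None)


def build_request(user_role: str, user_subscription: Optional[str],
                  book_subscription: str, day_of_month: int,
                  action: str = ACTION_DOWNLOAD) -> Request:
    """Assemble a request; the caller passes the day from a date the PDP trusts."""
    return Request(user_role, user_subscription, action, TYPE_BOOK,
                   book_subscription, day_of_month)


if __name__ == "__main__":
    # Constructed test cases (lifecycle step 6): one per rule plus the deny paths.
    weekday, free_day = date(2016, 1, 22).day, date(2016, 1, 15).day
    cases = [
        ("plan A reads plan A book",     build_request("customer", "A", "A", weekday), "Permit"),
        ("plan A reads plan B book",     build_request("customer", "A", "B", weekday), "Deny"),
        ("plan A reads unlisted book",   build_request("customer", "A", UNLISTED, weekday), "Permit"),
        ("plan A reads plan B on 15th",  build_request("customer", "A", "B", free_day), "Permit"),
        ("guest reads plan B on 15th",   build_request("guest", None, "B", free_day), "Deny"),
        ("customer deletes plan A book", build_request("customer", "A", "A", weekday, action="delete"), "Deny"),
    ]
    for label, req, expected in cases:
        decision, rule = decide(req)
        print(f"{'ok' if decision == expected else 'FAIL':4} {label}: {decision} ({rule})")
```

Two points the code makes visible that the prose does not: the rules never touch a subscription-named role, so a single `customer` role is enough and the plan lives entirely in an attribute; and the `day_of_month` value is the one attribute a client would have an incentive to forge, so it should be resolved by the PDP (or its attribute source) rather than accepted from the request. Note that, following the answer's rules literally, a non-customer is denied even on the 15th; if "free for all" is meant to include anonymous visitors, rules 2 and 3 would drop the `role == customer` target.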