Analysis of the methods for attribute-based access control

The paper contains an analytical overview of the basic models and methods for access control from the traditional ones (DAC, MAC, RBAC) to the latest developments — numerous models implementing attribute based access control (ABAC). The model of typed attribute based access control (TAAC) being developed currently is described. The following disadvantages of traditional models are pointed out: identification of entities with unique names; access rights redundancy (“coarse-grained access control”); difficult managing large number of users; operating in closed environments; the inability to use integrated security policies; lack of built-in administration tools. It is found out that to ensure the safe sharing of information resources in both local and global computing environments, access control models must meet the requirements of universality, flexibility and ease of administration while performing the following tasks: identification of entities by several features for fine-grained access control; design and use of multiple access control policies to implement the “multiple policy” paradigm and adapt the system to work in various environments; administration as a means for dynamic policy modeling and convenient privilege managing a large number of users. The advantages and disadvantages of different types of ABAC models are considered. The advantages are: identification of entities by sets of attributes; “fine-grained access control”; flexibility and expressiveness of model specification languages; the possibility of creating new and modeling traditional methods of access control; relative ease of administration; managing privileges of groups of users. The main disadvantage of ABAC is the complexity of calculating attribute values. It is shown that the TAAC models meet the above requirements and provide the following: “fine-grained access control” by identifying entities with the sets of typed attributes; decrease in complexity and increase in speed of calculations; management privileges of hierarchical groups of subjects and objects; dynamic policy construction; multi-criteria access control.