Commit f916808

mo khan <mo@mokhan.ca>
2025-03-17 19:59:19
docs: read more papers from Dr. Philip W.L. Fong
1 parent d981d42
doc/share/authz/ABAC.md
@@ -1,1 +1,15 @@
 # Attribute-Based Access Control (ABAC)
+
+> Attribute-based access control (ABAC) is considered one of th emost generalized
+> forms of access control as it can capture the salient features of discretionary
+> access (DAC), mandatory access control (MAC) and role-based access control
+> (RBAC) using appropriate attributes such as access control lists, security
+> labels and roles respectively. [5]
+
+## See Also
+
+* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5]
+* [A Capability-based Distributed Authorization System to Enforce Context-aware Permission Sequences][6]
+
+[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828
+[6]: https://dl.acm.org/doi/pdf/10.1145/3532105.3535014
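Review bot: the block quote attributed to [5] has a typo, `th emost` should read `the most`, and `discretionary access (DAC)` drops the word `control`; since the `>` quote presents this as the paper's own wording, check it against the source and either quote it exactly or drop the quote formatting and paraphrase with the citation. The See Also entries give titles only, while the ReBAC.md reference list names the author for [1]; adding author and venue here would keep the two lists consistent.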
doc/share/authz/POLICY.md
@@ -49,3 +49,5 @@ end
 class Issue
 end
 ```
+
+[Social Network Graph](./sns.dot.png)
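Review bot: `[Social Network Graph](./sns.dot.png)` is a plain link, so the PNG opens as a separate file rather than rendering inline; use image syntax, `![Social Network Graph](./sns.dot.png)`, if the intent is to show the diagram in POLICY.md. The label is also misleading: the graph in sns.dot contains only `Organization`, `Group`, `Project` and `Issue` joined by `belongs_to` edges, a resource-to-resource hierarchy with no users, which is exactly the part of the model that README.md in this same commit says does not represent user-to-user relationships.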
doc/share/authz/README.md
@@ -26,6 +26,13 @@ Criteria for evaluating policy languages:
 * Must have concise documentation
 * Must provide ability to extend language using Ruby/Golang for describing complex policies.
 
+Ideally, we must be able to model the following relationships:
+
+* `user-to-resource`
+* `resource-to-resource`
+
+Note that `user-to-user` relationships are not currently represented in the existing access control model.
+
 ## Organizational Hierarchy
 
 How does a permission cascade down a group hierarchy?
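Review bot: `Ideally, we must be able to model` mixes an aspiration with a hard requirement; the surrounding criteria use `Must`, so either promote the two relationship kinds to `Must` items in the list above or write `Ideally, we should be able to model`. The note on `user-to-user` relationships would also be more useful to someone applying these criteria if it stated the consequence for evaluating a policy language (whether support for user-to-user relations is required, optional, or out of scope), since that is the question the criteria list exists to answer.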
doc/share/authz/ReBAC.md
@@ -28,6 +28,20 @@ essentially formulating the following policy: `grant p to user u if R(u)`.
 
 PriMA is another recently proposed privacy protection mechanism for SNSs.
 
+Unlike [RBAC][4] and [ABAC][3], ReBAC policies deal with relational policies
+rather than unary predicates on attributes and roles.
+
+In, Online Social Network (OSN) applications, authorization for users' access to
+specific content is typically based on ther interpersonal relationships between
+the accessing user and content owner. OSN ReBAC models user user-to-user
+relationships.
+
+The user of indirect relations, also called multilevel or composite relations,
+is fundamental to ReBAC (e.g. friend of friend).
+
+Recently, researchers have proposed extended ReBAC models applicable to other
+computing systems beyond OSNs.
+
 ## Access Control Policies
 
 Let `U` be the set of all users in the system.
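Review bot: several wording slips in the new paragraphs: `In, Online Social Network` has a stray comma, `ther interpersonal relationships` should be `the interpersonal relationships`, `models user user-to-user relationships` repeats `user`, and `The user of indirect relations` should be `The use of indirect relations`. The opening sentence, `ReBAC policies deal with relational policies rather than unary predicates`, is circular; say what the predicate ranges over, for example `ReBAC policies are predicates over the relationships between the requester and the resource owner, whereas RBAC and ABAC policies are unary predicates on the requester's roles or attributes`, which is the distinction the OSN paragraph then illustrates. The closing sentence `Recently, researchers have proposed extended ReBAC models` has no citation; if it paraphrases [5], add the marker.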
@@ -121,6 +135,10 @@ relationships can be "activated" simultaneously.
 
 * [Relationship-Based Access Control: Protection Model and Policy Language by Philip W. L. Fong][1]
 * [Learning Relationship-Based Access Control Policies from Black-Box Systems][2]
+* [Classifying and Comparing Attribute-Based and Relationship-Based Access Control][5]
 
 [1]: https://cspages.ucalgary.ca/~pwlfong/Pub/codaspy2011.pdf
 [2]: https://dl.acm.org/doi/pdf/10.1145/3517121
+[3]: ./ABAC.md
+[4]: ./RBAC.md
+[5]: https://dl.acm.org/doi/pdf/10.1145/3029806.3029828
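Review bot: `[4]: ./RBAC.md` is used by the new prose above, but no RBAC.md is added or touched in this commit, so confirm the file already exists or the link will be dead; `[3]: ./ABAC.md` resolves to the page created in this same commit. The visible reference list now runs [1], [2], [5] with [3] and [4] used only inline, which works for relative links but is worth a one-line comment so a later edit does not renumber them out of step with ABAC.md, which also uses [5] for the same paper.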
doc/share/authz/sns.dot
@@ -0,0 +1,5 @@
+digraph {
+  Group -> Organization[label="belongs_to"];
+  Project -> Group[label="belongs_to"];
+  Issue -> Project[label="belongs_to"];
+}
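Review bot: the file name sns.dot suggests a social network, but the graph contains no users, only a `belongs_to` chain from `Issue` up to `Organization`; either rename it (for example resource-hierarchy.dot, assuming that is the intent) or add user nodes so the name matches the `user-to-resource` relationship README.md asks for. Style: put a space before each attribute list (`Group -> Organization [label="belongs_to"];`), and since every edge carries the same label, a graph-level default `edge [label="belongs_to"];` removes the repetition. With edges pointing child to parent, `rankdir=BT;` would draw `Organization` at the top, which matches how README.md describes permissions cascading down the group hierarchy.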
doc/share/authz/sns.dot.png
Binary file
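Review bot: sns.dot.png is a build artifact that the new `Graphviz` target in magefile.go regenerates from sns.dot; committing it alongside its generator means it silently goes stale whenever the .dot file changes without the target being rerun. Either keep the PNG out of the repository and generate it in the docs build, or add a CI step that runs the target and fails when the regenerated file differs from the committed one.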
magefile.go
@@ -85,3 +85,12 @@ func Test(ctx context.Context) error {
 	})
 	return sh.RunV("go", "test", "-shuffle=on", "-v", "./...")
 }
+
+func Graphviz() error {
+	return sh.RunV("dot", "-Tpng", "-O", "doc/share/authz/sns.dot")
+}
+
+// Generate documentation
+func Docs(ctx context.Context) {
+	mg.CtxDeps(ctx, Graphviz)
+}
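Review bot: `Graphviz` hardcodes a single input file and `Docs` returns nothing, so a failure of `dot` (including it simply not being on PATH) is reported only through `mg.CtxDeps` rather than through the target's own return value; declare `Docs` as `func Docs(ctx context.Context) error`, and consider iterating over `doc/share/authz/*.dot` with `filepath.Glob` so the next diagram does not need a new target. `Graphviz` takes no `ctx` while `Docs` does; giving both the same signature keeps the targets uniform, and `Graphviz` needs a doc comment, since mage uses it as the description shown by `mage -l`. Note that `-O` writes the output next to the input as `sns.dot.png`, the name POLICY.md links to, so the two stay in sync only as long as the input filename does not change.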