A Scalable Permission Management System With Support of Conditional and Customized Attributes
Baiyu Liu, Abhinav Palia, Shan-Ho Yang

TL;DR
This paper introduces a scalable, flexible permission management system that supports customized and conditional attributes, enhancing traditional ABAC models with a novel string-based resource naming strategy and a secure, efficient architecture.
Contribution
It proposes a new string-based resource naming scheme and system architecture that enable customized, conditional permissions, improving scalability and flexibility over existing ABAC solutions.
Findings
Developed a string-based resource naming strategy
Designed a scalable and secure system architecture
Presented proof of concept and experimental results
Abstract
Along with the classical problem of managing multiple identities, actions, devices, APIs etc. in different businesses, there has been an escalating need for having the capability of flexible attribute based access control (ABAC) mechanisms. In order to fill this gap, several variations of ABAC model have been proposed such as Amazon's AWS IAM, which uses JSON as their underlying storage data structure and adds policies/constraints as fields over the regular ABAC. However, these systems still do not provide the capability to have customized permissions and to perform various operations (such as comparison/aggregation) on them. In this paper, we introduce a string based resource naming strategy that supports the customized and conditional permissions for resource access. Further, we propose the basic architecture of our system which, along with our naming scheme, makes the system…
Taxonomy
Topics: Cryptography and Data Security · Access Control and Trust · Cloud Data Security Solutions
