
Research On Authorization Recycling In Attribute-Based Access Control

Posted on: 2022-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y An
GTID: 2480306542950969
Subject: Mathematics
Abstract/Summary:
Traditional access control systems have certain disadvantages. For instance, the PDP (Policy Decision Point) may be a point of failure or a latent performance bottleneck that reduces system availability. Additionally, the communication delay between the PDP and the PEP (Policy Enforcement Point) can cause high authorization overhead. An efficient authorization recycling mechanism can make full use of previous access control decisions fetched from the PDP to make upcoming access control decisions more efficient. ABAC (Attribute-Based Access Control) has the advantages of flexibility, scalability, and fine granularity, which overcome the limitations of traditional access control schemes. This paper presents an ABAC model based on Boolean expressions of subject and object attributes. We define three variants of the ABAC model, ABAC((47)), ABAC((45)), and ABAC((39)), and provide corresponding authorization recycling methods. The main research work of this paper is described as follows:

1. Authorization recycling for the ABAC((47)) model is proposed. First, the method of cache construction based on the PDP decision is given; second, the SDP (Secondary Decision Point) decision rules are presented, so that the SDP can generate accurate or approximate responses based on the cached decision data and the request; third, the cache update method is introduced in detail, which simultaneously performs cache compression to reduce redundancy; finally, we prove that the SDP is safe and consistent. The ABAC((45)) model is a dual model of the ABAC((47)) model, and its authorization recycling method is similar.

2. Authorization recycling for the ABAC((39)) model is proposed. The hybrid policy can lead to policy conflicts or to the absence of a satisfiable policy. First, the method of cache construction based on the PDP decision is given; second, the SDP decision rules are given, so that the SDP can generate accurate or approximate responses based on the cached decision data and the request; finally, we provide an approach for cache updates in different situations.

3. To evaluate the hit rate of the authorization recycling approach for the ABAC model, we conducted a small-scale experiment that tests the authorization recycling method under each of the three variants. We verified the feasibility of the approach proposed in this paper.
Keywords/Search Tags:access control, ABAC, SDP, authorization recycling, caching