S-ABAC

Role-based access control (RBAC) is the standard for organisations. Being a researcher, you have access to certain documents, apps and services, while being financial advisor you have access to another set of documents, apps and services. However, the role-based access implies “once authenticated, you have access”, which is not sufficient for today’s security praxis. As example, if someone has stolen your password, he has access to all your files. The Semantic Attribute Based Access Control (S-ABAC) adds a new dimension to the control. Not only your password might be requested, but also the network or the IP address used to connect. And, if the S-ABAC requires a connection from a given network or a given location, then, even though your password is correctly used, the attacker does not get access.

A Semantic Attribute based access control provides the means for different actors having access to different types of information of a system. The former notation of Role-based access control (RBAC) is extended, where "role" is one attribute deciding on the access. As an example, your data of your "heat pump" (energy efficiency) are of interest for a) the house owner, b) the manufacturer, c) the municipalities, d) the maintenance company, e) the person renting the flat, f) the energy distributor. Which data (e.g. statistical) and who has access (attribute: grade of access: monitor, control, configure) might be subject to a security and privacy analysis (attribute: required security level). S-ABAC is seen as tool to provide the functionality, but needs R&I to become usable in a distributed cloud.

Potential output
These software components would form the S-ABAC-framework and would include components like policy definition endpoint and tool including Semantic concepts, policy enforcement point, Attribute management point, etc.
 * Ontologies related to Access Control for the specific domains
 * methodology and technology description for how to include semantic specifications, i.e., the above mentioned ontologies, in the ABAC model.
 * software implementation of a S-ABAC engine that would extend existing ABAC engine/framework with semantic reasoning tools and ontology editing capabilities.