Towards an Attribute Based Constraints Specification Language

Recently, attribute based access control (ABAC) has received considerable attention from the security community for its policy flexibility and dynamic decision making capabilities. In ABAC, authorization decisions are based on various attributes of entities involved in the access (e.g., users, subjects, objects, context, etc.). In an ABAC system, correct attribute assignment to different entities is necessary for ensuring appropriate access. Although considerable research has been conducted on ABAC, so far constraints specification on attribute assignment to entities has not been systematically studied in the literature. In this paper, we propose an attribute-based constraints specification language(ABCL) for expressing a variety of constraints on values that different attributes of various entities in the system can take. ABCL can be used to specify constraints on a single attribute or across multiple attributes of a particular entity. Furthermore, constraints on attributes assignment across multiple entities (e.g., attributes of different users) can also be specified. Finally, we demonstrate the usefulness of ABCL in practical usage scenarios including banking domains.