ABAM: An Attribute-Based Access Matrix Model

Xinwen Zhang
Department of Information and Software Engineering
George Mason University
xzhang6@gmu.edu

Yingjiu Li
School of Information Systems
Singapore Management University
yjli@smu.edu.sg

Divya Nalla
School of Information Systems
Singapore Management University
divyanalla@smu.edu.sg

August 9, 2005

Abstract

In traditional access control models like mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC), authorization decisions are determined according to the identities of subjects and objects, which are completely authenticated by a system. Recent access control practices, such as digital rights management (DRM), trust management, and usage control, require flexible authorization policies. In such systems, a subject may be only partially authenticated according to one or more attributes. Authorization policies are specified with subject and object attribute values. In this paper we propose an attribute-based access matrix model, named ABAM, which extends the original access matrix model. We show that ABAM enhances the expressive power of the access matrix model by supporting attribute-based authorizations and dynamic permission propagations. Specifically, ABAM is comprehensive enough to encompass traditional access control models as well as some usage control features. As expressive power and safety are two fundamental but conflicting objectives of an access control model, we study the safety property of ABAM and conclude that the safety problem is decidable for a restricted case where the attribute relationship graph allows no cycles containing creating-attribute tuples. The restricted case is shown to sustain good expressive power to model practical systems.

1 Introduction

Protection systems aim at protecting various resources from damage or unauthorized access, and allowing multiple users to share the same resources.
A model should be defined in such a way that it is capable of expressing practical systems, most of which are dynamic. In a dynamic system, a state change can be caused by external actions or by operations from subjects inside the system (including system administrators). In an access control system, a state is specified by a set of subjects, objects, and access control configurations which determine authorization relations between the subjects and objects. Traditionally, a state change is caused by an administrative operation. Modern access control systems are more dynamic, in that an access operation of a subject can change the system state. Instead of the totally authenticated subject identities of traditional access control models, recent practices like DRM, trust management, and usage control consider partially authenticated subjects, which are specified by one or more attributes, such as role names, credit balances, locations, ages, etc. Partial authentication means that a system only requires the authentication of one or more attributes of a subject. For example, a