Literature Review on Access Control Models in Software Architecture
Abstract
In software architecture, protecting organizational assets against unauthorized access is a core cybersecurity concern. This paper surveys access control models, from the traditional paradigms of DAC, MAC, RBAC and ABAC to contemporary trends such as policy-based access control and blockchain-based access control. We categorize access control models by their usage, taking into account emerging fields such as cloud computing and the Internet of Things (IoT). Finally, we identify the open challenges in access control and propose promising directions for future research, including the integration of blockchain and the potential of machine learning to strengthen access control mechanisms.