Literature Review on Access Control Models in Software Architecture

[1] S. Parkinson and S. Khan, “A Survey on Empirical Security Analysis of Access-control Systems: A Real-world Perspective,” ACM Comput. Surv., vol. 55, no. 6, pp. 1–28, Jul. 2022, doi: 10.1145/3533703.
[2] S. M. Awan, M. A. Azad, J. Arshad, U. Waheed, and T. Sharif, “A Blockchain-Inspired Attribute-Based Zero-Trust Access Control Model for IoT,” Inf., vol. 14, no. 2, p. 129, Feb. 2023, doi: 10.3390/info14020129.
[3] R. S. Sandhu and P. Samarati, “Access Control: Principles and Practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, Sep. 1994, doi: 10.1109/35.312842.
[4] J. Moffett, M. Sloman, and K. Twidle, “Specifying discretionary access control policy for distributed systems,” Comput. Commun., vol. 13, no. 9, pp. 571–580, Nov. 1990, doi: 10.1016/0140-3664(90)90008-5.
[5] R. S. Sandhu, “Lattice-Based Access Control Models,” Computer (Long. Beach. Calif)., vol. 26, no. 11, pp. 9–19, Nov. 1993, doi: 10.1109/2.241422.
[6] R. S. Sandhu, “Role-based Access Control,” in Advances in computers, vol. 46, Elsevier, 1998, pp. 237–286. doi: 10.1016/S0065-2458(08)60206-5.
[7] V. C. Hu, D. R. Kuhn, and D. F. Ferraiolo, “Attribute-based access control,” Computer (Long. Beach. Calif)., vol. 48, no. 2, pp. 85–88, Feb. 2015, doi: 10.1109/MC.2015.33.
[8] M. Zviran and Z. Erlich, “Identification and Authentication: Technology and Implementation Issues,” Commun. Assoc. Inf. Syst., vol. 17, no. 1, p. 4, 2006, doi: 10.17705/1cais.01704.
[9] M. Penelova, “Access Control Models,” Cybern. Inf. Technol., vol. 21, no. 4, pp. 77–104, Dec. 2021, doi: 10.2478/cait-2021-0044.
[10] J. Park and R. Sandhu, “Towards usage control models: Beyond traditional access control,” in Proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT 2002), New York, NY, USA: ACM, Jun. 2002, pp. 57–64. doi: 10.1145/507721.507722.
[11] S. Kirrane, A. Mileo, and S. Decker, “Access control and the Resource Description Framework: A survey,” Semant. Web, vol. 8, no. 2, pp. 311–352, Dec. 2017, doi: 10.3233/SW-160236.
[12] J. Qiu, Z. Tian, C. Du, Q. Zuo, S. Su, and B. Fang, “A survey on access control in the age of internet of things,” IEEE Internet Things J., vol. 7, no. 6, pp. 4682–4696, Jun. 2020, doi: 10.1109/JIOT.2020.2969326.
[13] F. Cai, N. Zhu, J. He, P. Mu, W. Li, and Y. Yu, “Survey of access control models and technologies for cloud computing,” Cluster Comput., vol. 22, no. S3, pp. 6111–6122, May 2019, doi: 10.1007/s10586-018-1850-7.
[14] M. U. Aftab et al., “Traditional and Hybrid Access Control Models: A Detailed Survey,” Secur. Commun. Networks, vol. 2022, pp. 1–12, Feb. 2022, doi: 10.1155/2022/1560885.
[15] M. U. Aftab et al., “A Hybrid Access Control Model with Dynamic COI for Secure Localization of Satellite and IoT-Based Vehicles,” IEEE Access, vol. 8, pp. 24196–24208, 2020, doi: 10.1109/ACCESS.2020.2969715.
[16] M. Sookhak, F. R. Yu, M. K. Khan, Y. Xiang, and R. Buyya, “Attribute-based data access control in mobile cloud computing: Taxonomy and open issues,” Futur. Gener. Comput. Syst., vol. 72, pp. 273–287, Jul. 2017, doi: 10.1016/j.future.2016.08.018.
[17] V. C. Hu et al., “Guide to attribute based accesscontrol (abac) definition and considerations,” Citeseer, Gaithersburg, MD, Jan. 2014. doi: 10.6028/NIST.SP.800-162.
[18] D. F. Ferraiolo, R. Chandramouli, V. C. Hu, and D. R. R. Kuhn, “A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications,” Gaithersburg, MD, Oct. 2016. doi: 10.6028/NIST.SP.800-178.
[19] Q. M. Rajpoot, C. D. Jensen, and R. Krishnan, “Integrating attributes into role-based access control,” in Data and Applications Security and Privacy XXIX: 29th Annual IFIP WG 11.3 Working Conference, DBSec 2015, Fairfax, VA, USA, July 13-15, 2015, Proceedings 29, Springer, 2015, pp. 242–249. doi: 10.1007/978-3-319-20810-7_17.
[20] Q. M. Rajpoot, C. D. Jensen, and R. Krishnan, “Attributes enhanced role-based access control model,” in Trust, Privacy and Security in Digital Business: 12th International Conference, TrustBus 2015, Valencia, Spain, September 1-2, 2015, Proceedings 12, Springer, 2015, pp. 3–17. doi: 10.1007/978-3-319-22906-5_1.
[21] Y. Xu, W. Gao, Q. Zeng, G. Wang, J. Ren, and Y. Zhang, “A Feasible Fuzzy-Extended Attribute-Based Access Control Technique,” Secur. Commun. Networks, vol. 2018, pp. 1–11, Jun. 2018, doi: 10.1155/2018/6476315.
[22] B. Jiang, Q. He, M. He, Z. Zhai, and B. Zhao, “FACSC: Fine-Grained Access Control Based on Smart Contract for Terminals in Software-Defined Network,” Secur. Commun. Networks, vol. 2023, pp. 1–13, May 2023, doi: 10.1155/2023/6013270.
[23] X. Jin, R. Krishnan, and R. Sandhu, “A unified attribute-based access control model covering DAC, MAC and RBAC,” in Data and Applications Security and Privacy XXVI: 26th Annual IFIP WG 11.3 Conference, DBSec 2012, Paris, France, July 11-13, 2012. Proceedings 26, Springer, 2012, pp. 41–55. doi: 10.1007/978-3-642-31540-4_4.
[24] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli, “Proposed NIST Standard for Role-Based Access Control,” ACM Trans. Inf. Syst. Secur., vol. 4, no. 3, pp. 224–274, Aug. 2001, doi: 10.1145/501978.501980.
[25] J. S. Park, R. Sandhu, and G. J. Ahn, “Role-Based Access Control on the Web,” ACM Trans. Inf. Syst. Secur., vol. 4, no. 1, pp. 37–71, Feb. 2001, doi: 10.1145/383775.383777.
[26] B. Carminati, E. Ferrari, and A. Perego, “Rule-based access control for social networks,” in On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops: OTM Confederated International Workshops and Posters, AWeSOMe, CAMS, COMINF, IS, KSinBIT, MIOS-CIAO, MONET, OnToContent, ORM, PerSys, OTM Academy Doctoral Consortium, RDDS, SWWS, and SeB, Springer, 2006, pp. 1734–1744. doi: 10.1007/11915072_80.
[27] M. A. Al-Kahtani and R. Sandhu, “Induced role hierarchies with attribute-based RBAC,” in Proceedings of the eighth ACM symposium on Access control models and technologies, New York, NY, USA: ACM, Jun. 2003, pp. 142–148. doi: 10.1145/775412.775430.
[28] E. Bertino, P. A. Bonatti, and E. Ferrari, “TRBAC: a temporal role-based access control model,” in Proceedings of the fifth ACM workshop on Role-based access control, New York, NY, USA: ACM, Jul. 2000, pp. 21–30. doi: 10.1145/344287.344298.
[29] E. Uzun et al., “Analyzing temporal role based access control models,” in Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, New York, NY, USA: ACM, Jun. 2012, pp. 177–186. doi: 10.1145/2295136.2295169.
[30] V. Takalkar and P. N. Mahalle, “Trust-Based Access Control in Multi-role Environment of Online Social Networks,” Wirel. Pers. Commun., vol. 100, no. 2, pp. 391–399, May 2018, doi: 10.1007/s11277-017-5078-2.
[31] B. Gwak, J. H. Cho, D. Lee, and H. Son, “TARAS: Trust-Aware Role-Based Access Control System in Public Internet-of-Things,” in Proceedings - 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering, Trustcom/BigDataSE 2018, IEEE, Aug. 2018, pp. 74–85. doi: 10.1109/TrustCom/BigDataSE.2018.00022.
[32] S. Vahabli and R. Ravanmehr, “A novel trust-based access control for social networks using fuzzy systems,” World Wide Web, vol. 22, no. 6, pp. 2241–2265, Nov. 2019, doi: 10.1007/s11280-019-00668-y.
[33] I. Ray, M. Kumar, and L. Yu, “LRBAC: A location-aware role-based access control model,” in Information Systems Security: Second International Conference, ICISS 2006, Kolkata, India, December 19-21, 2006. Proceedings 2, Springer, 2006, pp. 147–161. doi: 10.1007/11961635_10.
[34] M. Uddin, S. Islam, and A. Al-Nemrat, “A Dynamic Access Control Model Using Authorising Workflow and Task-Role-Based Access Control,” IEEE Access, vol. 7, pp. 166676–166689, 2019, doi: 10.1109/ACCESS.2019.2947377.
[35] N. Solanki, Y. Huang, I. L. Yen, F. Bastani, and Y. Zhang, “Resource and Role Hierarchy Based Access Control for Resourceful Systems,” in Proceedings - International Computer Software and Applications Conference, IEEE, Jul. 2018, pp. 480–486. doi: 10.1109/COMPSAC.2018.10280.
[36] T. Y. Lin, “Managing information flows on discretionary access control models,” in Conference Proceedings - IEEE International Conference on Systems, Man and Cybernetics, IEEE, Oct. 2006, pp. 4759–4762. doi: 10.1109/ICSMC.2006.385057.
[37] S. Osborn, R. Sandhu, and Q. Munawer, “Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies,” ACM Trans. Inf. Syst. Secur., vol. 3, no. 2, pp. 85–106, May 2000, doi: 10.1145/354876.354878.
[38] R. Kumar and R. Tripathi, “Scalable and secureaccess control policy for healthcare system using blockchain and enhanced Bell–LaPadula model,” J. Ambient Intell. Humaniz. Comput., vol. 12, no. 2, pp. 2321–2338, Feb. 2021, doi: 10.1007/s12652-020-02346-8.
[39] L. Guo, X. Yang, and W. C. Yau, “TABE-DAC: Efficient Traceable Attribute-Based Encryption Scheme with Dynamic Access Control Based on Blockchain,” IEEE Access, vol. 9, pp. 8479–8490, 2021, doi: 10.1109/ACCESS.2021.3049549.
[40] S. Khare and A. Badholia, “BLA2C2: Design of a Novel Blockchain-based Light-Weight Authentication & Access Control Layer for Cloud Deployments,” Int. J. Recent Innov. Trends Comput. Commun., vol. 11, no. 3, pp. 283–294, Apr. 2023, doi: 10.17762/ijritcc.v11i3.6359.
[41] M. A. Madani, A. Kerkri, and M. Aissaoui, “MC-ABAC: An ABAC-based Model for Collaboration in Multi-Cloud Environment,” Int. J. Adv. Comput. Sci. Appl., vol. 14, no. 6, pp. 1182–1190, 2023, doi: 10.14569/IJACSA.2023.01406126.
[42] J. Luo, H. Wang, X. Gong, and T. Li, “A Novel Role-based Access Control Model in Cloud Environments,” Int. J. Comput. Intell. Syst., vol. 9, no. 1, pp. 1–9, 2016, doi: 10.1080/18756891.2016.1144149.
[43] C. Uikey and D. S. Bhilare, “RBACA: Role-based access control architecture for multi-domain cloud environment,” Int. J. Bus. Inf. Syst., vol. 28, no. 1, pp. 1–17, 2018, doi: 10.1504/IJBIS.2018.091160.
[44] A. Singh, A. Kumar, and S. Namasudra, “DNACDS: Cloud IoE big data security and accessing scheme based on DNA cryptography,” Front. Comput. Sci., vol. 18, no. 1, p. 181801, Feb. 2024, doi: 10.1007/s11704-022-2193-3.
[45] J. Guo, C. Tian, X. Lu, L. Zhao, and Z. Duan, “Multi-keyword ranked search with access control for multiple data owners in the cloud,” J. Inf. Secur. Appl., vol. 82, p. 103742, May 2024, doi: 10.1016/j.jisa.2024.103742.
[46] C. Daudén-Esmel, J. Castellà-Roca, and A. Viejo, “Blockchain-based access control system for efficient and GDPR-compliant personal data management,” Comput. Commun., vol. 214, pp. 67–87, Jan. 2024, doi: 10.1016/j.comcom.2023.11.017.
[47] A. Thakare, E. Lee, A. Kumar, V. B. Nikam, and Y. G. Kim, “PARBAC: Priority-Attribute-Based RBAC Model for Azure IoT Cloud,” IEEE Internet Things J., vol. 7, no. 4, pp. 2890–2900, Apr. 2020, doi: 10.1109/JIOT.2019.2963794.
[48] M. Alam, N. Emmanuel, T. Khan, Y. Xiang, and H. Hassan, “Garbled role-based access control in the cloud,” J. Ambient Intell. Humaniz. Comput., vol. 9, no. 4, pp. 1153–1166, Aug. 2018, doi: 10.1007/s12652-017-0573-6.
[49] R. Zhang, G. Liu, S. Li, Y. Wei, and Q. Wang, “ABSAC: Attribute-based access control model supporting anonymous access for smart cities,” Secur. Commun. Networks, vol. 2021, pp. 1–11, Mar. 2021, doi: 10.1155/2021/5531369.
[50] N. Kaaniche and M. Laurent, “Attribute-based signatures for supporting anonymous certification,” in Computer Security–ESORICS 2016: 21st European Symposium on Research in Computer Security, Heraklion, Greece, September 26-30, 2016, Proceedings, Part I 21, Springer, 2016, pp. 279–300. doi: 10.1007/978-3-319-45744-4_14.
[51] B. Wang, W. Li, and N. N. Xiong, “Time-Based Access Control for Multi-attribute Data in Internet of Things,” Mob. Networks Appl., vol. 26, no. 2, pp. 797–807, Apr. 2021, doi: 10.1007/s11036-019-01327-2.
[52] M. U. Aftab et al., “Negative Authorization by Implementing Negative Attributes in Attribute-Based Access Control Model for Internet of Medical Things,” in Proceedings - 15th International Conference on Semantics, Knowledge and Grids: On Big Data, AI and Future Interconnection Environment, SKG 2019, IEEE, Sep. 2019, pp. 167–174. doi: 10.1109/SKG49510.2019.00036.
[53] S. F. Aghili, M. Sedaghat, D. Singelée, and M. Gupta, “MLS-ABAC: Efficient Multi-Level Security Attribute-Based Access Control scheme,” Futur. Gener. Comput. Syst., vol. 131, pp. 75–90, Jun. 2022, doi: 10.1016/j.future.2022.01.003.
[54] V. Karnatak, A. K. Mishra, N. Tripathi, M. Wazid, J. Singh, and A. K. Das, “A secure signature‐based access control and key management scheme for fog computing‐based IoT‐enabled big data applications,” Secur. Priv., vol. 7, no. 2, p. e353, Mar. 2024, doi: 10.1002/spy2.353.
[55] A. I. Abdi et al., “Hierarchical Blockchain-Based Multi-Chaincode Access Control for Securing IoT Systems,” Electron., vol. 11, no. 5, p. 711, Feb. 2022, doi: 10.3390/electronics11050711.
[56] L. Wu and J. Du, “Designing novel proxy-based access control scheme for implantable medical devices,” Comput. Stand. Interfaces, vol. 87, p. 103754, Jan. 2024, doi: 10.1016/j.csi.2023.103754.
[57] S. Saha, A. K. Das, M. Wazid, Y. Park, S. Garg, and M. Alrashoud, “Smart Contract-Based Access Control Scheme for Blockchain Assisted 6G-Enabled IoT-Based Big Data Driven Healthcare Cyber Physical Systems,” IEEE Trans. Consum. Electron., pp. 1–1, 2024, doi: 10.1109/TCE.2024.3391667.
[58] S. Long and L. Yan, “RACAC: An Approach toward RBAC and ABAC Combining Access Control,” in 2019 IEEE 5th International Conference on Computer and Communications, ICCC 2019, IEEE, Dec. 2019, pp. 1609–1616. doi: 10.1109/ICCC47050.2019.9064301.
[59] M. U. Aftab et al., “Permission-Based Separation of Duty in Dynamic Role-Based Access Control Model,” Symmetry (Basel)., vol. 11, no. 5, p. 669, May 2019, doi: 10.3390/sym11050669.
[60] J. Huang, D. M. Nicol, R. Bobba, and J. H. Huh, “A framework integrating attribute-based policies into role-based access control,” in Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, New York, NY, USA: ACM, Jun. 2012, pp. 187–196. doi: 10.1145/2295136.2295170.
[61] “OWASP Top Ten.” Accessed: Jun. 26, 2024. [Online]. Available: https://owasp.org/www-project-top-ten/[62] M. Mehmood, R. Amin, M. M. A. Muslam, J. Xie, and H. Aldabbas, “Privilege Escalation Attack Detection and Mitigation in Cloud Using Machine Learning,” IEEE Access, vol. 11, pp. 46561–46576, 2023, doi: 10.1109/ACCESS.2023.3273895.
[63] E. Almushiti, R. Zaki, N. Thamer, and R. Alshaya, “An Investigation of Broken Access Control Types, Vulnerabilities, Protection, and Security,” in International Conference on Innovation of Emerging Information and Communication Technology, Springer, 2023, pp. 253–269. doi: 10.1007/978-3-031-53237-5_16.
[64] T. Xu, L. Jin, X. Fan, Y. Zhou, S. Pasupathy, and R. Talwadker, “Hey, you have given me too many knobs!: Understanding and dealing with over-designed configuration in system software,” in Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, 2015, pp. 307–319. doi: 10.1145/2786805.2786852.
[65] T. Xu and Y. Zhou, “Systems approaches to tackling configuration errors: A survey,” ACM Comput. Surv., vol. 47, no. 4, pp. 1–41, 2015, doi: 10.1145/2791577.
[66] E. Bertin, D. Hussein, C. Sengul, and V. Frey, “Access control in the Internet of Things: a survey of existing approaches and open research questions,” Ann. des Telecommun. Telecommun., vol. 74, no. 7–8, pp. 375–388, Aug. 2019, doi: 10.1007/s12243-019-00709-7.
[67] S. H. Hashemi, F. Faghri, and R. H. Campbell, “Decentralized User-Centric Access Control using PubSub over Blockchain,” arXiv Prepr. arXiv1710.00110, Sep. 2017, [Online]. Available: http://arxiv.org/abs/1710.00110
[68] K. Istiaque Ahmed, M. Tahir, M. Hadi Habaebi, S. Lun Lau, and A. Ahad, “Machine Learning for Authentication and Authorization in IoT: Taxonomy, Challenges and Future Research Direction,” Sensors, vol. 21, no. 15, p. 5122, Jul. 2021, doi: 10.3390/s21155122.
[69] S. Aboukadri, A. Ouaddah, and A. Mezrioui, “Machine learning in identity and access management systems: Survey and deep dive,” Comput. Secur., vol. 139, p. 103729, Apr. 2024, doi: 10.1016/j.cose.2024.103729.
[70] L. Zhang et al., “ACFIX: Guiding LLMs with Mined Common RBAC Practices for Context-Aware Repair of Access Control Vulnerabilities in Smart Contracts,” arXiv Prepr. arXiv2403.06838, Mar. 2024, [Online]. Available: http://arxiv.org/abs/2403.06838