MANDATORY ROLE-CENTRIC ATTRIBUTE-BASED ACCESS CONTROL MODEL FOR LARGE-SCALE INFORMATION SYSTEMS

Authors

  • D. O. Larin, General of the Army S.M. Shtemenko Krasnodar Higher Military School
  • R.I. Zaharchenko, General of the Army S.M. Shtemenko Krasnodar Higher Military School
  • S.A. Dichenko, General of the Army S.M. Shtemenko Krasnodar Higher Military School

DOI:

https://doi.org/10.18522/2311-3103-2026-1-%25p

Keywords:

Attribute-based access control, role-based access control, mandatory access control, access control model, MRABAC, confidentiality, availability

Abstract

As national-scale information systems develop rapidly and evolve into digital ecosystems, new requirements are imposed on securing the information processed within them. These requirements include improving information availability in user access management while maintaining the required level of confidentiality, and making resource access decisions based on multiple factors. To meet these requirements, numerous compositional access control models based on roles and attributes have been proposed, which have resolved several pressing issues while maintaining administrative convenience and providing flexibility and scalability without role explosion. However, the known models still have a significant limitation: they cannot be used in information systems where high-sensitivity data is processed. The aim of the study is to develop, within the framework of the subject-object approach methodology in information security theory, a new mandatory role-centric attribute-based access control (MRABAC) model, together with its formal description using the mathematical apparatus of automata theory. The model enables dynamic prevention of unauthorized information flows from high-confidentiality objects to low-confidentiality objects while the permission set assigned to a role is being restricted. It does so by implementing mandatory access control through a separate attribute-based policy, while preserving the ability to give users fine-grained access based on contextual attributes. The model may be particularly useful in large-scale information systems where information of various confidentiality levels is processed simultaneously and where, due to operational characteristics, attribute-based access control is necessary.

Published

2026-02-27

Section

SECTION II. DATA ANALYSIS, MODELING AND CONTROL