On the application of fuzzy set theory for access control enforcement

Abstract

Access control is a vital part of any computer system. When it comes to access to data, deterministic access control models such as RBAC are still widely used today, but they lack the flexibility needed to support some recent scenarios. These include scenarios where users and data can be dynamically added to a system, which emerged from IoT and big data contexts. Such scenarios include data from network operators, smart cities, etc. Thus, models that are able to adapt to these dynamic environments are necessary. Non-deterministic access control models fall into this approach, as they introduce new ways of mapping users to permissions and resources, but lack the auditing capabilities of deterministic models. In this paper, the usage of these models will be defended and argued for. In particular, a solution based on fuzzy set theory is proposed as it is thought to be able to provide some flexibility benefits of non-deterministic models, while giving some assurance to security experts that the resources are not accessed by unexpected users.