Relationship-based access control: More than a social network access control model

In a computer system, access control refers to the mechanisms the system use to decide whether to grant or reject access to its resources. Access control decisions in social media services, such as Facebook, Twitter, Research Gate, or LinkedIn, are determined in large part by policies that can be described in terms of the relationships among the individuals potentially affected by the decision. The premise behind a larger interest in Relationship-based Access Control (ReBAC) is that besides social media services, social and other forms of relationships can be an effective abstraction for describing and implementing access control policies. The aim of this paper is to present an overview of ReBAC from the point of view of the types of policies that have motivated the access control research community to develop different ReBAC systems. We also review and reflect on what it would take to implement and administer an ReBAC system.