Skip to Main Content
The concept of risk-based adaptive access control (RAdAC, pronounced Raid-ack) has been recently introduced in the literature. It seeks to automatically (or semi-automatically) adjust security risk for providing access to resources accounting for operational needs, risk factors and situational factors. In order to make progress in this arena we need abstract models analogous to those that underlie the sustained and successful practice of discretionary, mandatory and role-based access control. Such models define a formal structure and components for policy specifications, while allowing for a variety of enforcement architectures and detailed implementation. In this paper we develop a novel approach to capture these characteristics of RAdAC using attribute-based access control. We further show that this RAdAC model can be expressed in the UCON usage control model with suitable extensions, and discuss how other UCON elements not used in this construction could beneficially improve the RAdAC vision.