Attribute-based access control (ABAC) models are widely used to provide fine-grained and adaptable authorization based on the attributes of users, resources, and other relevant entities. Hierarchial group and attribute based access control (HGABAC) model was recently proposed which introduces the novel notion of attribute inheritance through group membership. GURAG was subsequently proposed to provide an administrative model for user attributes in HGABAC, building upon the ARBAC97 and GURA administrative models. The GURA model uses administrative roles to manage user attributes. The reachability problem for the GURA model is to determine what attributes a particular user can acquire, given a predefined set of administrative rules. This problem has been previously analyzed in the literature. In this paper, we study the user attribute reachability problem based on directly assigned attributes of the user and attributes inherited via group memberships. We first define a restricted form of GURAG, called rGURAG scheme, as a state transition system with multiple instances having different preconditions and provide reachability analysis for each of these schemes. In general, we show PSPACE-complete complexity for all rGURAG schemes. We further present polynomial time algorithms to solve special instances of rGURAG schemes under restricted conditions.

翻译：基于属性的出入控制模式(ABAC)被广泛用来根据用户、资源和其他相关实体的属性提供细微的和可调整的授权。最近提出了基于等级的集团和属性的入口控制模式(HGABAC),其中引入了通过群体成员身份的属性继承的新概念。后来又提议GURAG为HGABAC的用户属性提供一个行政模式,以ARBAC97和GURA的行政模式为基础。GURA模式利用行政作用管理用户属性。GURA模式的可访问性问题在于根据一套预先界定的行政规则确定特定用户的属性。这个问题以前已在文献中分析过。我们在本文件中,我们研究了基于用户直接分配的属性和通过群体成员身份继承的属性的用户属性的可归属问题。我们首先界定了GURAG的限制性形式,称为RGURAG办法,作为具有不同先决条件的多种情况的国家过渡系统,并为这些办法中的每一种办法提供可访问性分析。我们一般地表明,所有REACE的用户可获得性是所有RGURAG计划的精密性。我们根据特殊时间框架将限制的磁测算。