Enhancing the Wordpress System: from Role to Attribute-Based Access Control

Lifeng Cao; Jia Ying Ou; Amirhossein Chinaei

doi:10.5121/ijnsa.2019.11301

Volume 11, Number 3

Enhancing the Wordpress System: from Role to Attribute-Based Access Control

Authors

Lifeng Cao, Jia Ying Ou and Amirhossein Chinaei, York University, Canada

Abstract

Role-Based Access Control (RBAC) is the most commonly used model on web applications. The advantages of RBAC are the ease of understanding, applying and managing privileges. The static RBAC model cannot alter access permission in real-time without human involvement and therefore the model suffers from increasing false negative (and/or false positive) outcomes. Hence, the Attribute-Based Access Control (ABAC) model has been proposed to introduce dynamicity and minimize human involvement in order to enhance security. WordPress is a very popular Role-Based content management system. To our best knowledge, no solution to merge from RBAC to ABAC model for WordPress applications has been found. Our contribution is a WordPress plug-in that we have developed to build ABAC upon the existing RBAC setups. In this journey, we have investigated various scenarios by studying different application categories to come up with an enhanced automatic model that adds real-time grant and revoke feature to WordPress

Keywords

Role-Base-Access-Control, Attribute-Base-Access-Control, WordPress, Content Management, Security