• ABAC
• Access Control
• Blockchain
• Distributed Ledger Technology
• Ethereum
• SSI
• XACML

Access Control systems are widely used for safeguarding resources, such as sensitive data or critical services, by regulating who can access them and under what conditions. In this thesis, we propose an advancement to traditional access control systems by integrating them with the innovative Self-Sovereign Identity paradigm. Self-Sovereign Identity (SSI) revolutionizes identity management by granting individuals complete control over their digital identities and data, free from centralized authorities. This model empowers users to securely and autonomously manage and present their identity attributes to third parties, fostering privacy, security, and trust in digital interactions. SSI utilizes decentralized technologies like blockchain to enable individuals to create, own, and manage their digital identities independently. By eliminating reliance on centralized entities, SSI enhances privacy protection, reduces the risk of identity theft, and promotes interoperability across various platforms and services. Ultimately, SSI empowers individuals to assert their identities confidently in the digital world. This thesis introduces a novel model that combines Access Control with Self-Sovereign Identity principles to enable Attribute-Based Access Control (ABAC) for decentralized identities. ABAC is a method of regulating access to resources based on the attributes associated with the entity requesting access, so potentially beyond their sole identity information. ABAC offers greater flexibility and granularity in access control compared to traditional methods. It allows organizations to define complex access policies that consider a wide range of attributes, making access decisions more context-aware and adaptive to changing circumstances.
The key point of the proposed approach is that it leverages the verifiable presentations (VPs) concept from SSI for defining the user attributes that are taken into account by the access control system to make access decisions.
VPs enable secure and tamper-proof presentation of attributes without revealing unnecessary personal information. This ensures that only relevant and necessary attributes are disclosed during access requests, preserving user privacy while still allowing for effective access control. To implement our proposal, we extend the widely adopted eXtensible Access Control Markup Language (XACML) standard. XACML is a standard defining a policy language used to express access control rules and conditions, as well as a reference architecture to enforce such policies. Our extension allows the resource provider to specify, within the Access Control policy, which issuers (entities that issue verifiable credentials) and claims (pieces of information about the subject) are considered trusted for deriving the subject attributes required for policy evaluation. This enhances the flexibility and interoperability of our solution, as it can accommodate a variety of identity providers and credential types. Furthermore, we present a prototype implementation of our proposal, demonstrating how the distributed ledger can be integrated with the Access Control system to support the verification and extraction of attributes from VPs.
In the last part of this thesis, we provide an evaluation of the performance of our solution, assessing its efficiency and scalability, and discuss the advantages and limitations of our proposal compared to traditional Access Control solutions. By combining Access Control with Self-Sovereign Identity principles and leveraging verifiable presentations and distributed ledger technology, our proposed model offers enhanced security, privacy, and user control over their own data, paving the way for more secure and decentralized systems in the digital age.