CaACBIM: A Context-aware Access Control Model for BIM

Abstract

A building information model (BIM) is of upmost importance with a full life-time cycle in architecture engineering and construction industry. Smart construction relies on BIM to manipulate information flow, data flow, and management flow. Currently, BIM has been explored mainly for information construction and utilization, but there exist few works concerning information security, e.g., audits of critical models and exposure of sensitive models. Moreover, few BIM systems have been proposed to make use of new computing paradigms, such as mobile cloud computing, blockchain and Internet of Things. In this paper, we propose a Context-aware Access Control (CaAC) model for BIM systems on mobile cloud architectures. BIM data can be confidentially accessed according to contexts in a fine-grained manner. We describe functions of CaAC formally by illustrating location-aware access control and time-aware access control. CaAC model can outperform role-based access control for preventing BIM data leakage by distinguishing contexts. In addition, grouping algorithms are also presented for flexibility, in which basic model (user grouping based on user role permissions) and advanced model (user grouping based on user requests) are differentiated. Compared with the traditional role-based access control model, security and feasibility of CaAC are remarkably improved by distinguishing an identical role with multiple contexts. The average efficiency is improved by $2n/(2n-p-q)$, and time complexity is $O\left(n\right)$.

1. Introduction

BIM (Building Information Model) has been envisioned as a key approach for smart construction, such as construction automation, construction supply chain management, building information exchange, and building data sharing [1,2]. BIM can provide a uniform presentation, data framework, and organizing architecture to enable Information and Communication Technology (ICT) to manage the full life-time information of a building in smart construction. BIM information can be accessed to facilitate engineering procedures such as design, construction, maintenance, re-construction, and even destruction [3,4,5].

The recent ICT architecture for BIM applications is usually traditional client/server mode or single work station mode. It is worth noting that mobile cloud computing becomes pervasive in current personal computing. For example, cloud servers provide storage for the large volume of BIM data, which can be accessed remotely. Mobile computing devices help designers, monitors, construction workers or suppliers access BIM information in cloud servers, any time and anywhere. The BIM cloud can greatly shorten information accessing delay, and make BIM information available to all demanders. In other words, mobile cloud architecture allows BIM information to be pervasively accessible, and is scalable for a large number of users.

However, access control of BIM data is subtle in mobile cloud environment. For example, consider entities in a construction project as follows: owners of a bank building are members of a bank company; designers are engineers in design institute; contractors are managers in contracting companies; and builders are workers of construction companies. They may access BIM information with different privileges. Even for the same information and entity, the privileges may be different at various times or locations, as, in mobile cloud, access may occur any-time any-where.

RBAC (role based access control) is mainstream model in current access control research [6,7,8,9], in which roles are assigned to each user. When the number of users grows, the management complexity obviously increases. Besides, RBAC may be inflexible due to the restriction of user’s login authority. Mobile cloud for BIM provides the convenience of information access, but it also raises several security issues [10,11,12].

Access control for critical and sensitive BIM data presents the following challenges: (1) Users are mobile and access may be any-time, thus requiring a more efficient and secure enhancement in access control mechanism. (2) When the number of users is much larger than that in traditional RBAC, it experiences difficulties in scalability assigning each user privileges. (3) An attack is possible in which the credential of a role is leaked, whether due to intentional attacks or unintentional mistakes and random failure.

To tackle the above challenges, in this paper, we propose a Context-aware access control model called CaAC for BIM data auditing in mobile cloud BIM architecture. CaAC can support many users with fewer roles. Although the number of roles is decreased, CaAC can guarantee access control within the same role by differentiating contexts, which provides fine-grained control. We group users and user groups are granted roles. The contributions of the paper are listed as follows:

• We propose a Context-aware Access Control mechanism (CaAC) to guarantee pervasive access control in mobile cloud paradigm that provides scalable storage and fast retrieval.
• We propose a user grouping method to improve scalability and efficiency. We also propose an authentication scheme by dynamic electronic signature to reduce the aggressiveness of role leakage attacks.

The rest of the paper is organized as follows. Section 2 gives an overview of the relevant previous work. In Section 3, we propose the mobile cloud BIM architecture. Section 4 analyzes access control problems, and presents the detailed description of our proposed methods and algorithms. In Section 5, we evaluate the security and performance of CaAC model. Finally, Section 6 concludes the paper.

2. Related Work

BIM model is largely used in smart construction and sustainable buildings. Ren et al. [13] discussed BIM model for sustainable construction, such as energy saving, pollution reduction, costs saving and construction efficiency. BIM-based design method for energy efficiency was discussed by Yoon et al. [14]. They proposed a BIM-based system that can be scheduled to be built by reducing the amount of energy. Vozzola et al. [15] described a practical application of BIM in construction processes. Kokorus et al. [16] suggested using BIM software to shorten project time and costs for improving efficiency and accuracy in substation design.

Some works discuss BIM with other ICT to enhance smart construction. Wang et al. [17] explored the real-time communication and integration of BIM into site and task conditions. They proposed to use Augmented Reality (AR) to visualize BIM data in the physical context of each construction activity or task. Garcia-Fernandez et al. [18] focused on semantic enrichment process of models, especially in the field of cultural heritage. They discussed different approaches on HBIM generation: from 3D point cloud data collection to semantically enriched parametric models. Bottaccioli et al. [19] proposed a software architecture for the management of energy behaviors in buildings that integrates data such as BIM, IoT, GIS (Geographical Information System), and meteorological services. Their system allows real-time visualization of energy consumption and builds performance evaluation, through energy modeling and simulation, by exploiting data from the field and real weather conditions. Pasini et al. [20] defined a digitally enabled framework for operating cognitive buildings by exploiting IoT and BIM.

Recently, Desogus et al. [21] proposed a sensor-based plan for monitoring indoor thermo-hygrometric conditions, and defined a set of interventions, which should be compatible with building preservation issue and oriented at improving its energy performance. They adopted a cognitive building concept and then applied it to the icon building at the University of Cagliari Campus called “Mandolesi Pavilion”. Arslan et al. [22] developed a prototype system using Hadoop for data storage and processing. The results of processing BIM and sensor data in a Hadoop architecture demonstrate that the system can effectively provide data visualizations to facility managers. Building Life Cycle Assessment (BLCA) of energy consumption is an important issue in the field of sustainable development and green building. Yuan et al. [23] summarized the features of Building Life Cycle Energy Consumption (BLCEC) data. They also proposed the method of information exchange and integration management by BIM, and utilized cloud computing technology to achieve wide-area BLCEC data management. As part of a larger, modular and extensible framework, the application of Linked Data View (or Semantic View) was introduced by Ferguson et al. [24]. Their framework provides a method to automatically query, understand BIM instances and convert them into linked data to support more accurate decision-making.

Regarding BIM application potential, Ding et al. [25] proposed a BIM application framework, which describes the process of expanding from 3D to computable nD. Dawood et al. [26] proposed to integrate between BIM and Genetic Algorithm (GA) for reaching the minimum LCC. BIM is the simulation tool to generate the building design and dynamical analysis for the energy consumption of houses. According to the measures and characteristics of BIM barriers in China, Pan et al. [27] drafted a road map for the adoption and application of BIM in China. Mohd et al. [28] discussed the application of BIM in architectural planning. BIM was used to conduct semi-structured interviews with customers. The interviews revealed the necessity and benefits of BIM implementation in construction planning, as well as the challenges faced by customers in implementing BIM. Ferreira et al. [29] used a simplified method, combining the location information generated by interaction between beacon propagation signals and mobile device sensors (accelerometers and gyroscopes) with local building information to provide real-time positioning and guidance for users in buildings.

We observe that some upcoming computing paradigms are promising to be integrated with BIM system as a new architecture, such as mobile cloud computing, blockchain, and Internet of Things. However, the marriage of them with BIM has been explored by few related works. The hand-held devices such as smart phones and tablet computers have already been pervasively used as an ordinary computing tool for many engineers. Those devices perform as convenient productivity tools, because hardware capabilities grow sufficiently powerful, and more productivity applications are available at application stores. The work on the marriage between mobile cloud and BIM model is few. Betarte et al. [30] proposed a framework—ACTkit—for the definition and enforcement of dynamic access control. Their work is independent of ours.

3. Problem Formulation

3.1. System Model

The main weakness in security for current BIM are as follows: The access control of BIM data is not fine-grained. BIM data can be accessed by roles, but same roles may have different privileges for the same subject. In addition, with the development of pervasive data sharing in BIM data, access control becomes more critical because some data may not be accessible to the same role in different contexts, e.g., times or locations. For some sensitive buildings, such as cross-sea bridges and critical infrastructures, it is necessary to carry out fine-grained access control of BIM data.

Five basic elements are concerned: users, roles, objects, operations and permissions. At least one permission is assigned to each role, and at least one role is assigned to each user. The same access rights can be assigned to different roles. Users and roles are many-to-many, which means users can have different roles in different scenarios. For example, a project manager can also be a designer. Certainly, a role can be given to multiple users. The separation of user and role can make authorization be more flexible. Roles and permissions are also many-to-many, which means roles can have multiple rights and the same right can be delegated to multiple roles. RBAC refers to the association of a user with permissions through roles, where a user has multiple roles and each role has multiple permissions. In this way, an authorization model such as user–role–permissions is built. In this model, ordinary people have many-to-many relationships between users and roles, as well as roles and permissions.

When the number of users is large, it is cumbersome to give each user authorization (to delegate roles) one by one. Thus, we consider organizing multiple users in one group, and authorizing users by authorizing groups. As a result, all permissions that a user possesses consist of permissions possessed by the user personally and permissions possessed by the user group. The model is shown in Figure 1, and the specification is discussed in details in the following.

In addition, we propose two models on grouping rules: basic model and advanced model. In the basic model, grouping is based on user’s privileges. That is, the user knows the privileges upon login. Once the basic model is not sufficiently flexible, the advanced model is proposed in which grouping corresponds to context requests.

It is worth stressing that the main difference between a role and a user group is that a user group is a group of users, instead of a group of permissions. In contrast, a role is a group of users and permissions, and it indeed connects two groups as a mediation. In a system where permissions and members of a user group can only be modified by system administrator, user grouping mechanism is very similar to role mechanism. Roles can also be implemented based on user groups, in which a role links to the privileges of the user group.

3.2. Adversary Model

In this section, we pinpoint three potential weaknesses that could be exploited by adversaries as follows: role credential leakage, administrator compromise, and a mismatch between the number of users and roles.

The role’s credential may be disclosed, whether it is an intentional attack, an unintentional error, or a random failure. Attackers can impersonate designated roles to obtain unauthorized permissions by obtaining the credentials, e.g., a login password.

During the grouping process, all user groups are grouped by administrators. We assume that administrators may be compromised. As a result, attackers can be included into any groups they want to join. Although it is difficult in reality, it is preferable to assume stronger adversary for better security.

We observe that, in the BIM model, the number of users may be much larger than the number of roles, thus mismatch exists between them. This mismatch leads to potential risks for BIM models. For example, some critical models (e.g., architecture, construction, and infrastructure data) may be revealed by unintended users and exposed to potential attackers that intend to access data illegally.

4. Proposed Scheme

4.1. Context-Aware Access Control

As BIM data are stored in cloud servers, the data may be accessed by requestors, or be updated by corresponding users who are responsible to the information. A secure data management issue thus arises: access control for the BIM data in cloud servers.

The access control has been explored for many years, and the mechanism becomes mature in traditional ICT domains. For example, RBAC is a typical one in which access rights are controlled according to requestor’s roles. The data have different access rights, such as read, write, and execute (if applicable), and a user is assigned one role or multiple roles, corresponding to access rights to specified data. The key advantage of RBAC access control mechanism is that it can support a large number of users within much fewer roles and access control tables can be created easily. Furthermore, assigning rights to roles is more flexible than assigning rights to users directly. For example, if the right for accessing certain data is changed for a user, it can be done easily by changing the role of the user to another role.

We observe that the number of roles in BIM system context is usually rare. There exist four main roles in the BIM model:

• Host: It represents investors for a building construction.
• Designer: It represents building devisers or revisers.
• Constructor: It represents executive and concrete builders of the building.
• Supplier: It represents material providers for the constructors.

It is straightforward to deploy RBAC to facilitate access control in BIM. However, we observer that the numbers of users and subjects in terms of BIM models are usually large but the number of roles is usually small, thus there exists a mismatch between them. Such mismatch will induce certain risks of BIM model breach. Besides, passwords for designated roles may be incidentally exposed or hacked by attackers intentionally. As there are much fewer roles are than users, it may not be flexible to change the accessing privileges of a role. (It will influence all users in this role.) To tackle these problems, we propose incorporating the context information along roles in access control for BIM in the following.

We list certain major notations used in the remainder of the paper in Abbreviations.

For better understanding and emphasis, we induce the following notation.

Definition 1.

Role Revealing Attack (RRA). It works for leaking the credential of a role, whether by intentionally attack, or by unintentionally mistakes and random failure.

Next, we present our access control model.

Definition 2.

User (U): It represents users who will access BIM data.

Definition 3.

User ($UG$): It represents user groups who will access BIM data.

Definition 4.

Subject (S): It represents data in BIM servers awaiting for accessing.

Definition 5.

Role (R): It represents a title with an authority level for accessed subject.

Definition 6.

Operation (O): It represents the operating right for an accessed subject, for example, read, write, execute, and so on.

Definition 7.

Permission (P): It represents the operation combinations for an accessed subject.

Definition 8.

Subject Assignment ($SA$): A subject is assigned to a role.

Definition 9.

Permission Assignment ($PA$): A permission is assigned to a role.

Definition 10.

User Assignment ($UA$): A user is assigned to a role.

Definition 11.

User Group Assignment ($UGA$): A user group is assigned to a role.

Definition 12.

Context (C): The extra condition for regulating the access permission for a role with respect to a subject.

We propose a Context-aware RBAC called CaAC model as follows:

• $UA\subseteq U\times R,$ where $UA$ is a user assignment relation; U is a set of users; and R is a set of roles. The user assignment is a relation of users and roles. A user may possess multiple roles and a role may be possessed by multiple users.
• $UGA\subseteq UG\times R,$ where $UGA$ is a user group assignment relation; $UG$ is a set of user groups; and R is a set of roles. The user assignment is a relation of user groups and roles. A user group may possess multiple roles and a role may be possessed by multiple groups.
• $\mathsf{AssignedUser}(·):r\in R\to 2^U.$$\mathsf{AssignedUser}(·)$ is a function to describe user assignment ($UA$) procedure. It is a function from R to $2^U$, which means a role is assigned to a user or multiple users. $2^U$ is a set of sets in which elements are users. It cannot be onto, as some users may not be an image of a role. It can be one-to-one, as some users may be an image of multiple roles. It is a function, as one role can only map to one set of users.
• $\mathsf{AssignedUsergroup}(·):r\in R\to 2^{UG}.$$\mathsf{AssignedUser}(·)$ is a function to describe user group assignment ($UGA$) procedure. It is a function from R to $2^{UG}$, which means a role is assigned to a user group or multiple user groups. $2^{UG}$ is a set of sets in which elements are user groups. It cannot be onto, as some user groups may not be a image of a role. It can be one-to-one, as some user groups may be a image of multiple roles. It is a function, as one role can only map to one set of user groups.
• $\mathsf{AssignedUser}\left(r\right)=\{u\in U|(u,r)\in UA\}.$ It is a set of users for a given role. It can also be seen as the range of function $\mathsf{AssignedUser}(·)$ for given r. That is, they are all users who are assigned a given role r. The range of the function is all $u\in U$ where $(u,r)\in UA.$
• $\mathsf{AssignedUsergroup}\left(r\right)=\{ug\in UG|(ug,r)\in UGA\}.$ It is a set of user groups for a given role. It can also be looked as the range of function $\mathsf{AssignedUsergroup}(·)$ for given r. That is, they are all user groups who are assigned a given role r. The range of the function is all $ug\in UG$ where $(ug,r)\in UGA.$
• $P=2^O,$ where P is a set of permissions and O is a set of operations such as read, write, and execute. P is a set of sets in which elements are operations.
• $PA\subseteq P\times R,$ where $PA$ is a permission assignment relation. $PA$ means a relation of permission set P and role set R.
  Instead, $P{A}_c\subset P\times R\times C.$ A permission is assigned to a combination of R and C. The $R\times C$ can define a proper permission for the further access. Roughly speaking, when and only when the specification of role and that of context are both guaranteed, assigned permission will be possessed.
  Note that, this part is only for CaAC, but the traditional RBAC is the previous one. This presentation way can point out the distinction between two methods.
• $\mathsf{AssignedPermission}(·):r\in R\to 2^P,$ where $\mathsf{AssignedPermission}(·)$ is a function to assign a permission or multiple permissions to a role.
  Instead, $\mathsf{AssignedPermission}(·):r\in R\times c\in C\to 2^P,$ where $\mathsf{AssignedPermission}(·)$ is a function to assign a permission to a combination of role and context. Note that, when and only when the specification of role and that of context are both satisfied, the permission will be possessed.
• $\mathsf{AssignedPermission}\left(r\right)=\{p\in P|(p,r)\in PA\}.$ It is a set of privileges for a given role. It can also be looked as the range of function $\mathsf{AssignedPermission}(·)$ for a given inputting. The range of the function for a given r is all $p\in P$ where $(p,r)\in PA.$
  Instead, $\mathsf{AssignedPermission}(r,c)=\{p\in P|(p,r,c)\in P{A}_c\}.$ It describes the range of function $\mathsf{AssignedPermission}(·)$ for given r and c. The range of the function is all $p\in P$ where $(p,r,c)\in P{A}_c.$
• $\mathsf{UserSubjects}(·):u\in U\to 2^S,$ where U is a set of users and S is a set of subjects.
• $\mathsf{SubjectRoles}(·):s\in S\to 2^R,$ where S is a set of subjects and R is a set of roles.
• $\mathsf{SubjectRolesContexts}(·):s\in S\to 2^R\times 2^C,$ where S is a set of subjects, R is a set of roles, and C is a set of context.
• ${\bigcup }_{r\in \mathsf{SubjectRoles}\left(s\right)}\mathsf{AssignedPermision}\left(r\right).$ This set includes all permissions of the roles that can access the subject s. That is, all permissions for the subject s.
• ${\bigcup }_{r,c\in \mathsf{SubjectRolesContexts}\left(s\right)}\mathsf{AssignedPermision}(r,c).$ This set includes all permissions of the roles that can access the subject s in all related context. That is all permissions for the subject s.
• $\mathsf{creatnewUG}(·)$: This is a function to create a new user group. When it is found that the original user group does not meet the use requirements, a new user group (UG) is created.

4.2. Constraint Condition

In this section, we propose some constraints based on above basic model.

• $\mathsf{Constrain}\left(1\right)=\{\forall (P_i,R_i,C_i)\in P{A}_c\bigwedge (P_j,R_j,C_j)\in P{A}_c|P_i\ne P_j\}.$ To ensure that access privileges between different roles in BIM data are mutually exclusive, mapping relationship between roles and privileges in CaAC presents following constraints: identical access authorization is not allowed to be assigned to different roles.
• $\mathsf{Constrain}\left(2\right)=\{\exists U_a\in U{G}_1\bigwedge U_b\in U{G}_1\bigwedge P_a\subset P_b|P_{UG}=P_a\}.$ To improve security, the principle for minimum permissions is adopted. If there exists conflict in member permissions within the same user group (role), then the minimum permissions are adopted.
• $\mathsf{Constrain}\left(3\right)=\{\exists U_a\in U{G}_1\bigwedge U_b\in U{G}_1\bigwedge P_a\wedge P_b=\varphi |creatnewUG(.)\}.$ User A and User B are compared with other user groups. If the inclusion relationship or equivalent relationship still does not exist, then a new user group will be created, and User A or User B will be placed in the new user group.
• $\mathsf{Constrain}\left(4\right)=\{\exists U_a\in U{G}_1\bigwedge U_a\in U{G}_2|P_a=P_{UG1}+P_{UG2}\}.$ To ensure that the number of permissions does not decrease after grouping, if a user belongs to more than one user groups, the user’s permissions are set to a union of permissions in the user groups.
• To ensure fair grouping of multiple users, when a new user requests accessing, administrators will be aware of all members in the original user group, and processes properly according to above policies.

4.3. Proposed Authorization Rules

Rules for basic model: When a user initiates an request to access BIM data, servers firstly obtain the permissions of the user according to users and permissions mapping table. Secondly, the user is added to corresponding user groups based on permissions. In addition, the user’s permissions are also added to the user group’s permissions. However, if there exists no permission relationship between the user and others, a new user group is immediately created. The next step is granting roles to the user group which activates by launching a session. When the user requests to access BIM data again, the permissions are assigned according to the roles of the user group. Finally, servers compare the user’s requirements with permissions, and determine whether the requirements are satisfied. Access is allowed if they are satisfied, otherwise access is not allowed.

Rules for advanced model: When a user initiates a request to access BIM data, servers firstly obtain the requirements of the user according to corresponding contexts. Secondly, the user is added to the corresponding user groups based on requirements. In addition, the user’s permissions are also added to the user group’s permissions. However, if there are no requirements relationships between the user and others, a new user group is immediately created. The next step is granting roles to the user group that activates by launching a session. When the user requests access to the BIM data again, the permissions are assigned according to the roles of the user group. Finally, servers compare the user’s requirements with permissions, and determine whether the requirements are satisfied. Access is allowed if they are satisfied, otherwise access is not allowed. Besides, to defend against RRA, we propose using dynamic electronic signature in advanced model.

4.4. Proposed Algorithms

In this section, we present our algorithms to achieve the above Context-aware and user grouping access control model. Although our model can formally specify the rationale in access control mechanisms, these proposed algorithms can facilitate the understanding of programmers in their implementations. In addition, some source codes have been deposited in [IEEE DATAPORT] repository.

The basic model assumes that user grouping is based on the user’s privileges. In other words, users know privileges at the beginning of the login. The basic model can control different users to access fine-grained data, and improve the efficiency of the traditional RBAC model as well. The specification is shown in Algorithm 1.

Algorithm 1 Groups users according to initial user login privileges.

Input:$P_i,P_j,U_i,U_j,$ Output:$U_i\in U{G}_j,U_j\in U{G}_i,U_i\in U_{ij}and{U}_j\in U_{ij}$ while$P_i\wedge P_j\ne \varphi$do if$P_i<P_j$ $P_{Uj}=P_{UGj}\Leftarrow P_{Ui}$ $result\Leftarrow U_i\in U{G}_j$ if$P_i>P_j$ $P_{Ui}=P_{UGi}\Leftarrow P_{Uj}$ $result\Leftarrow U_j\in U{G}_i$ if$P_i=P_j$$creatnewUG(.)$ $P_{UGij}\Leftarrow P_{Ui}=P_{Uj}$ $result\Leftarrow U_i\in U_{ij}and{U}_j\in U_{ij}$ return$result$ end while

The basic model may not be sufficiently flexible. Once user privileges have changed, the corresponding roles need to be modified. We propose advanced model that groups rules according to contexts (e.g., time and location) to guarantee the flexibility of grouping. Besides, advanced model defends against RRA. We propose an authentication scheme by dynamic electronic signature. The main idea is described in Algorithm  2 that groups users according to contexts (e.g., time and location).

Algorithm 2 Groups users according to contexts.

Input:$Re{q}_i,Re{q}_j,U_i,U_j,$ Output:$U_i\in U{G}_j,U_j\in U{G}_i,U_i\in U_{ij}and{U}_j\in U_{ij}$ while$Re{q}_i\wedge Re{q}_j\ne \varphi$do if$Re{q}_i<Re{q}_j$ $Re{q}_{Uj}=Re{q}_{UGj}\Leftarrow Re{q}_{Ui}$ $result\Leftarrow U_i\in U{G}_j$ if$Re{q}_i>Re{q}_j$ $Re{q}_{Ui}=Re{q}_{UGi}\Leftarrow Re{q}_{Uj}$ $result\Leftarrow U_j\in U{G}_i$ if$Re{q}_i=Re{q}_j$$creatnewUG(.)$ $Re{q}_{UGij}\Leftarrow Re{q}_{Ui}=Re{q}_{Uj}$ $result\Leftarrow U_i\in U_{ij}and{U}_j\in U_{ij}$ return$result$ end while

Next, we analyze the complexity of the algorithm. In terms of time and frequency, n is called the scale of the problem. When n is constantly changing, the time $T\left(n\right)$ will change consequently. The number of repetitions of the basic operation in the algorithm is a function of the problem scaling in n, which is represented by $T\left(n\right)$. If there exists an auxiliary function $f\left(n\right)$, such that, when n approaches infinity, the limit value of $T\left(n\right)/f\left(n\right)$ is a constant, then $f\left(n\right)$ is called the same order of magnitude function of $T\left(n\right)$, denoted as $T\left(n\right)=O\left(f\right(n\left)\right)$. We call $O\left(f\right(n\left)\right)$ the progressive time complexity of the algorithm, and abbreviate it as time complexity. In this paper, we assume that there are n users, and there exists only one loop in the algorithm. Roughly speaking, the complexity of the algorithm is $O\left(n\right)$, which means that the amount of data increases several times and the time consumed also increases several times. $O\left(n\right)$ algorithm can process about ${10}^8$ magnitudes of data.

Aiming at the problem of strong attack on Role Revealing Attack, we propose dynamic electronic signature over access control. Considering signing a data file in BIM system, due to the uncertainty of the number of directories, the directory page after the signature page cannot be effectively determined. We use dynamic signature key and feature recognition technology in BIM system to achieve accurate identification of signature page. It can also effectively ensure uniqueness, correctness and validity of BIM data.

The BIM master data generated in electronic signature is usually original information for entire building lifecycle, e.g., architectural design drawings, while data attribute document is attribution information, including creators, creation time, construction stages, technical status, data classification, level of secrecy, etc. Figure 2 describes the method of dynamic electronic signature. The process of obtaining dynamic page number is included, and key feature set F and signature page number p are added to the electronic configuration template. The concrete steps are as follows:

• The BIM system obtains a visual PDF file of BIM database master data and uses Adobe interface to parse PDF file into N feature set $G_n$.
• The BIM system parses electronic signature configuration template to obtain key feature set F.
• The BIM system combines the key feature set F with the feature set $G_n$. If it does, go to Step 4; Otherwise, go to Step 5.
• Get the value of the page number p collected by the signature key in the graphics document and pass the value to the electronic signature configuration template.
• Show tips for exceptions, and prompt for the correct template to ensure that the file template used by users satisfies the requirements of the development template.

4.5. Examples: Location-Aware or Time-Aware

BIM data may include the following BIM models at different stages of a life cycle of a building:

(1)

Design Models: Building, structure, hydropower and wind, performance simulation, environment and infrastructure.

(2)

Construction model: Subdivide the design model according to the construction steps.

(3)

Schedule model (4D): Linking model objects in a project according to schedule.

(4)

Cost Model (5D): Linking objects to the cost and time of the project.

(5)

Manufacturing Models: Using 3D models instead of traditional plane drawings to manufacture building components.

(6)

Operational model: Used to simulate operations management, maintenance and mid- term updates.

As the access of BIM cloud servers is always pervasive at different locations, we propose using location information of accessors to further constrain the access right so as to provide a fine-grained access control.

Example 1.

A designer may access the BIM data at the construction fields, at home, or in the offices. In traditional RBAC, no matter where she is, she will be granted the same permission for accessing the BIM data. It may provide certain convenience in some situations, but it may also create risk in terms of privilege leakage, for example, the malicious codes at home computer may steal the password for the role. In CaAC, the designer can access 3D data in offices, which cannot be accessed in construction fields, while 2D data can be accessed in construction fields.

Thus, to specify the permission for a role in different locations, a location information may be induced to distinguish, e.g. contexts. That is, the permission is related to not only roles, but also locations. The administrators can group users in different areas according to location context, and then assign roles.

Another context that may be encountered is time, i.e. the time of accessing BIM data. Similarly, we propose a time-aware RBAC that can incorporate time constraints into access control, especially with respect to the same role. Material suppliers may access BIM data during office hours or on holidays. MCBIM server can guarantee the successful access during office hours, but not on holidays. According to the context, the users in this time period are divided into a group and the roles are granted. It cannot be accomplished in naive RBAC, but can be achieved in time-aware RBAC model.

Similar to location-aware RBAC, time-aware RBAC can be described as follows. As above, only the main functions are provided for simplicity:

• $T=UGT\cup RT,$ where T is a time; $UGT$ is a user group time; and $RT$ is a role time. Here, we present two variants in a contrast way in parallel.
• $UGA\subseteq UG\times R.$ The user group assignment is a relation between user groups and roles.
• $PA\subseteq R\times UGT\times P\times RT.$ A permission is assigned to a combination of $RT$ and $UGT$. The $RT\times UGT$ can define a proper permission for the further access. Roughly speaking, when and only when the specification of role and that of context are both guaranteed, assigned permission will be possessed.
• $\mathsf{AssignedUsers}(·):r\in R\to 2^{UG}.$ Each role will be assigned to one or multiple user groups.
• $\mathsf{AssignedPermission}(·):r\in R;t\in UGT\to 2^{(P\times RT)}.$ That is, for each role and user group time, the combinations of permission and role time are assigned.

Example 2.

Material suppliers for a construction project usually access BIM data during office hours or non-working hours (e.g., at midnight or 15:00). BIM server can guarantee the successful access during office hours, but not during suspected attacking hours, especially for certain critical data. It cannot be accomplished in naive RBAC, but can be achieved in CaAC model with time context.

Furthermore, Context-aware can be further extended to other instantiation of context. In addition to location and time, the context can be any other condition related to access right. The detailed model for Context-aware RBAC is similar to location-aware RBAC and time-aware RBAC. The latter two are presented not only as an instantiation of CaAC, but also as a sample for the concrete construction of access models.

5. Security and Performance Analysis

Comparison between CaAC and RBAC

In this section, we compare two models proposed in this paper with the traditional RBAC model in five aspects, and analyze security and feasibility. The specific comparison results are shown in

Table 1. A comparison between the CaAC model and the traditional RBAC.

	Model	RBAC	Basic CaAC	Advanced CaAC
Characteristic
Privilege management		Constraints are set for each permission, which is prone to errors in the process of permission allocation. With the increase of functional modules in the system, the number of permissions is huge, and it is difficult to achieve effective management.	Grouping rules are based on user login permissions, more fine-grained than RBAC.	Grouping according to context user request, more fine-grained than RBAC.
Flexibility		Flexibility is extremely poor. If any part of the session changes, the user needs to recreate the session and activate the user role.	Flexibility is at a moderate level, and if user’s permissions change upon login, she needs to be grouped again.	The user’s roles or login permissions have changed without requiring all steps in the model to be repeated.
Data security		With the increasing number of people involved and the growing size of databases, this model obviously can not meet the security of data.	Because of adopting grouping strategy, data security can be satisfied.	Dynamic electronic signature is adopted to ensure the security of data.
Efficiency		Efficiency and its inefficiency, to give each user of the system one by one authorization (role), is a very cumbersome thing.	Efficiency is the highest. Privileges and roles should be set first to form access control tables. Grouping and authorization only need to look up tables upon requests.	Efficiency is moderate. Users login first and then be grouped according to requests, while permissions can be granted directly to each group.

.

Confidentiality and Integrity: The former means data are guaranteed not to be disclosed to unauthorized users. The latter means data cannot be tampered (e.g., insertion, modification, deletion, and reordering) without authorization during storage. Both proposed models can prevent unauthorized access and tampering behavior.

Defending against Role Revealing Attack: We propose dynamic electronic signature over access control. That is, BIM system equips accurate identification of signature pages. Key feature recognition can effectively solve the risks of Role Revealing Attack and ensure the uniqueness, correctness and validity of BIM data.

Flexibility: Flexibility refers to the convenience of mapping relations between users and roles, and reconfiguring roles and privileges on demand. In traditional RBAC model, flexibility imposes difficulties in recreating sessions and activates updated roles. In basic model, flexibility is improved. Since grouping rules stem from permissions upon login, they still need to be grouped if the permissions change. In advanced model, it is not necessary to re-perform all steps, even if roles or login permissions change. It is independent of the permissions upon login, and only depends on contexts.

Efficiency: When data volume is huge or the number of users is large, traditional RBAC model may be inefficient in authorizing each user in the system sequentially. Thus, grouping users and authorizing user groups in a batch will be more efficient. Furthermore, advanced model is less efficient than the basic model. The specific quantitative analysis process is as follows:

• Worst case: There is no inclusion relationship between users and user requests, thus grouping needs n times.
• Average case: If there are p users and other q users with inclusion relationship ($p+q<n$), the remaining $(n-p-q)$ users need to group $(n-p-q)$ times. $(p+q)/2$ coincidence elements are generated in the inclusion relationship. The efficiency is improved by $n/(n-p-q+(p+q)/2)=2n/(2n-p-q)$.
• Best case: All users and user requests have inclusion relationship, thus grouping only occurs once. The efficiency increases n times.

6. Conclusions

We analyzed the limitation in traditional role-based only access control mechanism. As the number of mobile users is much larger than the number of roles, naive role-based access control may not be suitable in BIM situations. We thus propose a Context-aware fine-grained access control, called CaAC. We describe the functions of CaAC by formal method and present several illustrations on contexts via location-aware access control and the time-aware access control. CaAC can guarantee the access control within the same role by differentiating contexts, which is more fine-grained than current role-based only access control. We also present grouping algorithms of two models. By comparing the proposed models with traditional RBAC model, we analyze the security and feasibility. As a result of analysis, we conclude that the average efficiency is improved by $2n/(2n-p-q)$, and the time complexity of the proposed algorithm is $O\left(n\right)$.