Affiliation:
1. TELECOM Bretagne, France
Abstract
Pre-obligations denote actions that may be required before access is granted. The successful fulfillment of pre-obligations leads to the authorization of the requested access. Pre-obligations enable a more flexible enforcement of authorization policies. This paper formalizes interactions between the obligation and authorization policy states when pre-obligations are supported and investigates their use in a practical scenario. The main advantage of the presented approach is that it gives pre-obligations both declarative semantics using predicate logic and operational semantics using Event-Condition-Action (ECA) rules. Furthermore, the presented framework enables policy designers to easily choose to evaluate any pre-obligation either (1) statically (an access request is denied if the pre-obligation has not been fulfilled); or (2) dynamically (users are given the possibility to fulfill the pre-obligation after the access request and before access is authorized).
Subject
Computer Networks and Communications