Affiliation:
1. Università di Milano, Crema, Italy
2. Università di Brescia, Brescia, Italy
Abstract
Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This assumption is too restrictive when access control restrictions to be enforced come from the combination of different policy specifications, each possibly under the control of independent authorities, and where the specifics of some component policies may not even be known a priori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. This article addresses the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. A translation of policy expressions into equivalent logic programs is illustrated, which provides the basis for the implementation of the algebra. The algebra's expressiveness is analyzed through a comparison with first-order logic.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality, General Computer Science
Cited by
147 articles.