Affiliation:
1. Microsoft Research, Cambridge UK
2. Technical University of Denmark, Lyngby, Denmark
Abstract
Administering and maintaining access control systems is a challenging task, especially in environments with complex and changing authorization requirements. A number of authorization logics have been proposed that aim at simplifying access control by factoring the authorization policy out of the hard-coded resource guard. However, many policies require the authorization state to be updated after a granted access request, for example, to reflect the fact that a user has activated or deactivated a role. Current authorization languages cannot express such state modifications; these still have to be hard-coded into the resource guard. We present a logic for specifying policies where access requests can have effects on the authorization state. The logic is semantically defined by a mapping to Transaction Logic. Using this approach, updates to the state are factored out of the resource guard, thus enhancing maintainability and facilitating more expressive policies that take the history of access requests into account. We also present a sound and complete proof system for reasoning about sequences of access requests. This gives rise to a goal-oriented algorithm for finding minimal sequences that lead to a specified target authorization state.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality, General Computer Science
Cited by
14 articles.