ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Status-Based Access Control
Full text PdfPdf (346 KB)
Source
ACM Transactions on Information and System Security (TISSEC) archive
Volume 12 ,  Issue 1  (October 2008) table of contents
Article No. 1  
Year of Publication: 2008
ISSN:1094-9224
Authors
Steve Barker  King's College London
Marek J. Sergot  Imperial College London
Duminda Wijesekera  George Mason University
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 39,   Downloads (12 Months): 524,   Citation Count: 1
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1410234.1410235
What is a DOI?

ABSTRACT

Despite their widespread adoption, Role-based Access Control (RBAC) models exhibit certain shortcomings that make them less than ideal for deployment in, for example, distributed access control. In the distributed case, standard RBAC assumptions (e.g., of relatively static access policies, managed by human users, with complete information available about users and job functions) do not necessarily apply. Moreover, RBAC is restricted in the sense that it is based on one type of ascribed status, an assignment of a user to a role. In this article, we introduce the status-based access control (SBAC) model for distributed access control. The SBAC model (or family of models) is based on the notion of users having an action status as well as an ascribed status. A user's action status is established, in part, from a history of events that relate to the user; this history enables changing access policy requirements to be naturally accommodated. The approach can be implemented as an autonomous agent that reasons about the events, actions, and a history (of events and actions), which relates to a requester for access to resources, in order to decide whether the requester is permitted the access sought. We define a number of algebras for composing SBAC policies, algebras that exploit the language that we introduce for SBAC policy representation: identification-based logic programs. The SBAC model is richer than RBAC models and the policies that can be represented in our approach are more expressive than the policies admitted by a number of monotonic languages that have been hitherto described for representing distributed access control requirements. Our algebras generalize existing algebras that have been defined for access policy composition. We also describe an approach for the efficient implementation of SBAC policies.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Martín Abadi , Michael Burrows , Butler Lampson , Gordon Plotkin, A calculus for access control in distributed systems, ACM Transactions on Programming Languages and Systems (TOPLAS), v.15 n.4, p.706-734, Sept. 1993  [doi>10.1145/155183.155225]
 
2
Grigoris Antoniou , Frank vanHarmelen, A Semantic Web Primer, MIT Press, Cambridge, MA, 2004
 
3
Krzysztof R. Apt, From logic programming to Prolog, Prentice-Hall, Inc., Upper Saddle River, NJ, 1996
 
4
Apt, K. and Bezem, M. 1991. Acyclic programs. New Generation Comput., 9, 3/4, 335--364.
 
5
K. R. Apt , H. A. Blair, Arithmetic classification of perfect models of stratified programs, Fundamenta Informaticae, v.13 n.1, p.1-17, Mar. 1990
6
Jean Bacon , Ken Moody , Walt Yao, A model of OASIS role-based access control and its support for active security, ACM Transactions on Information and System Security (TISSEC), v.5 n.4, p.492-540, November 2002  [doi>10.1145/581271.581276]
 
7
Baral, C. and Gelfond, M. 1994. Logic programming and knowledge representation. JLP 19/20, 73--148.
8
Steve Barker , Michael Leuschel , Mauricio Varea, Efficient and flexible access control via logic program specialisation, Proceedings of the 2004 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation, p.190-199, August 24-25, 2004, Verona, Italy  [doi>10.1145/1014007.1014026]
 
9
Steve Barker , Michael Leuschel , Mauricio Varea, Efficient and flexible access control via Jones-optimal logic program specialisation, Higher-Order and Symbolic Computation, v.21 n.1-2, p.5-35, June 2008  [doi>10.1007/s10990-008-9030-8]
10
Steve Barker , Peter J. Stuckey, Flexible access control policy specification with constraint logic programming, ACM Transactions on Information and System Security (TISSEC), v.6 n.4, p.501-546, November 2003  [doi>10.1145/950191.950194]
 
11
Cassandra: Distributed Access Control Policies with Tunable Expressiveness, Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, p.159, June 07-09, 2004
 
12
Bell, D. E. and LaPadula, L. J. 1976. Secure computer system: Unified exposition and multics interpretation. MITRE-2997.
13
Elisa Bertino , Claudio Bettini , Elena Ferrari , Pierangela Samarati, An access control model supporting periodicity constraints and temporal reasoning, ACM Transactions on Database Systems (TODS), v.23 n.3, p.231-285, Sept. 1998  [doi>10.1145/293910.293151]
14
Elisa Bertino , Piero Andrea Bonatti , Elena Ferrari, TRBAC: a temporal role-based access control model, Proceedings of the fifth ACM workshop on Role-based access control, p.21-30, July 26-28, 2000, Berlin, Germany  [doi>10.1145/344287.344298]
 
15
Elisa Bertino , Barbara Catania , Gian Piero Zarri, Intelligent Database Systems, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2001
 
16
Bertino, E., Khan, L. R., Sandhu, R. S., and Thuraisingham, B. 2006. Secure knowledge management: Confidentiality, trust, and privacy. IEEE Transactions on Systems, Man, and Cybernetics, Part A 36, 3, 429--438.
17
Piero Bonatti , Sabrina De Capitani di Vimercati , Pierangela Samarati, An algebra for composing access control policies, ACM Transactions on Information and System Security (TISSEC), v.5 n.1, p.1-35, February 2002  [doi>10.1145/504909.504910]
 
18
Brewer, D. F. C. and Nash, M. J. 1989. The Chinese Wall security policy. In IEEE Symposium on Security and Privacy (SP'89), 206--214.
19
Weidong Chen , David S. Warren, Tabled evaluation with delaying for general logic programs, Journal of the ACM (JACM), v.43 n.1, p.20-74, Jan. 1996  [doi>10.1145/227595.227597]
 
20
Ciao 2004. The Ciao Prolog System.
 
21
Clark, K. 1978. Negation as failure. In H. Gallaire and J. Minker (Eds.), Logic and Databases, pp. 293--322. Plenum.
 
22
Dwaine Clarke , Jean-Emile Elien , Carl Ellison , Matt Fredette , Alexander Morcos , Ronald L. Rivest, Certificate chain discovery in SPKI?SDSI, Journal of Computer Security, v.9 n.4, p.285-322, January 2001
23
James Clifford , Curtis Dyreson , Tomás Isakowitz , Christian S. Jensen , Richard Thomas Snodgrass, On the semantics of “now” in databases, ACM Transactions on Database Systems (TODS), v.22 n.2, p.171-214, June 1997  [doi>10.1145/249978.249980]
 
24
Czenko, M., Tran, H., Doumen, J., Etalle, S., Hartel, S., and den Hartog, J. 2005. Nonmonotonic Trust Management for P2P applications. In Proceedings of the 1st International Workshop on Security and Trust Management (STM'05), 101--116.
 
25
Ernesto Damiani , Sabrina De Capitani di Vimercati , Stefano Paraboschi , Pierangela Samarati, Managing and Sharing Servents' Reputations in P2P Systems, IEEE Transactions on Knowledge and Data Engineering, v.15 n.4, p.840-854, July 2003  [doi>10.1109/TKDE.2003.1209003]
 
26
Nicodemos Damianou , Naranker Dulay , Emil Lupu , Morris Sloman, The Ponder Policy Specification Language, Proceedings of the International Workshop on Policies for Distributed Systems and Networks, p.18-38, January 29-31, 2001
 
27
Davidson, D. 2001. Essays on Actions and Events. Oxford University Press.
 
28
John DeTreville, Binder, a Logic-Based Security Language, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.105, May 12-15, 2002
 
29
Dung, P. M. and Thang, P. M. 2004. Trust negotiation with nonmonotonic access policies. In Proceedings of the IFIP Conference on Intelligence in Communication Systems (INTELLCOMM'04), 70--84.
 
30
Sandro Etalle , Maurizio Gabbrielli, Transformations of CLP modules, Theoretical Computer Science, v.166 n.1-2, p.101-146, Oct. 20, 1996  [doi>10.1016/0304-3975(95)00148-4]
31
David F. Ferraiolo , Ravi Sandhu , Serban Gavrila , D. Richard Kuhn , Ramaswamy Chandramouli, Proposed NIST standard for role-based access control, ACM Transactions on Information and System Security (TISSEC), v.4 n.3, p.224-274, August 2001  [doi>10.1145/501978.501980]
 
32
Fitting, M. C. 1990. Bilattices in logic programming. In G. Epstein (Ed.), 12th International Conference on Multi-Valued Logics, 238--246.
 
33
Fitting, M. C. 2006. Bi-lattices are nice things, Chapter self-reference. University of Chicago Press.
 
34
Gelfond, M. and Lifschitz, V. 1988. The stable model semantics for logic programming. In R. Kowalski and K. Bowen (Eds.) In Proceedings of the 5th International Conference and Symposium on Logic Programming (JICSLP'88), MIT Press. 1070--1080.
 
35
Ginseberg, M. L. 1988. Multi-valued logics. Comput. Intell., 265--316.
 
36
Amir Herzberg , Yosi Mass , Joris Michaeli , Yiftach Ravid , Dalit Naor, Access Control Meets Public Key Infrastructure, Or: Assigning Roles to Strangers, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.2, May 14-17, 2000
 
37
Horrocks, I., Parsia, B., Patel-Schneider, P. F., and Hendler, J. A. 2005. Semantic Web architecture: Stack or two towers? In Proceedings of the Conference on Principles and Practice of Semantic Web Reasoning (PPSWR'05), 37--41.
38
Sushil Jajodia , Pierangela Samarati , Maria Luisa Sapino , V. S. Subrahmanian, Flexible support for multiple access control policies, ACM Transactions on Database Systems (TODS), v.26 n.2, p.214-260, June 2001  [doi>10.1145/383891.383894]
 
39
Trevor Jim, SD3: A Trust Management System with Certified Evaluation, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.106, May 14-16, 2001
 
40
James B. D. Joshi , Elisa Bertino , Usman Latif , Arif Ghafoor, A Generalized Temporal Role-Based Access Control Model, IEEE Transactions on Knowledge and Data Engineering, v.17 n.1, p.4-23, January 2005  [doi>10.1109/TKDE.2005.1]
 
41
Lalana Kagal , Tim Finin , Anupam Joshi, A Policy Language for a Pervasive Computing Environment, Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks, p.63, June 04-06, 2003
 
42
R Kowalski , M Sergot, A logic-based calculus of events, New Generation Computing, v.4 n.1, p.67-95, 1986  [doi>10.1007/BF03037383]
43
Ninghui Li , Benjamin N. Grosof , Joan Feigenbaum, Delegation logic: A logic-based approach to distributed authorization, ACM Transactions on Information and System Security (TISSEC), v.6 n.1, p.128-171, February 2003  [doi>10.1145/605434.605438]
 
44
Ninghui Li , John C. Mitchell , William H. Winsborough, Design of a Role-Based Trust-Management Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.114, May 12-15, 2002
 
45
J. W. Lloyd, Foundations of logic programming; (2nd extended ed.), Springer-Verlag New York, Inc., New York, NY, 1987
 
46
Michael J. Maher, A transformation system for deductive database modules with perfect model semantics, Theoretical Computer Science, v.110 n.2, p.377-403, March 29, 1993  [doi>10.1016/0304-3975(93)90013-J]
 
47
Mobasher, B., Pigozzi, D., Slutzki, G., and Voutsadakis, G. 2000. A duality theory for bilattices. Algebra Universalis, 43, 109--125.
 
48
OASIS 2003. eXtensible Access Control Markup language (XACML). Retrieved from http://www.oasis-open.org/xacml/docs/.
49
Jaehong Park , Ravi Sandhu, The UCONABC usage control model, ACM Transactions on Information and System Security (TISSEC), v.7 n.1, p.128-174, February 2004  [doi>10.1145/984334.984339]
 
50
Mary Anne Patton , Audun Jøsang, Technologies for Trust in Electronic Commerce, Electronic Commerce Research, v.4 n.1-2, p.9-21, January-April 2004  [doi>10.1023/B:ELEC.0000009279.89570.27]
 
51
Ruohomaa, S. and Kutvonen, L. 2005. Trust management survey. In Proceedings of the 3rd International Workshop on Trust Management (iTrust'05), pp. 77--92.
 
52
Ravi S. Sandhu , Edward J. Coyne , Hal L. Feinstein , Charles E. Youman, Role-Based Access Control Models, Computer, v.29 n.2, p.38-47, February 1996  [doi>10.1109/2.485845]
 
53
Tamaki, H. and Sato, T. 1984. Unfold/fold transformation of logic programs. In Proceedings of the Second International Logic Programming Conference (ICLP'84), 127--138.
 
54
Uszok, A., Bradshaw, M., and Jeffers, R. 2004. KAoS semantic policy and domain services. In Proceedings of the 2nd International Workshop on Trust Management (iTrust'04), pp. 16--26.
 
55
Allen Van Gelder, The alternating fixpoint of logic programs with negation, Journal of Computer and System Sciences, v.47 n.1, p.185-221, Aug. 1993
56
Lingyu Wang , Duminda Wijesekera , Sushil Jajodia, A logic-based framework for attribute based access control, Proceedings of the 2004 ACM workshop on Formal methods in security engineering, October 29-29, 2004, Washington DC, USA  [doi>10.1145/1029133.1029140]
57
Duminda Wijesekera , Sushil Jajodia, Policy algebras for access control: the propositional case, Proceedings of the 8th ACM conference on Computer and Communications Security, November 05-08, 2001, Philadelphia, PA, USA  [doi>10.1145/501983.501990]
58
Duminda Wijesekera , Sushil Jajodia, Policy algebras for access control the predicate case, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586134]
 
59
Woo, T. Y. C. and Lam, S. S. 1993. Authorizations in distributed systems: A new approach. J. Comput. Secur., 2, 2-3, 107--136.
60
Xinwen Zhang , Francesco Parisi-Presicce , Ravi Sandhu , Jaehong Park, Formal model and policy specification of usage control, ACM Transactions on Information and System Security (TISSEC), v.8 n.4, p.351-387, November 2005  [doi>10.1145/1108906.1108908]

CITED BY
Steve Barker, The next 700 access control models or a unifying meta-model?, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.2 DATABASE MANAGEMENT
      H.2.7 Database Administration
          Subjects: Security, integrity, and protection

Additional Classification:
  D. Software
  D.3 PROGRAMMING LANGUAGES
      D.3.2 Language Classifications
          Subjects: Constraint and logic languages

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Security


Keywords:
algebras, distributed security, logic, status-based access control

Collaborative Colleagues:
Steve Barker: colleagues
Marek J. Sergot: colleagues
Duminda Wijesekera: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player