research-article

Status-Based Access Control

Published: 01 October 2008

Abstract

Despite their widespread adoption, Role-based Access Control (RBAC) models exhibit certain shortcomings that make them less than ideal for deployment in, for example, distributed access control. In the distributed case, standard RBAC assumptions (e.g., of relatively static access policies, managed by human users, with complete information available about users and job functions) do not necessarily apply. Moreover, RBAC is restricted in the sense that it is based on one type of ascribed status, an assignment of a user to a role. In this article, we introduce the status-based access control (SBAC) model for distributed access control. The SBAC model (or family of models) is based on the notion of users having an action status as well as an ascribed status. A user's action status is established, in part, from a history of events that relate to the user; this history enables changing access policy requirements to be naturally accommodated. The approach can be implemented as an autonomous agent that reasons about the events, actions, and a history (of events and actions), which relates to a requester for access to resources, in order to decide whether the requester is permitted the access sought. We define a number of algebras for composing SBAC policies, algebras that exploit the language that we introduce for SBAC policy representation: identification-based logic programs. The SBAC model is richer than RBAC models and the policies that can be represented in our approach are more expressive than the policies admitted by a number of monotonic languages that have been hitherto described for representing distributed access control requirements. Our algebras generalize existing algebras that have been defined for access policy composition. We also describe an approach for the efficient implementation of SBAC policies.

Published in

ACM Transactions on Information and System Security, Volume 12, Issue 1
October 2008
230 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1410234

Copyright © 2008 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

  • Published: 1 October 2008
  • Revised: 1 February 2008
  • Accepted: 1 February 2008
  • Received: 1 July 2004

Qualifiers

  • research-article
  • Research
  • Refereed
