Abstract
The purpose-based access control model was recently proposed to restrict access to sensitive data that are outside the control of their owner. The model can be enforced by ensuring that a user who wants to access private data respects the specific plan of tasks/actions that leads to the intended objective for which the data are used. The Organization Based Access Control (OrBAC) model is suitable for integrating this principle, but in a dynamic environment such as cloud computing, authorization rules should be expressed in a flexible way, and they may include optional tasks that can be skipped in some cases in order to adapt temporarily to changes in the context. To meet these requirements, we propose in this paper a new extension of the OrBAC model using the temporal nonmonotonic description logic (\(\textit {TL-JClassic}^{+}_{\delta \epsilon }\)), which allows policy rules to be represented formally as hierarchical planning that includes a set of ordered tasks that may admit exceptions in special cases. When an access request is made, the access control system infers dynamically, depending on the current context, the appropriate sequence of actions that can be performed by the subject who demands access to private data that may be outsourced to the cloud.
Notes
\(b_{0}\) is a constant used as a denotation of ⊥.
Appendix
In this section, we present the main algorithms used to develop the \(\textit {TL-JClassic}^{+}_{\delta \epsilon }\) tool:
Cite this article
Guesmia, K., Boustia, N. OrBAC from access control model to access usage model. Appl Intell 48, 1996–2016 (2018). https://doi.org/10.1007/s10489-017-1064-3
DOI: https://doi.org/10.1007/s10489-017-1064-3