Abstract
This paper presents a formal framework to represent and manage advanced policy rules, which incorporate the notions of provision and obligation. Provisions are those conditions that need to be satisfied or actions that must be performed by a user or an agent before a decision is rendered, while obligations are those conditions or actions that must be fulfilled by either the user or agent or by the system itself within a certain period of time after the decision. This paper proposes a specific formalism to express provisions and obligations within a policy and investigates a reasoning mechanism within this framework. A policy decision may be supported by more than one rule-based derivation, each associated with a potentially different set of provisions and obligations (called a global PO set). The reasoning mechanism can derive all the global PO sets for each specific policy decision and facilitates the selection of the best one based on numerical weights assigned to provisions and obligations as well as on semantic relationships among them. The formal results presented in the paper hold for many applications requiring the specification of policies, but this paper illustrates the use of the proposed policy framework in the security domain only.
Cite this article
Bettini, C., Jajodia, S., Wang, X. et al. Reasoning with advanced policy rules and its application to access control. Int J Digit Libr 4, 156–170 (2004). https://doi.org/10.1007/s00799-004-0078-8
DOI: https://doi.org/10.1007/s00799-004-0078-8