Skip to main content
SpringerLink
Log in

Reasoning with advanced policy rules and its application to access control

  • Regular contribution
  • Published:
International Journal on Digital Libraries Aims and scope Submit manuscript

Abstract

This paper presents a formal framework to represent and manage advanced policy rules, which incorporate the notions of provision and obligation. Provisions are those conditions that need to be satisfied or actions that must be performed by a user or an agent before a decision is rendered, while obligations are those conditions or actions that must be fulfilled by either the user or agent or by the system itself within a certain period of time after the decision. This paper proposes a specific formalism to express provisions and obligations within a policy and investigates a reasoning mechanism within this framework. A policy decision may be supported by more than one rule-based derivation, each associated with a potentially different set of provisions and obligations (called a global PO set). The reasoning mechanism can derive all the global PO sets for each specific policy decision and facilitates the selection of the best one based on numerical weights assigned to provisions and obligations as well as on semantic relationships among them. The formal results presented in the paper hold for many applications requiring the specification of policies, but this paper illustrates the use of the proposed policy framework in the security domain only.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Aberer K, Wombacher A (2001) A language for information commerce processes. In: 3rd international workshop on advanced issues of e-commerce and Web-based information systems, June 2001

  2. Agrawal R, Cochrane R, Lindsay BG (1991) On maintaining priorities in a production rule system. In: Proc. international conference on very large data bases, pp 479–487

  3. Balze M, Feigenbaum J, Lacy J (1996) Decentralized trust management. In: IEEE 17th symposium on security and privacy

  4. Balze M, Feigenbaum J, Staauss M (1998) Compliance Checking in the PolicyMaker trust management system. In: Proc. Financial Crypto’98. Lecture notes in computer science, vol 1465. Springer, Berlin Heidelberg New York

  5. Bettini C, Jajodia S, Sean Wang X, Wijesekera D (2002) Obligation monitoring in policy management. In: IEEE 3rd international workshop on policies for distributed systems and networks, June 2002

  6. Bertino E, Bettini C, Ferrari E, Samarati P (1998) An access control model supporting periodicity constraints and temporal reasoning. ACM Trans Database Syst 23(3):231–285

  7. Bettini C, Jajodia S, Wang X (2000) Time granularities in databases, temporal reasoning, and data mining. Springer, Berlin Heidelberg New York

  8. Bettini C, Wang XS, Jajodia S (2002) Solving multi-granularity temporal constraint networks. Artif Intell 140(1–2):107–152

  9. Chomicki J, Lobo J (2001) Monitors for history-based policies. In: [24]

  10. Dechter R, Meiri I, Pearl J (1991) Temporal constraint networks. Artif Intell 49:61–95

  11. Damianou N, Dulay N, Lupu E, Sloman M (2001) The Ponder Policy Specification Language. In: [24]

  12. Gries D (1981) The science of programming. Springer, Berlin Heidelberg New York

  13. Genesereth M, Nilsson N (1987) Logical foundations of artificial intelligence. Morgan Kaufmann, San Francisco

  14. Jajodia S, Kudo M, Subrahmanian VS (2001) Provisional authorizations. In: Gosh A (ed) E-commerce security and privacy. Kluwer, Dordrecht, pp 133–159

  15. Jajodia S, Samarati P, Sapino ML, Subrahmanian VS (2001) Flexible support for multiple access control policies. ACM Trans Database Syst 26(2):214–260

  16. Kagal L, Finin T, Joshi A (2001) Trust-based security in pervasive computing environments. In: IEEE Comput 34(12):154–157

  17. Kagal L, Undercoffer J, Perich F, Joshi A, Finin T (2002) A security architecture for pervasive computing systems. In: Grace Hopper Celebration of Women in Computing 2002

  18. Kudo M, Hada S (2000) XML document security based on provisional authorization. In: Proc. 7th ACM conference on computer and communications security, pp 87–96

  19. Liskov BH, Wing JM (1994) A behavioral notion of subtyping. ACM Trans Programm Lang Syst 16(6):1811–1841

  20. Lobo J, Bhatia R, Naqvi S (1999) A policy description language. In: Proc. national conference of the American Association for Artificial Intelligence, Orlando, FL

  21. NIH Policy on Data Sharing. grants2.nih.gov/grants/policy/data__sharing/

  22. Przymusinski T (1988) On the declarative semantics of deductive databases and logic programs. In: Minker J (ed) Foundations of deductive databases. Morgan Kaufmann, San Mateo, pp 193–216

  23. Samarati P, Bertino E, Jajodia S (1996) An authorization model for a distributed hypertext system. IEEE Trans Knowl Data Eng 8(4):555–562

  24. Sloman M, Lobo J, Lupu E (eds) (2001) In: Proc. international workshop on policies for distributed systems and networks (POLICY 2001). Lecture notes in computer science, vol 1995. Springer, Berlin Heidelberg New York

  25. Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50

  26. Smith K, Jajodia S, Swarup V, Hoyt J, Hamilton G, Faatz D, Cornett T (2004) Enabling the sharing of neuroimaging data through well-defined intermediate levels of visibility. NeuroImages 22(4):1646–1656

  27. Ullman JD (1988) Principles of database and knowledge-base systems. Computer Science Press, Rockville, MD

  28. Wieringa RJ, Meyer J-JC (1993) Applications of Deontic logic in computer science: a concise overview. In: Deontic logic in computer science: normative system specification, Wiley, New York, pp 17–40

  29. Woo TYC, Lam SS (1993) Authorizations in distributed systems: a new approach. J Comput Secur 2(2–3):107–136

Download references

Author information

Authors and Affiliations

  1. DICo, Università di Milano, via Comelico 39, 20135, Milan, Italy

    Claudio Bettini

  2. Center for Secure Information Systems, George Mason University, Fairfax, VA, 22030, USA

    Sushil Jajodia & Duminda Wijesekera

  3. Department of Computer Science, University of Vermont, Burlington, VT, 05405, USA

    X. Sean Wang

Authors
  1. Claudio Bettini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sushil Jajodia
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. X. Sean Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Duminda Wijesekera
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Claudio Bettini.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Bettini, C., Jajodia, S., Wang, X. et al. Reasoning with advanced policy rules and its application to access control. Int J Digit Libr 4, 156–170 (2004). https://doi.org/10.1007/s00799-004-0078-8

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00799-004-0078-8

Keywords

Search

Navigation