skip to main content
research-article

Status-Based Access Control

Published: 01 October 2008 Publication History

Abstract

Despite their widespread adoption, Role-based Access Control (RBAC) models exhibit certain shortcomings that make them less than ideal for deployment in, for example, distributed access control. In the distributed case, standard RBAC assumptions (e.g., of relatively static access policies, managed by human users, with complete information available about users and job functions) do not necessarily apply. Moreover, RBAC is restricted in the sense that it is based on one type of ascribed status, an assignment of a user to a role. In this article, we introduce the status-based access control (SBAC) model for distributed access control. The SBAC model (or family of models) is based on the notion of users having an action status as well as an ascribed status. A user's action status is established, in part, from a history of events that relate to the user; this history enables changing access policy requirements to be naturally accommodated. The approach can be implemented as an autonomous agent that reasons about the events, actions, and a history (of events and actions), which relates to a requester for access to resources, in order to decide whether the requester is permitted the access sought. We define a number of algebras for composing SBAC policies, algebras that exploit the language that we introduce for SBAC policy representation: identification-based logic programs. The SBAC model is richer than RBAC models and the policies that can be represented in our approach are more expressive than the policies admitted by a number of monotonic languages that have been hitherto described for representing distributed access control requirements. Our algebras generalize existing algebras that have been defined for access policy composition. We also describe an approach for the efficient implementation of SBAC policies.

References

[1]
Abadi, M., Burrows, M., Lampson, B. W., and Plotkin, G. D. 1993. A calculus for access control in distributed systems. ACM Trans. Program. Lang. Syst., 15, 4, 706--734.
[2]
Antoniou, G. and van Harmelen, F. 2004. A Semantic Web Primer. MIT Press.
[3]
Apt, K. 1997. From Logic Programming to Prolog. Prentice Hall.
[4]
Apt, K. and Bezem, M. 1991. Acyclic programs. New Generation Comput., 9, 3/4, 335--364.
[5]
Apt, K. R. and Blair, H. 1990. Arithmetic classification of perfect models of stratified programs. XIII, 1--17.
[6]
Bacon, J., Moody, K., and Yao, W. 2002. A model of OASIS RBAC and its support for active security. ACM Trans. Inf. Syst. Secur., 5, 4, 492--540.
[7]
Baral, C. and Gelfond, M. 1994. Logic programming and knowledge representation. JLP 19/20, 73--148.
[8]
Barker, S., Leuschel, M., and Varea, M. 2004. Efficient and flexible access control via logic program specialisation. In Proceedings of the ACM/SIGPLAN Workshop on Partial Evaluation and Semantics-Based Program Manipulation (PEPM'04), 190--199.
[9]
Barker, S., Leuschel, M., and Varea, M. 2008. Efficient and flexible access control via Jones optimality logic program specialisation. HOSC, To Appear.
[10]
Barker, S. and Stuckey, P. 2003. Flexible access control policy specification with constraint logic programming. In ACM Trans. Inf. Syst. Secur., 6, 4, 501--546.
[11]
Becker, M. and Sewell, P. 2004. Cassandra: Distributed access control policies with tunable expressiveness. In Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY'04), 159--168.
[12]
Bell, D. E. and LaPadula, L. J. 1976. Secure computer system: Unified exposition and multics interpretation. MITRE-2997.
[13]
Bertino, E., Bettini, C., Ferrari, E., and Samarati, P. 1998. An access control model supporting periodicity constraints and temporal reasoning. In ACM Trans. Database Syst., 23, 3, 231--285.
[14]
Bertino, E., Bonatti, P., and Ferrari, E. 2000. TRBAC: A temporal role-based access control model. In Proceedings of the 5th ACM Workshop on Role-Based Access Control (RBAC'00), 21--30.
[15]
Bertino, E., Catania, B., and Zarri, G. 2001. Intelligent Database Systems. Addison Wesley.
[16]
Bertino, E., Khan, L. R., Sandhu, R. S., and Thuraisingham, B. 2006. Secure knowledge management: Confidentiality, trust, and privacy. IEEE Transactions on Systems, Man, and Cybernetics, Part A 36, 3, 429--438.
[17]
Bonatti, P., Vimercati, S., and Samarati, P. 2002. An algebra for Composing access control policies. In ACM Trans. Inf. Syst. Secur., 5, 1, 1--35.
[18]
Brewer, D. F. C. and Nash, M. J. 1989. The Chinese Wall security policy. In IEEE Symposium on Security and Privacy (SP'89), 206--214.
[19]
Chen, W. and Warren, D. 1996. Tabled evaluation with delaying for general logic programs. Journal of the ACM, 43, 1, 20--74.
[20]
Ciao 2004. The Ciao Prolog System.
[21]
Clark, K. 1978. Negation as failure. In H. Gallaire and J. Minker (Eds.), Logic and Databases, pp. 293--322. Plenum.
[22]
Clarke, D. E., Elien, J.-E., Ellison, C. M., Fredette, M., Morcos, A., and Rivest, R. L. 2001. Certificate chain discovery in SPKI/SDSI. J. Comput. Secur., 9, 4, 285--322.
[23]
Clifford, J., Dyreson, C., Isakowitz, T., Jensen, C., and Snodgrass, R. 1997. On the semantics of “now” in databases. In ACM Trans. Database Syst., 22, 2, 171--214.
[24]
Czenko, M., Tran, H., Doumen, J., Etalle, S., Hartel, S., and den Hartog, J. 2005. Nonmonotonic Trust Management for P2P applications. In Proceedings of the 1st International Workshop on Security and Trust Management (STM'05), 101--116.
[25]
Damiani, E., di Vimercati, S. D. C., Paraboschi, S., and Samarati, P. 2003. Managing and sharing servents' reputations in P2P systems. IEEE Trans. Knowl. Data Eng., 15, 4, 840--854.
[26]
Damianou, N., Dulay, N., Lupu, E., and Sloman, M. 2001. The Ponder Policy Specification Language. In Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY'01), Volume 1995 of LNCS, 18--38. Springer.
[27]
Davidson, D. 2001. Essays on Actions and Events. Oxford University Press.
[28]
DeTreville, J. 2002. Binder, a logic-based security language. In Proceedings of the IEEE Symposium on Security and Privacy (SP'02), 105--113.
[29]
Dung, P. M. and Thang, P. M. 2004. Trust negotiation with nonmonotonic access policies. In Proceedings of the IFIP Conference on Intelligence in Communication Systems (INTELLCOMM'04), 70--84.
[30]
Etalle, S. and Gabbrielli, M. 1996. Transformations of clp modules. Theor. Comput. Sci., 166, 101--146.
[31]
Ferraiolo, D. F., Sandhu, R. S., Gavrila, S. I., Kuhn, D. R., and Chandramouli, R. 2001. Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur., 4, 3, 224--274.
[32]
Fitting, M. C. 1990. Bilattices in logic programming. In G. Epstein (Ed.), 12th International Conference on Multi-Valued Logics, 238--246.
[33]
Fitting, M. C. 2006. Bi-lattices are nice things, Chapter self-reference. University of Chicago Press.
[34]
Gelfond, M. and Lifschitz, V. 1988. The stable model semantics for logic programming. In R. Kowalski and K. Bowen (Eds.) In Proceedings of the 5th International Conference and Symposium on Logic Programming (JICSLP'88), MIT Press. 1070--1080.
[35]
Ginseberg, M. L. 1988. Multi-valued logics. Comput. Intell., 265--316.
[36]
Herzberg, A., Mass, Y., Mihaeli, J., Naor, D., and Ravid, Y. 2000. Access control meets public key infrastructure, or: Assigning roles to strangers. In Proceedings of the IEEE Symposium on Security and Privacy (SP'00), 2--14.
[37]
Horrocks, I., Parsia, B., Patel-Schneider, P. F., and Hendler, J. A. 2005. Semantic Web architecture: Stack or two towers? In Proceedings of the Conference on Principles and Practice of Semantic Web Reasoning (PPSWR'05), 37--41.
[38]
Jajodia, S., Samarati, P., Sapino, M., and Subrahmaninan, V. 2001. Flexible support for multiple access control policies. In ACM Trans. Database Syst., 26, 2, 214--260.
[39]
Jim, T. 2001. SD3: A trust management system with certified evaluation. In Proceedings of the IEEE Symposium on Security and Privacy (SP'01), 106--115.
[40]
Joshi, J., Bertino, E., Latif, U., and Ghafoor, A. 2005. A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng., 17, 1, 4--23.
[41]
Kagal, L., Finin, T., and Johshi, A. 2003. A policy language for pervasive computing environment. In Proceedings of the International Workshop on Policies for Distributed Systems and Networks (POLICY'03), 63--78.
[42]
Kowalski, R. and Sergot, M. 1986. A logic-based calculus of events. New Generation Comput., 4, 1, 67--95.
[43]
Li, N., Grosof, B. N., and Feigenbaum, J. 2003. Delegation logic: A logic-based approach to distributed authorization. In ACM Trans. Inf. Syst. Secur., 6, 1, 128--171.
[44]
Li, N., Mitchell, J. C., and Winsborough, W. H. 2002. Design of a role-based trust-management framework. In Proceedings of the IEEE Symposium on Security and Privacy (SP'02), 114--130.
[45]
Lloyd, J. 1987. Foundations of Logic Programming. Springer-Verlag.
[46]
Maher, M. J. 1993. A transformation system for deductive database modules with perfect model semantics. Theor. Comput. Sci., 110, 377--403.
[47]
Mobasher, B., Pigozzi, D., Slutzki, G., and Voutsadakis, G. 2000. A duality theory for bilattices. Algebra Universalis, 43, 109--125.
[48]
OASIS 2003. eXtensible Access Control Markup language (XACML). Retrieved from http://www.oasis-open.org/xacml/docs/.
[49]
Park, J. and Sandhu, R. 2004. The UCONabc usage control model. In ACM Trans. Inf. Syst. Secur., 7, 1, 128--174.
[50]
Patton, M. and Josang, A. 2004. Technologies for trust in e-commerce. E-Commerce Res., 4, 1--2, 9--21.
[51]
Ruohomaa, S. and Kutvonen, L. 2005. Trust management survey. In Proceedings of the 3rd International Workshop on Trust Management (iTrust'05), pp. 77--92.
[52]
Sandhu, R., Coyne, E., Feinstein, H., and Youman, C. 1996. Role-based access control models. IEEE Computer, 29, 2, 38--47.
[53]
Tamaki, H. and Sato, T. 1984. Unfold/fold transformation of logic programs. In Proceedings of the Second International Logic Programming Conference (ICLP'84), 127--138.
[54]
Uszok, A., Bradshaw, M., and Jeffers, R. 2004. KAoS semantic policy and domain services. In Proceedings of the 2nd International Workshop on Trust Management (iTrust'04), pp. 16--26.
[55]
van Gelder, A. 1993. The alternating fixpoint of logic programs with negation. J. Comput. Syst. Sci., 47, 1, 185--221.
[56]
Wang, L., Wijesekera, D., and Jajodia, S. 2004. A logic-based framework for attribute based access control. In Proceedings of the ACM Workshop on Formal Methods in Security Engineering (FMSE'04), 45--55.
[57]
Wijesekera, D. and Jajodia, S. 2001. Policy algebras for access control: the propositional case. In ACM Conference on Computer and Communications Security (CCS'01), Philadelphia, PA, 38--47.
[58]
Wijesekera, D. and Jajodia, S. 2002. Policy algebras for access control the predicate case. In IEEE ACM Conference on Computer and Communications Security (CCS'02), Washington, DC, USA, 171--180.
[59]
Woo, T. Y. C. and Lam, S. S. 1993. Authorizations in distributed systems: A new approach. J. Comput. Secur., 2, 2-3, 107--136.
[60]
Zhang, X., Parisi-Presicce, F., Sandhu, R. S., and Park, J. 2005. Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur., 8, 4, 351--387.

Cited By

View all
  • (2024)Category-Based Administrative Access Control PoliciesACM Transactions on Privacy and Security10.1145/369819928:1(1-35)Online publication date: 28-Sep-2024
  • (2020)Admin-CBACProceedings of the Tenth ACM Conference on Data and Application Security and Privacy10.1145/3374664.3375725(73-84)Online publication date: 16-Mar-2020
  • (2020)EVL: A Typed Higher-order Functional Language for EventsElectronic Notes in Theoretical Computer Science10.1016/j.entcs.2020.08.002351(3-23)Online publication date: Sep-2020
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Information and System Security
ACM Transactions on Information and System Security  Volume 12, Issue 1
October 2008
230 pages
ISSN:1094-9224
EISSN:1557-7406
DOI:10.1145/1410234
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 October 2008
Accepted: 01 February 2008
Revised: 01 February 2008
Received: 01 July 2004
Published in TISSEC Volume 12, Issue 1

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. algebras
  2. distributed security
  3. logic
  4. status-based access control

Qualifiers

  • Research-article
  • Research
  • Refereed

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)8
  • Downloads (Last 6 weeks)1
Reflects downloads up to 20 Jan 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Category-Based Administrative Access Control PoliciesACM Transactions on Privacy and Security10.1145/369819928:1(1-35)Online publication date: 28-Sep-2024
  • (2020)Admin-CBACProceedings of the Tenth ACM Conference on Data and Application Security and Privacy10.1145/3374664.3375725(73-84)Online publication date: 16-Mar-2020
  • (2020)EVL: A Typed Higher-order Functional Language for EventsElectronic Notes in Theoretical Computer Science10.1016/j.entcs.2020.08.002351(3-23)Online publication date: Sep-2020
  • (2020)A novel predicate based access control scheme for cloud environment using open stack swift storagePeer-to-Peer Networking and Applications10.1007/s12083-020-00961-yOnline publication date: 26-Jul-2020
  • (2019)Specification and Analysis of ABAC Policies via the Category-based MetamodelProceedings of the Ninth ACM Conference on Data and Application Security and Privacy10.1145/3292006.3300033(173-184)Online publication date: 13-Mar-2019
  • (2019)Smart Virtual Care Centers in the Context of Performance and Privacy2019 15th International Conference on Telecommunications (ConTEL)10.1109/ConTEL.2019.8848553(1-8)Online publication date: Jul-2019
  • (2016)Cloud Multidomain Access Control Model Based on Role and Trust-DegreeJournal of Electrical and Computer Engineering10.1155/2016/98205902016Online publication date: 1-Apr-2016
  • (2015)A Typed Language for EventsRevised Selected Papers of the 25th International Symposium on Logic-Based Program Synthesis and Transformation - Volume 952710.1007/978-3-319-27436-2_7(107-123)Online publication date: 13-Jul-2015
  • (2015)Access Control and Obligations in the Category-Based Metamodel: A Rewrite-Based SemanticsLogic-Based Program Synthesis and Transformation10.1007/978-3-319-17822-6_9(148-163)Online publication date: 23-Apr-2015
  • (2013)Access Control in Service CompositionsService-Driven Approaches to Architecture and Enterprise Integration10.4018/978-1-4666-4193-8.ch007(165-187)Online publication date: 2013
  • Show More Cited By

View Options

Login options

Full Access

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media