skip to main content
10.1145/2295136.2295144acmconferencesArticle/Chapter ViewAbstractPublication PagessacmatConference Proceedingsconference-collections
research-article

Ensuring authorization privileges for cascading user obligations

Published: 20 June 2012 Publication History

Abstract

User obligations are actions that the human users are required to perform in some future time. These are common in many practical access control and privacy and can depend on and affect the authorization state. Consequently, a user can incur an obligation that she is not authorized to perform which may hamper the usability of a system. To mitigate this problem, previous work introduced a property of the authorization state, accountability, which requires that all the obligatory actions to be authorized when they are attempted. Although, existing work provides a specific and tractable decision procedure for a variation of the accountability property, it makes a simplified assumption that no cascading obligations may happen, i.e., obligatory actions cannot further incur obligations. This is a strong assumption which reduces the expressive power of past models, and thus cannot support many obligation scenarios in practical security and privacy policies. In this work, we precisely specify the strong accountability property in the presence of cascading obligations and prove that deciding it is NP-hard. We provide for several special yet practical cases of cascading obligations (i.e., repetitive, finite cascading, etc.) a tractable decision procedure for accountability. Our experimental results illustrate that supporting such special cases is feasible in practice.

References

[1]
Senate banking committee, Gramm-Leach-Bliley Act, 1999. Public Law 106-102.
[2]
M. Ali, L. Bussard, and U. Pinsdorf. Obligation Language and Framework to Enable Privacy-Aware SOA. In Data Privacy Management and Autonomous Spontaneous Security, volume 5939 of Lecture Notes in Computer Science, pages 18--32. Springer Berlin, Heidelberg, 2010.
[3]
A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy and contextual integrity: Framework and applications. Security and Privacy, IEEE Symposium on, 0:184--198, 2006.
[4]
C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekera. Provisions and obligations in policy rule management. J. Netw. Syst. Manage., 11(3):351--372, 2003.
[5]
O. Chowdhury, M. Pontual, W. H. Winsborough, T. Yu, K. Irwin, and J. Niu. Ensuring authorization privileges for cascading user obligations. Technical Report CS-TR-2012-005, UT San Antonio, 2012.
[6]
D. Damianou, N. Dulay, E. Lupu, and M. Sloman. The Ponder Policy Specification Language. In 2nd International Workshop on Policies for Distributed Systems and Networks, Bristol, UK, Jan. 2001. Springer-Verlag.
[7]
D. J. Dougherty, K. Fisler, and S. Krishnamurthi. Obligations and their interaction with programs. In Proceedings of the 12th European Symposium On Research In Computer Security, Dresden, Germany, September 24-26, Proceedings, pages 375--389, 2007.
[8]
Y. Elrakaiby, F. Cuppens, and N. Cuppens-Boulahia. Formal enforcement and management of obligation policies. Data Knowl. Eng., 71:127--147, Jan. 2012.
[9]
D. F. Ferraiolo, R. S. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. ACM Transactions on Information and Systems Security, pages 224--274, Aug. 2001.
[10]
P. Gama and P. Ferreira. Obligation policies: An enforcement platform. In 6th IEEE International Workshop on Policies for Distributed Systems and Networks, Stockholm, Sweden, June 2005. IEEE Computer Society.
[11]
Health Resources and Services Administration. Health insurance portability and accountability act, 1996. Public Law 104-191.
[12]
K. Irwin, T. Yu, and W. H. Winsborough. On the modeling and analysis of obligations. In Proceedings of the 13th ACM conference on Computer and communications security, pages 134--143, New York, NY, USA, 2006. ACM.
[13]
A. J. I. Jones. On the relationship between permission and obligation. In ICAIL '87, New York, NY, USA. ACM.
[14]
N. Li, H. Chen, and E. Bertino. On practical specification and enforcement of obligations. In Proceedings of the second ACM conference on Data and application security and privacy, 2012.
[15]
M. J. May, C. A. Gunter, and I. Lee. Privacy APIs: Access control techniques to analyze and verify legal privacy policies. In CSFW '06, Washington, DC, USA, 2006. IEEE Computer Society.
[16]
L. McCarty. Pemissions and obligations. In Proceedings IJCAI-83, 1983.
[17]
N. H. Minsky and A. D. Lockman. Ensuring integrity by adding obligations to privileges. In Proceedings of the 8th international conference on Software engineering, pages 92--102, Los Alamitos, CA, USA, 1985. IEEE Computer Society Press.
[18]
Q. Ni, E. Bertino, and J. Lobo. An obligation model bridging access control policies and privacy policies. In SACMAT' 08, New York, NY, USA. ACM.
[19]
Q. Ni, A. Trombetta, E. Bertino, and J. Lobo. Privacy-aware role based access control. In Proceedings of the SACMAT'07, New York, NY, USA. ACM.
[20]
M. Pontual, O. Chowdhury, W. Winsborough, T. Yu, and K. Irwin. Toward Practical Authorization Dependent User Obligation Systems. In ASIACCS' 10, pages 180--191. ACM Press, 2010.
[21]
M. Pontual, O. Chowdhury, W. H. Winsborough, T. Yu, and K. Irwin. On the management of user obligations. SACMAT '11, New York, NY, USA. ACM.
[22]
R. S. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 model for role-based aministration of roles. ACM Transactions on Information and Systems Security, 2(1):105--135, Feb. 1999.
[23]
A. Sasturkar, P. Yang, S. Stoller, and C. Ramakrishnan. Policy analysis for administrative role based access control. In Computer Security Foundations Workshop, 2006. 19th IEEE, 2006.
[24]
S. D. Stoller, P. Yang, C. R. Ramakrishnan, and M. I. Gofman. Efficient policy analysis for administrative role based access control. In CCS '07, New York, NY, USA, 2007. ACM.
[25]
A. Uszok, J. Bradshaw, R. Jeffers, N. Suri, P. Hayes, M. Breedy, L. Bunch, M. Johnson, S. Kulkarni, and J. Lott. Kaos policy and domain services: Toward a description-logic approach to policy representation, deconfliction, and enforcement. In POLICY'03, Washington, DC, USA, 2003. IEEE Computer Society.
[26]
XACML TC. Oasis extensible access control markup language (xacml). http://www.oasis-open.org/committees/xacml/.

Cited By

View all

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SACMAT '12: Proceedings of the 17th ACM symposium on Access Control Models and Technologies
June 2012
242 pages
ISBN:9781450312950
DOI:10.1145/2295136
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 June 2012

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. accountability
  2. authorization
  3. cascading obligations
  4. obligations
  5. rbac

Qualifiers

  • Research-article

Conference

SACMAT '12
Sponsor:

Acceptance Rates

SACMAT '12 Paper Acceptance Rate 19 of 73 submissions, 26%;
Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)4
  • Downloads (Last 6 weeks)0
Reflects downloads up to 17 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2025)Detecting Errors in NGAC Policies via Fault-Based TestingIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2024.339518722:1(263-278)Online publication date: 1-Jan-2025
  • (2025)Managing Obligation DelegationSecurity and Privacy10.1002/spy2.4898:1Online publication date: 12-Jan-2025
  • (2023)Coverage-Based Testing of Obligations in NGAC SystemsProceedings of the 28th ACM Symposium on Access Control Models and Technologies10.1145/3589608.3593832(169-179)Online publication date: 24-May-2023
  • (2023)Dynamic Access Control with Administrative Obligations: A Case Study2023 IEEE 23rd International Conference on Software Quality, Reliability, and Security Companion (QRS-C)10.1109/QRS-C60940.2023.00071(157-166)Online publication date: 22-Oct-2023
  • (2023)An Incentive Mechanism for Managing Obligation DelegationRisks and Security of Internet and Systems10.1007/978-3-031-31108-6_15(191-206)Online publication date: 14-May-2023
  • (2013)Privacy promises that can be keptProceedings of the 18th ACM symposium on Access control models and technologies10.1145/2462410.2462423(3-14)Online publication date: 12-Jun-2013
  • (2013)Beyond accountabilityProceedings of the 18th ACM symposium on Access control models and technologies10.1145/2462410.2462411(213-224)Online publication date: 12-Jun-2013

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media