A logical language for expressing authorizations

A major drawback of existing access control systems is that they have all been developed with a specific access control policy in mind. This means that all protection requirements (i.e. accesses to be allowed or denied) must be specified in terms of the policy enforced by the system. While this may be trivial for some requirements, specification of other requirements may become quite complex or even impossible. The reason for this is that a single policy simply cannot capture the different protection requirements that users may need to enforce on different data. In this paper, we take a first step towards a model that is able to support different access control policies. We propose a logical language for the specification of authorizations on which such a model can be based. The Authorization Specification Language (ASL) allows users to specify, together with the authorizations, the policy according to which access control decisions are to be made. Policies are expressed by means of rules which enforce the derivation of authorizations, conflict resolution, access control and integrity constraint checking. We illustrate the power of our language by showing how different constraints that are sometimes required, but very seldom supported by existing access control systems, can be represented in our language.

[1]  Teresa F. Lunt,et al.  Access Control Policies for Database Systems , 1988, DBSec.

[2]  Adrian Walker,et al.  Towards a Theory of Declarative Knowledge , 1988, Foundations of Deductive Databases and Logic Programming..

[3]  F. Mayer,et al.  Access meditation in a message passing kernel , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[4]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[5]  Todd Fine,et al.  Assuring Distributed Trusted Mach , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[6]  Simon S. Lam,et al.  Authorizations in Distributed Systems: A New Approach , 1993, J. Comput. Secur..

[7]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[8]  Elisa Bertino,et al.  A Temporal Access Control Mechanism for Database Systems , 1996, IEEE Trans. Knowl. Data Eng..

[9]  Elisa Bertino,et al.  Supporting multiple access control policies in database systems , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[10]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.