Role Based Access Control with Spatiotemporal Context for Mobile Applications

Role based access control (RBAC) is an established paradigm in resource protection. However, with the proliferation of mobile computing, it is frequently observed that the RBAC access decision is directly influenced by the spatiotemporal context of both the subjects and the objects in the system. Currently, only a few models (STRBAC, GSTRBAC) specify spatiotemporal security policy on top of classical RBAC. In this paper we propose a complete RBAC model in the spatiotemporal domain based on the idea of spatiotemporal extent. The concepts of spatiotemporal role extent and spatiotemporal permission extent introduced here enable our model to specify granular spatiotemporal access control policies that are not specifiable in the existing approaches. Our model is also powerful enough to incorporate classical role hierarchy and other useful RBAC policies, including Role based Separation of Duty and Permission based Separation of Duty, in the spatiotemporal domain. Healthcare is an area in which information security is of utmost importance. The risk of personal medical data leakage is especially high in mobile healthcare applications. As a proof of concept, we have implemented the proposed spatiotemporal access control method in a mobile telemedicine system.
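The sketch below is an added illustration, not the paper's model or code: it shows a deny-by-default access check in which a request is granted only when its location and time fall inside both the role's extent and the permission's extent. The `Extent` representation (named zones plus a daily time window), the single request point standing in for subject and object context, and all role, zone and permission names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Extent:
    """Assumed representation of a spatiotemporal extent: zones plus a daily window."""
    zones: frozenset
    start: time
    end: time

    def contains(self, zone, at):
        if zone not in self.zones:
            return False
        if self.start <= self.end:
            return self.start <= at < self.end
        # Window wraps past midnight (e.g. 22:00 to 06:00).
        return at >= self.start or at < self.end

# Constructed sample policy for a telemedicine setting (all names hypothetical).
ROLE_EXTENT = {
    "doctor": Extent(frozenset({"ward", "clinic"}), time(8), time(20)),
    "night_nurse": Extent(frozenset({"ward"}), time(22), time(6)),
}
PERMISSION_EXTENT = {
    ("read", "patient_record"): Extent(frozenset({"ward", "clinic"}), time(0), time.max),
    ("write", "prescription"): Extent(frozenset({"clinic"}), time(9), time(17)),
}
ROLE_PERMISSIONS = {
    "doctor": {("read", "patient_record"), ("write", "prescription")},
    "night_nurse": {("read", "patient_record")},
}

def check_access(role, permission, zone, at):
    """Grant only if the role holds the permission and (zone, at) lies in both extents."""
    role_ext = ROLE_EXTENT.get(role)
    perm_ext = PERMISSION_EXTENT.get(permission)
    if role_ext is None or perm_ext is None:
        return False  # unknown role or permission: deny by default
    if permission not in ROLE_PERMISSIONS.get(role, set()):
        return False  # classical RBAC assignment check
    return role_ext.contains(zone, at) and perm_ext.contains(zone, at)
```

Because the decision is the intersection of two extents, a doctor who is validly active in the ward still cannot write a prescription there, which a policy with only a role-level spatiotemporal constraint could not express.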
