Usage Control: A Vision for Next Generation Access Control

The term usage control (UCON) is a generalization of access control to cover obligations, conditions, continuity (ongoing controls) and mutability. Traditionally, access control has dealt only with authorization decisions on a subject’s access to target resources. Obligations are requirements that have to be fulfilled by the subject for access to be allowed. Conditions are subject- and object-independent environmental requirements that have to be satisfied for access. In today’s highly dynamic, distributed environment, obligations and conditions are also crucial decision factors for richer and finer controls on the usage of digital resources. Traditional authorization decisions are generally made at the time of request but typically do not recognize ongoing controls for relatively long-lived access or for immediate revocation. Moreover, mutability issues, which deal with updates to related subject or object attributes as a consequence of access, have not been systematically studied. In this paper we motivate the need for usage control, define a family of ABC models as a core model for usage control, and show how it encompasses traditional access control, such as mandatory, discretionary and role-based access control, as well as more recent requirements such as trust management and digital rights management. In addition, we discuss architectures that introduce a new reference monitor for usage control, and some variations.
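As an added illustration (not from the paper), the following Python sketch models a UCON-style reference monitor: a pre-decision combining authorization (A), an obligation (B) and a condition (C), followed by ongoing re-evaluation that updates a mutable credit attribute and revokes access when it is exhausted or the condition no longer holds. The credit/license/business-hours policy and all function names are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Subject:
    name: str
    credit: int                 # mutable attribute, consumed by ongoing usage
    accepted_license: bool      # obligation: has the subject accepted the license?

@dataclass
class Resource:
    name: str
    cost_per_tick: int          # credit charged per unit of ongoing usage

@dataclass
class Environment:
    hour: int                   # condition input, independent of subject and object

def condition_ok(env: Environment) -> bool:
    """Condition (assumed policy): usage permitted only between 08:00 and 18:00."""
    return 8 <= env.hour < 18

def pre_authorize(s: Subject, r: Resource, env: Environment) -> str:
    """Pre-decision: authorization on credit, obligation on license, condition on time."""
    if s.credit < r.cost_per_tick:
        return "deny:authorization"
    if not s.accepted_license:
        return "deny:obligation"
    if not condition_ok(env):
        return "deny:condition"
    return "permit"

def ongoing_tick(s: Subject, r: Resource, env: Environment) -> str:
    """One unit of ongoing usage: charge credit (mutability), then re-evaluate."""
    s.credit -= r.cost_per_tick
    if s.credit < r.cost_per_tick:
        return "revoke:credit_exhausted"
    if not condition_ok(env):
        return "revoke:condition"
    return "continue"

def run_session(s: Subject, r: Resource, hours: list) -> tuple:
    """Drive a session over successive clock readings; return (pre-decision, tick log)."""
    env = Environment(hour=hours[0])
    decision = pre_authorize(s, r, env)
    log = []
    if decision != "permit":
        return decision, log
    for h in hours[1:]:                  # each later reading is one usage tick
        env.hour = h
        verdict = ongoing_tick(s, r, env)
        log.append(verdict)
        if verdict != "continue":        # continuity: revoke mid-session
            break
    return decision, log
```

With a subject holding 5 credits and a resource costing 2 per tick, access is permitted at request time but revoked on the second tick once the remaining credit can no longer cover another unit.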