Monotonic and Non-monotonic Context Delegation

Delegating access privileges is a common practice in access control mechanisms; it is typically used to distribute task-management responsibilities among entities. Delegation comes in two forms, GRANT and TRANSFER. In GRANT delegation, a successful delegation operation makes the delegated privileges available to both the delegator and the delegatee. In TRANSFER delegation, the delegated privileges are no longer available to the delegator. Although several delegation approaches have been proposed, current models do not address context delegation in context-based access control policies. We present two ontology-based context delegation approaches: monotonic context delegation, which adopts the GRANT form of delegation, and non-monotonic context delegation, which adopts the TRANSFER form. The approach presented here provides dynamic and adaptive privilege delegation for access control policies. We employ Description Logic (DL) and Logic Programming (LP) technologies to model contexts, delegation and CBAC privileges. We have designed three lightweight Web Ontology Language (OWL) ontologies, CTX, CBAC, and DEL, for context, Context-Based Access Control (CBAC), and delegation, respectively. We show that semantic-based techniques can support adaptive and dynamic context delegation for CBAC policies. We provide the formal framework of the approaches and show that they are sound, consistent and preserve the least-privilege principle.
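As an added illustration, not the paper's ontologies or code, the following Python model of a context-based policy implements the two delegation semantics described above (GRANT keeps the privilege with both parties, TRANSFER removes it from the delegator) and enforces the least-privilege check that a subject can only delegate a privilege it currently holds. The subject, resource and context names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    """A CBAC privilege: an action on a resource, valid only in a context."""
    action: str
    resource: str
    context: str          # hypothetical context name, e.g. "OnShift"


class DelegationError(Exception):
    pass


class CBACPolicy:
    def __init__(self) -> None:
        self._held: dict[str, set[Privilege]] = {}

    def assign(self, subject: str, priv: Privilege) -> None:
        self._held.setdefault(subject, set()).add(priv)

    def permitted(self, subject: str, action: str, resource: str,
                  active_contexts: set[str]) -> bool:
        """Access is allowed only if a held privilege's context is active."""
        return any(p.action == action and p.resource == resource
                   and p.context in active_contexts
                   for p in self._held.get(subject, set()))

    def delegate(self, delegator: str, delegatee: str, priv: Privilege,
                 monotonic: bool) -> None:
        """monotonic=True is GRANT (both keep it); False is TRANSFER."""
        # Least privilege: a subject cannot delegate what it does not hold,
        # so the delegatee never ends up with more than the delegator had.
        if priv not in self._held.get(delegator, set()):
            raise DelegationError(f"{delegator} does not hold {priv}")
        self.assign(delegatee, priv)
        if not monotonic:
            self._held[delegator].discard(priv)


def demo(monotonic: bool) -> tuple[bool, bool, bool]:
    """Constructed scenario; returns (delegator still allowed in context,
    delegatee allowed in context, delegatee allowed outside the context)."""
    policy = CBACPolicy()
    read = Privilege("read", "PatientRecord", "OnShift")
    policy.assign("alice", read)
    policy.delegate("alice", "bob", read, monotonic=monotonic)
    return (policy.permitted("alice", "read", "PatientRecord", {"OnShift"}),
            policy.permitted("bob", "read", "PatientRecord", {"OnShift"}),
            policy.permitted("bob", "read", "PatientRecord", {"OffShift"}))
```

Note that in both forms the delegatee inherits the context condition with the privilege, so the delegated access is still denied when the context is not active.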
