PBAC: Provision-based access control model

Abstract.Over the years a wide variety of access control models and policies have been proposed, and almost all the models have assumed “grant the access request or deny it.” They do not provide any mechanism that enables us to bind authorization rules with required operations such as logging and encryption. We propose the notion of a “provisional action” that tells the user that his request will be authorized provided he (and/or the system) takes certain actions. The major advantage of our approach is that arbitrary actions such as cryptographic operations can all coexist in the access control policy rules. We define a fundamental authorization mechanism and then formalize a provision-based access control model. We also present algorithms and describe their algorithmic complexity. Finally, we illustrate how provisional access control policy rules can be specified effectively in practical usage scenarios.

[1]  Sushil Jajodia,et al.  A logical language for expressing authorizations , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[2]  Jeffrey I. Schiller,et al.  An Authentication Service for Open Network Systems. In , 1998 .

[3]  Michiharu Kudo,et al.  XML document security based on provisional authorization , 2000, CCS.

[4]  Silvana Castano,et al.  Database Security , 1997, IFIP Advances in Information and Communication Technology.

[5]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[6]  Michael J. Nash,et al.  The Chinese Wall security policy , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[7]  Carl A. Gunter,et al.  Models and languages for digital rights , 2001, Proceedings of the 34th Annual Hawaii International Conference on System Sciences.

[8]  Mark J. Stefik The Internet Edge: Social, Technical, and Legal Challenges for a Networked World , 1999 .

[9]  Sushil Jajodia,et al.  Provisional Authorizations , 2001, E-Commerce Security and Privacy.

[10]  Elisa Bertino,et al.  A unified framework for enforcing multiple access control policies , 1997, SIGMOD '97.

[11]  Simon S. Lam,et al.  A framework for distributed authorization , 1993, Conference on Computer and Communications Security.

[12]  Dorothy E. Denning,et al.  Cryptography and Data Security , 1982 .

[13]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1986, 1986 IEEE Symposium on Security and Privacy.

[14]  David F. Ferraiolo,et al.  On the formal definition of separation-of-duty policies and their composition , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[15]  M. Kudo Access Control Model with Provisional Actions , 2001 .