It is important to confirm that this formulation accurately captures all of
the important properties of inheritance: reflexivity, transitivity, and the subset
relationships between related roles' authorized users and authorized permissions.
That is, we must ensure that the logical rules (and thus the logic's semantics)
validate the following properties:
- For all roles $R$, $R \Rightarrow_{ap(R)} R$. This rule is an instance of the $\Rightarrow$-reflexivity rule ($\Rightarrow$ Ref) from Figure 4.
- For all roles $R_1, R_2, R_3$, $(R_1 \Rightarrow_{ap(R_2)} R_2 \wedge R_2 \Rightarrow_{ap(R_3)} R_3) \supset R_1 \Rightarrow_{ap(R_3)} R_3$. Recall that, whenever $R_2$ inherits $R_3$, authorized permissions($R_3$) is a subset of authorized permissions($R_2$), and thus $ap(R_3) \subseteq ap(R_2)$. Therefore, $ap(R_3) = ap(R_3) \cap ap(R_2)$, and the desired rule is simply an instance of the $\Rightarrow$-transitivity rule ($\Rightarrow$ Trans) from Figure 4.
- For all roles $R_1$ and $R_2$, users $U$, and role authorities $RA$, $(R_1 \Rightarrow_{ap(R_2)} R_2 \wedge U\ \mathsf{serves}\ RA \Rightarrow_{ap(R_1)} R_1) \supset U\ \mathsf{serves}\ RA \Rightarrow_{ap(R_2)} R_2$. That is, if $U$ is an authorized user of $R_1$ and $R_1$ inherits $R_2$, then $U$ is also an authorized user of $R_2$. Once again, we rely on the relationship $ap(R_2) \subseteq ap(R_1)$ to see that the desired rule is simply an instance of the role-subsumption (Role Sub) rule from Figure 4.
4.4 Reasoning About Access-Control Decisions
To demonstrate the use of the logic in reasoning about access-control decisions, we return to the example from Section 2. We temporarily ignore the separation-of-duty constraints, and focus on the access-control aspects of the example.
Recall that the permission read student grade reports is associated with the role Fac: we use rsg as the primitive proposition corresponding to this permission. For simplicity, we also assume the permission rant (proposition rt) is assigned to the Ten role; there are no other explicit permission assignments. Thus, the role hierarchy shown in Figure 1 can be described as follows:
$(\mathit{CS\ Fac} \Rightarrow_{\{rsg\}} \mathit{Fac}) \wedge (\mathit{CE\ Fac} \Rightarrow_{\{rsg\}} \mathit{Fac}) \wedge (\mathit{UnTen} \Rightarrow_{\{rsg\}} \mathit{Fac}) \wedge (\mathit{Ten} \Rightarrow_{\{rsg\}} \mathit{Fac}) \wedge (\mathit{Chair} \Rightarrow_{\{rsg,rt\}} \mathit{Ten}) \wedge (\mathit{P\&T\ VM} \Rightarrow_{\{rsg,rt\}} \mathit{Ten})$.
Recall that Alice is explicitly assigned to the role Chair. This fact can be represented in the logic by the statement $\mathit{Alice}\ \mathsf{serves}\ RA \Rightarrow_{\{rsg,rt\}} \mathit{Chair}$. This statement, along with the description of the role hierarchy above, provides the basis for reasoning about whether Alice should be allowed to read student grade reports. More specifically, we interpret Alice's attempt to read student grade reports as a statement $\mathit{Alice} \mid \mathit{Fac}\ \mathsf{says}\ rsg$. Ultimately, the reference monitor must be able to deduce that $(\mathit{Alice}\ \mathsf{for}\ RA\ \mathit{Fac})\ \mathsf{says}\ rsg$, in which case the request will be granted.
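As an added worked example (not code from the paper), the hierarchy and assignments of Section 4.4 encoded in Python: $ap(R)$ and the authorized-user set are computed by closure over inheritance, the three inheritance properties of Section 4.3 are checked over the whole hierarchy, and a small reference monitor decides Alice's request to read student grade reports. The hierarchy edges, the permission sets {rsg} and {rsg, rt}, and Alice's assignment to Chair are taken from the text; the function names and the closure-based computation are assumptions of this example.

```python
from itertools import product
# Constructed encoding of the role hierarchy this section describes (Figure 1):
# each role maps to the set of roles it directly inherits.
INHERITS = {
    "Fac": set(), "CS Fac": {"Fac"}, "CE Fac": {"Fac"}, "UnTen": {"Fac"},
    "Ten": {"Fac"}, "Chair": {"Ten"}, "P&T VM": {"Ten"},
}
# Explicit permission assignments from the text: rsg on Fac, rt on Ten, nothing else.
EXPLICIT_PERMS = {"Fac": {"rsg"}, "Ten": {"rt"}}
# Explicit user-role assignments (the "U serves RA" statements): Alice is Chair.
ASSIGNMENTS = {"Alice": {"Chair"}}

def inherits(r1, r2):
    """Reflexive-transitive closure of INHERITS: does r1 inherit r2?"""
    seen, stack = set(), [r1]
    while stack:
        r = stack.pop()
        if r == r2:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(INHERITS[r])
    return False

def ap(role):
    """Authorized permissions: those assigned to role or to any role it inherits."""
    return {p for r in INHERITS if inherits(role, r) for p in EXPLICIT_PERMS.get(r, ())}

def authorized_users(role):
    """Users assigned to role or to any role that inherits it."""
    return {u for u, rs in ASSIGNMENTS.items() if any(inherits(r, role) for r in rs)}

def inheritance_properties_hold():
    """Reflexivity, transitivity, and the two subset relations listed in the text."""
    roles = list(INHERITS)
    if not all(inherits(r, r) for r in roles):
        return False
    for r1, r2, r3 in product(roles, repeat=3):
        if inherits(r1, r2) and inherits(r2, r3) and not inherits(r1, r3):
            return False
    for r1, r2 in product(roles, repeat=2):
        if inherits(r1, r2) and not (ap(r2) <= ap(r1)
                                     and authorized_users(r1) <= authorized_users(r2)):
            return False
    return True

def decide(user, role, permission):
    """Reference monitor: grant 'user | role says permission' only if user is an authorized user of role and permission is in ap(role)."""
    return user in authorized_users(role) and permission in ap(role)
```

With these inputs `decide("Alice", "Fac", "rsg")` is granted because Chair inherits Ten, which inherits Fac, while a request by Alice as P&T VM is refused since Chair does not inherit that role.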