obligations are still hot problems in this area. One may reify GCDM to enforce the
delegation policies for these paradigms. We will test these ideas in the future.
2.3 Spacial Constraint on Delegation
To restrict privilege propagation in a delegation tree, the delegator can specify
constraints from the following aspects: (1) the scope of mediate delegatees in the delegation
tree; (2) the scope of delegation targets in the delegation tree; (3) the valid time interval
of all the delegation chains in the tree. The first two aspects concern the propagation
scope of the current delegation and are called spacial constraints. The third aspect is
called a temporal constraint. This paper uses spacial constraints to enforce control on
delegation.
Definition 5 (Spacial Constraint). The spacial constraint is a structure SC(ds, dd, ts),
where SC is the type of the structure, and also denotes the set of all spacial constraints,
ds E, dd 0 and ts E are attributes of the structure, and denote the scope
of mediate delegatees, upper-bound of delegation depth and the scope of delegation
targets respectively. ds and ts are also called trust scope in our previous work [18].
Here the delegation depth is mainly used to avoid infinite delegation loops. The
spacial constraint defines a kind of unitary control on delegation, as shown in Fig. 3-II.
Fig. 3. Two Typical Delegation Control Models: I. step-by-step control; II. unitary control
The constraint structure defined in section 2.1 can be reified as (DP, SC, , ⇒).
Here we can give a more precise definition of the semantics for the relation and ⇒:
: Given sc1, sc2 SC, then sc1 sc2 iff (sc1.ds sc2.ds) (sc1.dd sc2.dd) (sc1.ts sc2.ts).
⇒: Given dp=[dr→de [0..n] →dt] p DP, sc SC, then dp⇒sc iff (de i sc.ds) (n sc.dd) (dt sc.ts), where sc is specified by dr and i=1…n.
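An added example, not code from the paper: the two relations above in Python. It assumes the ordering on SC is component-wise (set inclusion on ds and ts, ≤ on dd) and that a path satisfies a constraint when every mediate delegatee is in ds, their count n does not exceed dd, and the target is in ts; the function names and entity names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SC:
    ds: frozenset  # scope of mediate delegatees
    dd: int        # upper bound of delegation depth
    ts: frozenset  # scope of delegation targets

def sc_leq(sc1, sc2):
    # Assumed reading of the ordering on SC: sc1 is no broader than sc2
    # in either scope and allows no deeper delegation.
    return sc1.ds <= sc2.ds and sc1.dd <= sc2.dd and sc1.ts <= sc2.ts

def violations(dr, des, dt, constraints):
    """Check dp = [dr -> de_1..de_n -> dt] against the constraint that
    dr specified. An empty result means dp => sc (assumed reading)."""
    sc = constraints[dr]  # "sc is specified by dr"
    out = []
    for i, de in enumerate(des, start=1):
        if de not in sc.ds:
            out.append(f"de_{i}={de} outside ds")
    if len(des) > sc.dd:
        out.append(f"depth {len(des)} exceeds dd={sc.dd}")
    if dt not in sc.ts:
        out.append(f"target {dt} outside ts")
    return out

def satisfies(dr, des, dt, constraints):
    return not violations(dr, des, dt, constraints)

# Constructed sample data (hypothetical entities, not from the paper).
ALICE_SC = SC(ds=frozenset({"bob", "carol"}), dd=2,
              ts=frozenset({"dave", "erin"}))
NARROW_SC = SC(ds=frozenset({"bob"}), dd=1, ts=frozenset({"dave"}))
CONSTRAINTS = {"alice": ALICE_SC}

if __name__ == "__main__":
    # A path inside both scopes and within the depth bound.
    print(satisfies("alice", ["bob", "carol"], "dave", CONSTRAINTS))
    # bob -> carol -> bob stays inside ds, so only dd stops the loop.
    print(violations("alice", ["bob", "carol", "bob"], "dave", CONSTRAINTS))
    # An out-of-scope mediate delegatee and an out-of-scope target.
    print(violations("alice", ["bob", "mallory"], "frank", CONSTRAINTS))
    # The ordering holds in one direction only.
    print(sc_leq(NARROW_SC, ALICE_SC), sc_leq(ALICE_SC, NARROW_SC))
```

The second call shows why the depth bound matters: every hop in the looping path is individually in scope, so the scope checks alone would accept it.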