Towards More Controllable and Practical Delegation - Computer Network Security

Information Technology Reference

In-Depth Information

Table 1. Core Syntax of REAL05

〈user-defined-predicate〉

(2) Predicate 〈p〉 ::= 〈entity〉.〈pn〉(〈list of v〉)

(3) Rule 〈rule〉 ::= 〈p〉. | 〈p〉 ← 〈c〉. | 〈p〉 ← 〈list of p〉. | 〈p〉 ← 〈list of p〉, 〈c〉.

(4) Query 〈Query〉 ::= ? ← 〈p〉.

(5) Permission 〈pm〉 ::= pm(〈name〉, 〈list of var〉)

(6) Role 〈role〉 ::= dR(〈rv〉) | aR(〈rv〉) | sR(〈rv〉)

(7) Role Variable 〈rv〉 ::= 〈entity〉, 〈name〉

(9) List (macro) 〈list of X〉 ::= 〈X〉 | 〈list of X〉, 〈list of X〉

(10) Delegation Constraint 〈dc〉 ::= sc(〈scope〉, 〈depth〉, 〈scope〉) | ∅ | *

(11) Trust Scope 〈scope〉 ::= 〈role〉 | 〈scope〉 ∩ 〈scope〉 | {list of 〈entity〉} | {} | *

(12) Delegation Depth 〈depth〉 ::= 〈natural-number〉 | 0 | *

(14) Constraint 〈c〉 ::= 〈e〉 = 〈e〉 | 〈e〉 ≠ 〈e〉 | 〈e〉 ≤ 〈e〉 | 〈e〉 ≥ 〈e〉 | 〈e〉

〈e〉 | 〈c〉, 〈c〉

(15) Expression 〈e〉 ::= 〈constant〉 | 〈var〉 | 〈dc〉 | f(〈list of var〉) | 〈e〉 - 〈e〉 | 〈e〉 + 〈e〉 | 〈e〉 ∪ 〈e〉

⊃

〈e〉 | 〈e〉

⊆

y dR is a distributed role, e.g. dR (org, member) represents all the members in org.

In the rest of this paper, roles denote distributed roles by default.

y aR is an administrative role, representing the authority defined in section 2.2,

e.g. aR (org, member) is the administrative role for dR(org, member). Given a

role dr, its administrative role is denoted as aR (dr).

y sR is a session role, representing the capability defined in section 2.2, e.g.

sR(org, sid012) is the capability holding by the session identified by session ID

“sid012”. A user has to log on the server successfully before he can get a session

role.

Delegation Constraint . The delegation constraint (10) is a logical term and defines

the spacial constraint in section 2.3. Spacial constraint acts as parameters in predicates

when specifying policies. 〈scope〉 and 〈depth〉 can be “*”, which means no constraint.

〈dc〉 can be

∅

, which is equivalent to the constant sc ({}, 0, *).

Constraint . The constraints (14) are composed of constraint expressions (15) and

constraint predicates. The type of constants and variables in (15) can be integer, float,

entity and set of entities. Constraint expression can also be delegation constraints and

return values of functions. Constraint predicates include “=”, “≠”, “≤”, “≥”, “

⊆

” and

“

⊃

”, where “

⊆

” and “

⊃

” are binary predicates on entity sets and 〈dc〉 respectively.

Predicates . The predicates (2) are the policy items used to express authorization and

delegation policies. REAL05 has six reserved predicates:

y x.canRequest(y, pm) means that x allows entity y to access the resources con-

trolled by permission pm.

y x.canHold(dr, pm) means that x assigns role dr with permission pm.

y x.canActivate(y, dr) means that x allows entity y to activate the role dr, and y

will be assigned with all the permissions hold by dr.

y x.hasActivated(y, dr) means that entity y has logged on x and activated the role

dr successfully.

Computer Network Security

Search WWH ::

Custom Search

Home