service to participate in any session with Bob if originated by Alice (BO rule is triggered, action is session recording and $C_{SID}$ is Alice's address), then yet another invitation is sent to a voice recorder to join the session between Alice and Bob ($A_{SID}$ is Alice's and Bob's voice media addresses). We think that Bob might be concerned about possible recordings of his sessions, so let us assume that he has also established at the voice recorder a call-processing rule that must notify him of any recording of a media stream originating at his address (BN rule is triggered, action is notify on recording, $C_{SID}$ is Bob's voice media address). Thus, when the voice session with Alice starts, Bob receives a notification of recording, for example on his instant messenger ($A_{SID}$ is Bob's notification address).

Self-similarity of Rule Bases. The rule-based system implementation in accordance with our model (Fig.1) will in general have three bases of rules (rule-sets): event authorisation rules, behaviour rules, and notification rules. Without loss of generality we assume that all three bases are installed over the same range of SID values, denoted $rg(R_0)$. All three rule-bases are then self-similar in the sense that there can be no dependencies between rule bases with regard to access rights for the same SID in different rule bases. For example, EA rules may deny events within certain sub-ranges of $rg(R_0)$, however admitted events sourced by allowed SIDs may carry denied SID values in their payloads. Thus, event authorisation rules may shrink the $R_0$, but it is expanded again for behaviour and notification rules.

Installed Rules. It is important to stress that the installed rule set in our approach differs from the original rules, i.e. from the default $R_0$ and from rules injected later. A rule set is initialised with a default policy $R_0$, a rule that applies to the whole range $rg(R_0)$ starting with $SID_0$ and ending at $SID_N$. Any newly injected rule $R_i$ with $rg(R_i) = [SID_{i0}, SID_{iN}]$ and with $mod(R_1) \neq mod(R_0)$ is in conflict with $R_0$. In our model positive and negative modalities are equally strong (see discussion in section 4), thus a conflict should be resolved based on additional information. If conflict resolution results in $mod(R_1) > mod(R_0)$ (modality of $R_1$ is stronger than that of $R_0$) then this produces in the $rg(R_0)$ two (if $SID_0 = SID_{i0}$ or $SID_N = SID_{iN}$) or three (otherwise) intervals with modalities either inherited from the default policy or from the new rule. Modalities together with these intervals are called installed rules and are denoted $I_i$. Obviously, modalities of any two neighbouring intervals in the installed rule set always differ.
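
The interval splitting described above can be sketched as follows. This is an added example, not code from the original text; it assumes SIDs are integers, that ranges are inclusive, and that conflict resolution has already decided in favour of the injected rule. The function names `default_policy`, `install` and `modality_of` are hypothetical.

```python
from typing import List, Tuple

# One installed rule I_i: (first SID, last SID, modality), bounds inclusive.
# Assumption: SIDs are modelled as integers; the page does not fix their type.
Interval = Tuple[int, int, str]

def default_policy(sid_0: int, sid_n: int, modality: str) -> List[Interval]:
    """Installed rule set that holds only the default policy R_0."""
    return [(sid_0, sid_n, modality)]

def install(installed: List[Interval], lo: int, hi: int, modality: str) -> List[Interval]:
    """Install a rule over [lo, hi] that has already won conflict resolution.

    Returns a new sorted, gap-free list of intervals in which neighbouring
    intervals always carry different modalities.
    """
    sid_0, sid_n = installed[0][0], installed[-1][1]
    if not (sid_0 <= lo <= hi <= sid_n):
        raise ValueError("rule range must lie inside rg(R_0)")
    # Remnants of existing intervals to the left and right keep their modality.
    left = [(a, min(b, lo - 1), m) for a, b, m in installed if a < lo]
    right = [(max(a, hi + 1), b, m) for a, b, m in installed if b > hi]
    merged: List[Interval] = []
    for a, b, m in left + [(lo, hi, modality)] + right:
        if merged and merged[-1][2] == m:
            # Same modality as the left neighbour: extend it instead of
            # creating a second interval with an identical modality.
            merged[-1] = (merged[-1][0], b, m)
        else:
            merged.append((a, b, m))
    return merged

def modality_of(installed: List[Interval], sid: int) -> str:
    """Look up which modality applies to a single SID."""
    for a, b, m in installed:
        if a <= sid <= b:
            return m
    raise KeyError(sid)

if __name__ == "__main__":
    r0 = default_policy(0, 99, "negative")           # constructed sample range
    print(install(r0, 20, 40, "positive"))           # three intervals
    print(install(r0, 0, 40, "positive"))            # two: shares SID_0
    print(install(install(r0, 20, 40, "positive"), 41, 60, "positive"))
```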

Conflict Resolution Rules. In the following text we concentrate on a single rule base cluster. A cluster contains installed rules of a single type (2-1) through (5-2); each rule instance may have one of the two modalities, positive or negative. A rule instance is defined for a SID range, thus a rule instance within a cluster can be unambiguously specified by its modality $mod(I_i)$ and its range $rg(I_i)$. Injecting a new rule in a rule-set may cause conflicts with the installed rule-set.

We distinguish the following five relations of a new rule ($R_i$) range and any installed rule ($I_j$) range (see also Fig.2.a):

1. Disjoint ranges: there is not a single SID value from $rg(R_i)$ that also belongs to $rg(I_j)$; relation $rg(R_i) \parallel rg(I_j)$ is symmetric and non-transitive;
2. Nested ranges: all SID values from $rg(R_i)$ are within $rg(I_j)$; relation $rg(R_i) < rg(I_j)$ is asymmetric and transitive;
3. Inverted nested ranges: all SID values from $rg(I_j)$ are within $rg(R_i)$; relation $rg(R_i) > rg(I_j)$ is asymmetric and transitive;