Distributed Access Control:
A Logic-Based Approach
Steve Barker
Dept. Computer Science, King's College, London, WC2R 2LS, UK
Abstract. We introduce the status-based access control model, and we
describe status-based access control policies and programs. Some
technical results are presented, and we describe a practical
implementation of an autonomous agent that is used for evaluating access
requests with respect to a formulation of an SBAC policy.
1 Introduction
The dissemination of information across large-scale networks of computers is
increasingly prevalent. As such, there is a need to develop approaches for
controlling access to resources in distributed systems. Thus far, there has
been an emphasis on the issues of identification, authentication and
encryption in the context of network system security. However, in this paper
we consider the issue of access control for authenticated users of a network
system.
In recent years, informal specifications [1] and formal specifications [2] of
role-based access control (RBAC) models have been described in the literature.
These works make some entirely reasonable assumptions about the context in
which RBAC policies for protecting centralized information systems are
specified, and these assumptions are the basis for practical policies for
protecting the information contained in such systems. To wit: a (human) access
policy administrator (APA) has complete information about the individuals to be
assigned to the roles that are performed by personnel in an organization, and
complete information about the access privileges to be exercised on the objects
contained in the system. Moreover, the APAs will revise a formulation of an
RBAC policy to take into account changes to role and permission assignments
(as necessary) to satisfy requirements that are usually determined and
implemented on an organization-wide basis. These changes do not usually need to
be performed in real time and the policy specifications are relatively static
(i.e., user-role, permission-role and role-role relationships often persist for
long periods of time).
The assumptions that are applicable in the case of protecting centralized
systems do not necessarily apply to network systems. For example, in a network
system a user's access privileges on data objects may need to be modified in a
highly dynamic and autonomous manner, and without the authority that decides
whether to permit or deny access necessarily having complete information about
the user.
In this paper, we define a variation of RBAC for use in a distributed
environment. In the model that we describe, access control is defined in terms of
 