Information Technology Reference
In-Depth Information
shorthand for 'and'). Each
A
i
literal (
i
∈{
1
, .., m
}
)isa
positive literal
; each
not B
j
)isa
negative literal
where negation is
negation as
failure (NAF)
[11]. A clause with an empty body is an
assertion
or a
fact
.A
clause that is variable-free is a
ground clause
. A clause that is negation-free is a
definite clause
. A set of clauses is a
program
.
An
SBAC
program
ψ
, henceforth written
SBAC
(
ψ
), is defined on a domain
of discourse that includes:
literal (
j
∈{
1
, .., n
}
1. A set
U
of
requester agents
;
2. A set
O
of
objects
;
3. A set
P
of
access privileges
;
4. A set
A
of
actions
;
5. A set
L
of
status levels
;
6. A set
E
of
events
;
7. A set
T
of
time points
.
sets, comprise the (disjoint) sets of requester agent
identifiers, object identifiers, access privileges, actions, status levels, and event
identifiers that form part of the universe of discourse for
SBAC
(
ψ
).
The set
The
U
,
O
,
P
,
A
,
L
, and
E
are linearly
ordered and isomorphic to the natural numbers. We will assume that times have a
DAY granularity
1
. We also assume that a time is expressed in
DD/MM/YYYY
format (which may be mapped to a natural number).
More formally, the sets of constant symbols of interest in
SBAC
(
ψ
) are:
T
is a set of discrete time points. The elements of
T
U
U
S∪J
-
A countable set
of
requester agent identifiers
such that
=
where
S
J
{
u
i
:
i
∈
N
|S|}
is a set of character strings that identify agents or
=
-
where
is the set of natural numbers.
N
-
A countable set
O
of
object identifiers
such that
O
=
{
o
i
:
i
∈
N
}
.
2
.
-
A countable set
O
of
access privileges
such that
P
=
{
p
i
:
i
∈
N
}
-
A countable set
of
action identifiers
that may be performed by agents in
an application-specific domain such that
A
A
=
{
a
i
:
i
∈
N
}
.
-
A countable set
L
of
status levels
such that
L
=
{
l
i
:
i
∈
N
}
.
-
A countable set
E
of
event identifiers
such that
E
=
{e
i
:
i ∈
N
}
.
-
A countable set
T
of
time points
such that
T
=
{
t
i
:
i
∈
N
−
1
}∪{
now
}
.
In this framework, the following notions apply.
Definition 2.
If
p
n
is an access privilege (
p
n
∈P
) and
o
k
is an object (
o
k
∈
O
) then a
permission
is a pair
(
p
n
,o
k
)
that denotes that the
p
n
access privilege
is permitted on
o
k
.
Definition 3.
If
p
n
is an access privilege and
o
k
is an object then a
denial
,
d
,
is a pair
(
p
n
,o
k
)
that denotes that
p
n
access is denied on
o
k
.
1
The choice of the time granularity will be an application-specific one.
2
In practice, access privileges will be named by strings like
read
and
write
.