where $DB$ is a conjunction of literals $DB_1, \ldots, DB_m$ such that $DB_i$ $(i = (1..m))$ is a literal with a predicate symbol that is a database predicate, and $EV$ is a conjunction of literals $EV_1, \ldots, EV_n$ such that $EV_j$ $(j = (1..n))$ is expressed in terms of the evaluable predicates.
Definition 16. For each $ECL_I(E, U, l_i)$ clause $C_1$ that defines the initiation of $U$'s assignment to the status level $l_i \in L$ there is an $ECL_T(E, U, l_i)$ clause $C_2$ that defines the termination of $U$'s assignment to $l_i$ such that $C_1$ and $C_2$ differ only in terms of the conjunctions of the evaluable predicates that appear in the bodies of $C_1$ and $C_2$. The pair of clauses defining $ECL_I(E, U, l_i)$ and $ECL_T(E, U, l_i)$ are called an initiation/termination dual for level $l_i$.

The $ECL_I(E, U, l_i)$ clause of a dual for $l_i \in L$ defines the initiation of an agent's assignment to a status level $l_i$, and the $ECL_T(E, U, l_i)$ clause of the dual for $l_i$ defines the termination of an agent's assignment to a status level $l_i$.
Definition 17. A permission-level association is expressed in $SBAC(\psi)$ by using a clause of the form

$pla(P, O, L) \leftarrow DB_1, \ldots, DB_m, EV_1, \ldots, EV_n.$
Definition 18. A denial-level association is expressed in $SBAC(\psi)$ by using a clause of the form

$dla(P, O, L) \leftarrow DB_1, \ldots, DB_m, EV_1, \ldots, EV_n.$
Definition 19. The set of authorization triples $(u_i, p_j, o_k)$ are defined by a set of clauses in $SBAC(\psi)$ with the head $authorized(U, P, O)$. This set of clauses is called the authorizations clauses for $SBAC(\psi)$.
4 SBAC Policy Formulation

In this section, we present an example $SBAC$ policy $\Pi_1$, a closed access policy.
Definition 20. The authorizations clause for $\Pi_1$ is as follows:

$authorized(U, P, O) \leftarrow sla(U, L_1),\ subsumes_L(L_1, L_2),\ pla(P_1, O_1, L_2).$
Example 2. Consider an e-banking system where a requester agent's status depends on the agent's payment and withdrawal history, and the current state of the requester agent's account. There are two upgrading actions joining and depositing, and two downgrading actions leaving and withdrawing. On joining as a customer of the bank, a requester agent is assigned to the lowest status level; on leaving the bank as a customer, the user is terminated from the lowest status level - equivalent to the user having no status level. Suppose also that there are three status levels supported, $l_1$, $l_2$, and $l_3$, and that $WFM(SBAC(\psi)) \models ds_L(l_1, l_2)$ and $WFM(SBAC(\psi)) \models ds_L(l_2, l_3)$. There are two types of requester agents: ordinary agents and Goldcard agents.
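
The closed-policy check of Definition 20, evaluated over the ds_L facts of Example 2, as an added example that is not code from the original text. Assumptions: ds_L(a, b) is read as "a directly subsumes b", subsumes_L is taken to be the reflexive-transitive closure of ds_L, the pla literal is matched against the requested permission and object, and every sla/pla fact and agent name below is constructed for illustration.

```python
# Added illustration of Definition 20 (closed policy); not the authors' code.
# Assumptions: ds_L(a, b) reads "a directly subsumes b"; subsumes_L is the
# reflexive-transitive closure of ds_L; all sla/pla facts are constructed.

DS = {("l1", "l2"), ("l2", "l3")}            # ds_L facts from Example 2
LEVELS = {"l1", "l2", "l3"}

SLA = {("alice", "l2"), ("bob", "l3")}       # constructed: sla(U, L)
PLA = {                                      # constructed: pla(P, O, L)
    ("read", "statement", "l3"),
    ("transfer", "account", "l2"),
    ("approve", "loan", "l1"),
}


def subsumes(ds, levels):
    """Reflexive-transitive closure of ds as a set of (upper, lower) pairs."""
    closure = {(lvl, lvl) for lvl in levels} | set(ds)
    changed = True
    while changed:
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


SUBSUMES = subsumes(DS, LEVELS)


def authorized(u, p, o, sla=SLA, pla=PLA, sub=SUBSUMES):
    """True iff sla(u, L1), subsumes_L(L1, L2) and pla(p, o, L2) all hold.

    Closed policy: a request with no such derivation is denied. The pla
    permission and object are matched to the request's p and o (assumption).
    """
    return any(
        user == u and (l1, l2) in sub
        for user, l1 in sla
        for perm, obj, l2 in pla
        if perm == p and obj == o
    )
```

Passing a reduced sla set models the effect of a termination clause: once an agent's sla fact is gone, every request from that agent is denied, because the closed policy has no other way to derive authorized.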