Information Technology Reference
In-Depth Information
A capability-based formulation of discretionary access control can be similarly given. For role-based access control, user-role and permission-role assignments can be expressed as subject and object attributes respectively. With mutable attributes we have the following two models.²
Definition 2. The UCON_preA1 and UCON_preA3 models are identical to UCON_preA0 except they respectively add the following update processes:
- UCON_preA1 adds preUpdate(ATT(s)), preUpdate(ATT(o))
- UCON_preA3 adds postUpdate(ATT(s)), postUpdate(ATT(o))
Note that both subject and object attributes can be updated. A Digital Rights Management (DRM) example of preUpdate is payment-based access. The allowed predicate tests whether the subject s has sufficient credit(s) to access an object o with price(o). The preUpdate procedure then decrements credit(s) by the amount price(o). A DRM example of postUpdate arises when the price of access depends upon the usage time, i.e., we have metered access. The subject's account must be charged the rate multiplied by the time of use, after access is terminated; the charge cannot be applied earlier because its amount is unknown until the usage ends.
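The two DRM examples above, worked as an added Python example that is not code from the paper: a minimal UCON_preA reference monitor with mutable attribute dictionaries standing in for ATT(s) and ATT(o). The attribute names credit, price and rate, the right name "read", the function names and the sample values are assumptions made here for illustration.

```python
"""Added example (not the paper's own code): UCON_preA1 and UCON_preA3 over
mutable attributes. credit, price, rate, the right "read" and all sample
values are assumed for illustration."""
from dataclasses import dataclass, field
from typing import Any, Dict


@dataclass
class Entity:
    name: str
    att: Dict[str, Any] = field(default_factory=dict)   # ATT(s) or ATT(o), mutable


def pre_a(att_s: dict, att_o: dict, r: str) -> bool:
    """preA(ATT(s), ATT(o), r): payment-based access. Only the right 'read'
    is priced here, and it is granted only when credit(s) covers price(o)."""
    return r == "read" and att_s.get("credit", 0) >= att_o.get("price", 0)


def pre_update(att_s: dict, att_o: dict) -> None:
    """UCON_preA1 preUpdate(ATT(s)): debit price(o) from credit(s) before usage."""
    att_s["credit"] -= att_o["price"]


def post_update(att_s: dict, att_o: dict, seconds_used: float) -> None:
    """UCON_preA3 postUpdate(ATT(s)): metered charge applied once usage ended."""
    att_s["credit"] -= att_o.get("rate", 0) * seconds_used


def request_access(s: Entity, o: Entity, r: str) -> bool:
    """allowed(s, o, r) <= preA(ATT(s), ATT(o), r). The pre-update runs only
    after a positive decision, so a denied request leaves ATT(s) untouched."""
    if not pre_a(s.att, o.att, r):
        return False
    pre_update(s.att, o.att)
    return True


def end_access(s: Entity, o: Entity, seconds_used: float) -> None:
    """Called when the usage terminates; applies the post-update."""
    post_update(s.att, o.att, seconds_used)


def demo() -> dict:
    """Constructed scenario: alice can pay once, bob cannot pay at all."""
    alice = Entity("alice", {"credit": 10})
    bob = Entity("bob", {"credit": 2})
    doc = Entity("doc1", {"price": 3, "rate": 0.5})   # 0.5 credit per second of use
    out = {}
    out["alice_granted"] = request_access(alice, doc, "read")   # True, credit 10 -> 7
    end_access(alice, doc, seconds_used=4)                       # metered: 7 -> 5
    out["alice_credit"] = alice.att["credit"]
    out["bob_granted"] = request_access(bob, doc, "read")       # False: 2 < 3
    out["bob_credit"] = bob.att["credit"]                        # unchanged, 2
    # Mutability makes the decision stateful: one more paid access leaves
    # alice with 2 credits and the next request is denied.
    out["alice_second"] = request_access(alice, doc, "read")    # True, 5 -> 2
    out["alice_third"] = request_access(alice, doc, "read")     # False
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the model fixes only what the enforcement point must observe (credit(s) before the decision, the debit afterwards); if the subject holds several accounts, which one is debited is outside the model, as the footnote on nondeterminism states.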
UCON_onA - Ongoing-authorizations Models
We begin by formalizing UCON_onA0, where no update procedures are included.
Definition 3. The UCON_onA0 model has the following components:
- S, O, R, ATT(S), ATT(O) and a usage decision function onA;
- allowed(s, o, r) ⇒ true;
- stopped(s, o, r) ⇐ ¬onA(ATT(s), ATT(o), r).
UCON_onA0 introduces the onA predicate instead of preA. In the absence of pre-authorization, the requested access is always allowed. However, ongoing-authorization is active throughout the usage of the requested right, and the onA predicate is repeatedly checked to sustain access. Technically, these checks are performed periodically, based on time or on events. The ABC model does not specify exactly how this should be done. In case certain attributes change and the requirements are no longer satisfied, the 'stopped' procedure is performed. We write 'stopped(s, o, r)' to indicate that right r of subject s to object o is revoked and the ongoing access terminated.
For example, suppose only 10 users can access an object o1 simultaneously. If an 11th user requests access, the user whose access started earliest is terminated. In
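The ongoing-authorization model and the 10-user example above, as an added Python example that is not code from the paper: a UCON_onA0 monitor in which allowed(s, o, r) is always true, onA is re-evaluated both on an event (a new access) and on a periodic tick, and stopped(s, o, r) revokes the session that started earliest when the predicate fails. The 10-user limit is the paper's example; the "member" subject attribute, the Session structure, the function names and the sample users are assumptions made here for illustration.

```python
"""Added example (not the paper's own code): a UCON_onA0 monitor. The
concurrency limit follows the paper's 10-user example; the 'member' subject
attribute and all sample data are assumed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Session:
    subject: str
    obj: str
    right: str
    start: float          # time the usage began; earliest is revoked first


class OngoingMonitor:
    def __init__(self, limit: int = 10):
        self.limit = limit
        self.subject_att: Dict[str, dict] = {}        # ATT(s), mutable
        self.active: Dict[str, List[Session]] = {}    # ongoing usages per object
        self.revoked: List[Tuple[str, str, str]] = [] # stopped(s, o, r) events

    def on_a(self, sess: Session) -> bool:
        """onA(ATT(s), ATT(o), r): the subject is still a member (assumed
        attribute) and the object is not above its concurrency limit."""
        att_s = self.subject_att.get(sess.subject, {})
        concurrent = len(self.active.get(sess.obj, []))
        return bool(att_s.get("member", False)) and concurrent <= self.limit

    def allowed(self, s: str, o: str, r: str, now: float) -> bool:
        """allowed(s, o, r) => true: no pre-authorization in UCON_onA0.
        The new usage is recorded and an event-based ongoing check runs."""
        self.active.setdefault(o, []).append(Session(s, o, r, now))
        self.recheck(o)
        return True

    def stopped(self, sess: Session) -> None:
        """stopped(s, o, r) <= not onA(...): revoke r and end the usage."""
        self.active[sess.obj].remove(sess)
        self.revoked.append((sess.subject, sess.obj, sess.right))

    def recheck(self, o: str) -> None:
        """Re-evaluate onA for every ongoing usage of o. While some session
        fails, stop the failing one with the earliest start and re-evaluate,
        because stopping one session changes the concurrency count."""
        while True:
            failing = [s for s in self.active.get(o, []) if not self.on_a(s)]
            if not failing:
                return
            self.stopped(min(failing, key=lambda s: s.start))

    def tick(self) -> None:
        """Time-based ongoing check across all objects."""
        for o in list(self.active):
            self.recheck(o)


def demo():
    """Constructed scenario: 11 members open o1, then one membership lapses."""
    m = OngoingMonitor(limit=10)
    for i in range(11):
        m.subject_att[f"u{i}"] = {"member": True}
        m.allowed(f"u{i}", "o1", "read", now=float(i))
    first_revoked = m.revoked[0]              # the 11th access evicts u0
    m.subject_att["u5"]["member"] = False     # attribute change during usage
    m.tick()                                  # periodic check stops u5
    still_active = [s.subject for s in m.active["o1"]]
    return first_revoked, still_active, list(m.revoked)


if __name__ == "__main__":
    print(demo())
```

The monitor checks onA on both kinds of trigger the text mentions: the event of a new access (inside allowed) and a clock tick. Which trigger to use, and how often, is exactly what the ABC model leaves open.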
² It is important to note that the update operations may be nondeterministic. For example, payment for permitting access may be applicable from multiple accounts held by the subject. Which account is debited is not material in enforcement. The exact manner in which the nondeterminism is resolved is not specified as part of the model.