A capability-based formulation of discretionary access control can be similarly given. For role-based access control, user-role and permission-role assignments can be expressed as subject and object attributes respectively. With mutable attributes we have the following two models².
Definition 2. The $UCON_{preA_1}$ and $UCON_{preA_3}$ models are identical to $UCON_{preA_0}$ except they respectively add the following update processes:
- $UCON_{preA_1}$ adds $preUpdate(ATT(s))$, $preUpdate(ATT(o))$
- $UCON_{preA_3}$ adds $postUpdate(ATT(s))$, $postUpdate(ATT(o))$
Note that both subject and object attributes can be updated. A Digital Rights Management (DRM) example of preUpdate is payment-based access. The allowed predicate tests whether the subject s has sufficient credit(s) to access an object o with price(o). The preUpdate procedure then decrements credit(s) by the amount price(o). A DRM example of postUpdate arises when the price of access depends upon the usage time, i.e., we have metered access. The account balance of the subject needs to be incremented by the rate multiplied by time of use, after access is terminated.
$UCON_{onA}$ - Ongoing-authorizations Models
We begin by formalizing $UCON_{onA_0}$ where no update procedures are included.
Definition 3. The $UCON_{onA_0}$ model has the following components:
- $S$, $O$, $R$, $ATT(S)$, $ATT(O)$ and a usage decision function $onA$
- $allowed(s, o, r)$ true;
- $stopped(s, o, r) \Leftarrow \neg onA(ATT(s), ATT(o), r)$.
$UCON_{onA_0}$ introduces the $onA$ predicate instead of $preA$. In absence of pre-authorization, the requested access is always allowed. However, ongoing-authorization is active throughout the usage of the requested right, and the $onA$ predicate is repeatedly checked for sustaining access. Technically, these checks are performed periodically based on time or event. The ABC model does not specify exactly how this should be done. In case certain attributes are changed and requirements are no longer satisfied, the 'stopped' procedure is performed. We write 'stopped(s, o, r)' to indicate that right r of subject s to object o is revoked and the ongoing access terminated.
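The payment-based (preUpdate), metered (postUpdate) and ongoing-authorization cases described above can be put side by side in a small reference monitor. This is an added illustration, not code from the original text; the Entity class, the attribute names credit, price, rate, balance and subscribed, and the sample onA predicate are assumptions.

```python
# Added illustration; class, attribute and predicate names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    att: dict = field(default_factory=dict)  # mutable ATT(s) or ATT(o)

def pre_a1_request(s, o):
    """preA1: allowed tests credit(s) >= price(o), then preUpdate debits s."""
    if s.att["credit"] < o.att["price"]:     # allowed(s, o, r) fails
        return False
    s.att["credit"] -= o.att["price"]        # preUpdate(ATT(s))
    return True

def pre_a3_end(s, o, time_used):
    """preA3: postUpdate adds rate * time of use once access has ended."""
    s.att["balance"] += o.att["rate"] * time_used  # postUpdate(ATT(s))
    return s.att["balance"]

class OngoingSession:
    """onA0: no pre-check; onA is re-evaluated while the right is in use."""
    def __init__(self, s, o, r, on_a):
        self.s, self.o, self.r, self.on_a = s, o, r, on_a
        self.active = True                   # access is always allowed

    def check(self):
        """Call on a timer or on an attribute-change event."""
        if self.active and not self.on_a(self.s.att, self.o.att, self.r):
            self.active = False              # stopped(s, o, r): r is revoked
        return self.active

def demo():
    # Constructed sample subject and object.
    alice = Entity("alice", {"credit": 5, "balance": 0, "subscribed": True})
    song = Entity("song", {"price": 3, "rate": 2})
    paid = [pre_a1_request(alice, song), pre_a1_request(alice, song)]
    owed = pre_a3_end(alice, song, time_used=10)
    sess = OngoingSession(alice, song, "play", lambda a_s, a_o, r: a_s["subscribed"])
    states = [sess.check()]
    alice.att["subscribed"] = False          # attribute changes during usage
    states.append(sess.check())
    alice.att["subscribed"] = True           # a stopped session stays stopped
    states.append(sess.check())
    return paid, alice.att["credit"], owed, states

if __name__ == "__main__":
    print(demo())
```
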
For example, suppose only 10 users can access an object $o_1$ simultaneously. If an 11th user requests access, the user with the earliest time is terminated. In
² It is important to note that the update operations may be nondeterministic. For
example, payment for permitting access may be applicable from multiple accounts
held by the subject. Which account is debited is not material in enforcement. The
exact manner in which the nondeterminism is resolved is not specified as part of the
model.