The security administrator configures the following access control rules:
r0: server inherit marketer;
r1: permit marketer read user-information;
r2: permit marketer delete contact-information;
r3: deny server read privacy-information;
r4: user-information contain contact-information;
r5: user-information contain privacy-information.
Rule 1 and rule 3 are in semantic conflict: rule 1 permits marketer to read user-information, and because server inherits the authority of marketer (rule 0) and user-information contains privacy-information (rule 5), rule 1 effectively permits server to read privacy-information, while rule 3 forbids server to read privacy-information.
The security administrator expects to understand not only rule 1 and rule 3, which have opposite actions, but all rules involved in the “conflict” situation. Rule 0 and rule 5 in the example above are also causes of the “conflict”: without them the conflict cannot occur. We name such rules, which cause a conflict indirectly, “conflict-related rules”.
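As an added illustration that is not part of the original paper: the Python program below (our own code, not the authors' description-logic tool) encodes the six rules above, computes the inherit and contain closures while tracking which rules justify each derived fact, derives the effective permit/deny authorizations, and reports each conflict together with its conflict-related rules. The tuple encoding of the rules and the helper names are assumptions made for this example; the paper itself uses description logic reasoning rather than this hand-written closure.

```python
from itertools import product

# Constructed rule set, transcribed from the paper's example (ids r0..r5).
# Encoding (an assumption for this example):
#   ("inherit", child_subject, parent_subject)
#   ("contain", container_object, contained_object)
#   ("permit" | "deny", subject, action, object)
RULES = {
    "r0": ("inherit", "server", "marketer"),
    "r1": ("permit", "marketer", "read", "user-information"),
    "r2": ("permit", "marketer", "delete", "contact-information"),
    "r3": ("deny", "server", "read", "privacy-information"),
    "r4": ("contain", "user-information", "contact-information"),
    "r5": ("contain", "user-information", "privacy-information"),
}


def closure(kind):
    """Transitive closure of the 'inherit' or 'contain' relation.

    Maps (x, y) to a set of frozensets; each frozenset is the rule ids
    justifying one derivation of x -> y, so provenance is kept."""
    derived = {}
    for rid, rule in RULES.items():
        if rule[0] == kind:
            derived.setdefault((rule[1], rule[2]), set()).add(frozenset({rid}))
    changed = True
    while changed:
        changed = False
        for (a, b), sup_ab in list(derived.items()):
            for (b2, c), sup_bc in list(derived.items()):
                if b != b2 or a == c:
                    continue
                for s1, s2 in product(sup_ab, sup_bc):
                    if s1 | s2 not in derived.setdefault((a, c), set()):
                        derived[(a, c)].add(s1 | s2)
                        changed = True
    return derived


def reachable(closure_map, x, y):
    """Supports for x reaching y; the reflexive case needs no rule."""
    if x == y:
        return {frozenset()}
    return closure_map.get((x, y), set())


def derived_authorizations():
    """Effective (effect, subject, action, object) facts with their supports:
    a permit/deny on (S, A, O) applies to every subject inheriting from S
    and every object contained in O."""
    inherits, contains = closure("inherit"), closure("contain")
    subjects, objects = set(), set()
    for kind, *args in RULES.values():
        if kind == "inherit":
            subjects.update(args)
        elif kind == "contain":
            objects.update(args)
        else:
            subjects.add(args[0])
            objects.add(args[2])
    auths = {}
    for rid, (kind, *args) in RULES.items():
        if kind not in ("permit", "deny"):
            continue
        subj, action, obj = args
        for s in subjects:
            for sup_s in reachable(inherits, s, subj):
                for o in objects:
                    for sup_o in reachable(contains, obj, o):
                        key = (kind, s, action, o)
                        auths.setdefault(key, set()).add(
                            frozenset({rid}) | sup_s | sup_o)
    return auths


def detect_conflicts():
    """A conflict is a permit and a deny derived for the same (s, action, o).
    The opposing rules are the permit/deny pair; the conflict-related rules
    are every rule used in either derivation (r0 and r5 included)."""
    auths = derived_authorizations()
    conflicts = []
    for (effect, s, action, o), permit_sups in auths.items():
        if effect != "permit":
            continue
        deny_sups = auths.get(("deny", s, action, o))
        if not deny_sups:
            continue
        for sp, sd in product(permit_sups, deny_sups):
            related = sp | sd
            opposing = sorted(r for r in related
                              if RULES[r][0] in ("permit", "deny"))
            conflicts.append({
                "subject": s, "action": action, "object": o,
                "opposing_rules": tuple(opposing),
                "conflict_related_rules": tuple(sorted(related)),
            })
    return conflicts


if __name__ == "__main__":
    for c in detect_conflicts():
        print(c)
```

Running it reports one conflict, server/read/privacy-information, with opposing rules r1 and r3 and conflict-related rules r0, r1, r3 and r5, which is exactly the set the text argues an administrator needs to see: removing r0 or r5 alone would also resolve the conflict.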
The contributions of this paper are:
1) We abstract all the rules involved in a conflict situation, not only the two rules with contrary actions, into the concept of “conflict-related rules”, and we deduce the extension of this concept.
2) Based on description logic, we implement a conflict detection tool that detects the “conflict-related rules”.
This paper is organized as follows. Section 2 describes and discusses related work. Section 3, based on a semantic formal representation of access control policy, gives the necessary and sufficient condition for a “conflict” and deduces the extension of “conflict-related rules”, which makes the range of “conflict-related rules” explicit. Section 4 shows, with a figure and a table, the implementation of the conflict-related rules detection tool based on description logic. Experiments in Section 5 validate the correctness and effectiveness of the tool, and Section 6 presents the conclusion.
2 Related Work
There are several studies on conflict detection in access control policy at present. Lupu and Sloman proposed a conflict detection tool focusing on authorization policy and obligation policy [3]; they regarded a conflict as two rules with opposite actions. He Lili presented a conflict detection tool based on OWL and RBAC negative authorization [4], which likewise only concerns rules with opposite actions. Jianfeng Lu et al. studied two kinds of conflict in access control policy in the multi-domain environment [5]. Chang-Joo Moon researched conflict among permission assignment constraints (PAC) in RBAC [6]. Basit Shafiq studied conflict between the RBAC policies of each domain in a multi-domain environment for the collaborative work of multiple organizations [7]. Feng Huang et al. presented a description logic based conflict detection tool for access control policy: after managing the XACML access control policy, references [8,9] convert the detection of XACML policy conflict into a consistency check of a description logic knowledge base. Apurva Mohan et al. proposed a terminology based conflict detection method for authorization policy, which uses ontology reasoning to detect the conflict, and the detected “conflict” is defined by