A Conflict-Related Rules Detection Tool for Access Control Policy - Frontiers in Internet Technologies

Information Technology Reference

In-Depth Information

characters affected by policy. Semantics of object expression is resources protected by

policy. The formal representation of set is as follows:

{

}

(

)



SUBJECT

=

sub

|U

sub

;

 

(2)

{

}

(

)

OBJECT

=

source

|R

source

;

 

Where, SUBJECT is the set, representing the set of semantics for subject expres-

sion sub

(

)

−

state

;

U sub

is the predicate, representing sub is a user or character;

(

)

R source is the predicate, representing source is the resource protected by policy.

Definition 3

Semantics of Statements Comprised of “Subject Expression” and

“Subject Expression”: Rules of this type are inheritance relationship in essence, so

rule semantics are expressed by using the relationship between semantics of subject

expression. The representation is as follows:

(3)

ξ

∈

SUBJECT SUBJECT;

×

inherit

Where,

represents the semantics of rule on subject. The definition of

SUBJECT is as formula (2).

ξ

inherit

Definition 4

Semantics of Statements Comprised of “Object Expression” and

“Object Expression”: its semantics represents inclusion relation between objects

(namely, protected resources), which is expressed as:

(4)

ξ

contain ∈

OBJECT OBJECT;

×

Where, contai ξ represents the semantics of object relation rule. The definition of

OBJECT is as formula (2).

Definition 5 Semantics of Statements Comprised of “Object Expression”, “Ob-

ject Expression”, “Action Expression” and “Permission Expression”:

Semantics of subject expression is subject (a user or a character); Semantics of ob-

ject expression is object (protected resources); Semantics of action expression enable

actions that subject can do to object (namely, operations like read, write, etc.), and it has

different extensions according to different systems. Semantics of permission expres-

sion is “permit” and “deny”. Therefore, semantics of this kind of rule is the actions

taken by subject on object to “permit” or “deny” some kind of operation. So this kind of

operation can be expressed as the relationship. The direction of the relationship

represents “permit” or “deny”. The “permit” is expressed as a directed two-tuple of

“from subject to object” and the “deny” is expressed as a directed two-tuple of “from

object to subject”. Various “actions” are usually declared in access control. Each action

and its “permission” will be represented by a directed relationship. There are k kinds of

actions. Its formal representation is as follows:

(5)

ξ

⊆

SUBJECT OBJECT

×

∪

OBJECT SUBJECT;

×

k

=

1,2,......., ;

n n

∈

N

;

ACTION

k

Frontiers in Internet Technologies

Search WWH ::

Custom Search

Home