• The Proof of Necessary Condition
For any two rules $\xi_1 = (subj_1, obje_1, \ldots)$ and $\xi_2 = (obje_2, subj_2, \ldots)$, consider whether there is a conflict between $\xi_1$ and $\xi_2$.
Suppose there is no $x \in SUBJECT$ such that:
$(x, subj_1) \in \xi^{(m)}_{INHERIT} \wedge (x, subj_2) \in \xi^{(n)}_{INHERIT};\ m, n \ge 0;\ m, n \in N;$
Then there are no interacting subjects between $subj_1$ and $subj_2$, so the two rules are not conflicting.
Similarly, suppose there is no $y \in OBJECT$ such that:
$(obje_1, y) \in \xi^{(j)}_{CONTAIN} \wedge (obje_2, y) \in \xi^{(k)}_{CONTAIN};\ j, k \ge 0;\ j, k \in N;$
Then the two rules are not conflicting.
Therefore, if two rules conflict, the two conditions must be satisfied at the same time.
The necessary condition is proved.
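The necessary condition proved above can be used as a filter over a policy; the following is an added example, not code from the original text. It assumes a rule is a (subject, object, action) triple, that a pair (x, s) in INHERIT means x inherits from s, and that a pair (o, y) in CONTAIN means o contains y; all names and sample data are constructed.

```python
from itertools import combinations

# Constructed sample data; the names and the triple layout are assumptions.
# (x, s) in INHERIT: subject x inherits from subject s.
INHERIT = {("alice", "dev"), ("dev", "staff"), ("bob", "ops"), ("ops", "staff")}
# (o, y) in CONTAIN: object o contains object y.
CONTAIN = {("/srv", "/srv/app"), ("/srv/app", "/srv/app/conf"),
           ("/home", "/home/bob")}
POLICY = [
    ("staff", "/srv", "permit"),
    ("alice", "/srv/app/conf", "deny"),
    ("bob", "/home/bob", "deny"),
    ("ops", "/srv/app", "permit"),
]

def reachable(start, pairs):
    """Nodes reached from start over pairs (a, b) in zero or more steps."""
    seen, stack = {start}, [start]
    while stack:
        cur = stack.pop()
        for a, b in pairs:
            if a == cur and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen

def shared_subjects(s1, s2, inherit):
    """All x with (x, s1) in INHERIT^(m) and (x, s2) in INHERIT^(n), m, n >= 0."""
    inverse = {(b, a) for a, b in inherit}  # walk from a subject down to its heirs
    return reachable(s1, inverse) & reachable(s2, inverse)

def shared_objects(o1, o2, contain):
    """All y with (o1, y) in CONTAIN^(j) and (o2, y) in CONTAIN^(k), j, k >= 0."""
    return reachable(o1, contain) & reachable(o2, contain)

def may_conflict(r1, r2, inherit, contain):
    """True only if both parts of the necessary condition hold."""
    (s1, o1, a1), (s2, o2, a2) = r1, r2
    if a1 == a2:  # only rules with opposite actions are candidates
        return False
    return bool(shared_subjects(s1, s2, inherit)
                and shared_objects(o1, o2, contain))

def candidate_pairs(policy, inherit, contain):
    """Rule pairs that survive the necessary-condition filter."""
    return [(r1, r2) for r1, r2 in combinations(policy, 2)
            if may_conflict(r1, r2, inherit, contain)]
```

Because the condition is only necessary, a pair returned by `candidate_pairs` is a candidate for conflict, while a pair it rejects cannot conflict.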
Conflict-Related Rules.
Definition 8. Conflict-related rules are rules that cause conflict in an access control policy, written as $\Phi_{related}$. The conflict-related rules are a set of rules:
$CONFLICTRULES = \{ rule_1, rule_2, \ldots, rule_n \mid rule_i \in POLICY,\ 1 < i < n \}$ (7)
The rules in the conflict-related rules satisfy the following two conditions:
(1) There is a conflict in $CONFLICTRULES$;
(2) There would be no conflict if one rule from $CONFLICTRULES$ were erased.
From Theorem 1, we conclude that the rules that cause a conflict situation include three kinds of rules:
Definition 9. The two rules that have opposite actions, $\xi_1 = (subj_1, obje_1, \ldots)$ and $\xi_2 = (obje_2, subj_2, \ldots)$, are denoted as rules having opposite actions, written as $\Phi_{opposite}$.
Definition 10. The rules from which it can be deduced that the subjects of the rules having opposite actions, $\xi_1$ and $\xi_2$, have an inheritance relationship are denoted as subject overlap rules, written as $\Phi_{subjects}$.
Definition 11. The rules from which it can be deduced that the objects of the rules having opposite actions, $\xi_1$ and $\xi_2$, have a contain relationship are denoted as object overlap rules, written as $\Phi_{objects}$.