Geo-RBAC Model
The spatially aware role-based access control model consists of role schemas
and role instances, permissions, users, and sessions.
Role Schema and Role Instance: A role schema defines the role name for a
set of spatial roles, the spatial constraints where roles can be enabled, and
specifies logical locations and real position for the users who may assume
the role. A role instance is a role fulfilling the constraints defined in the
role schema. Thus the spatial role is the role name in the schema with a
specific spatial feature. The spatial role is represented with
(r, ext, loc, m), where r is a role name, ext is the feature type of the role
extent, loc is a feature of logical position, and m is the mapping function
relating real positions to logical positions.
An example of a role schema, (Surveyor, RoadNetwork, PointonRoad, m),
represents a surveyor in a position on a road network. Given a role schema,
a role instance is created when the role extent is assigned with a particular
feature. For instance, a role instance could be a surveyor on a road in
Newark.
Permissions: These are operations performed on spatial objects, such as
get traffic information over Urban-Road-Network features, notify over
accident features, or find operation over Monument features. Given a set
of operations and a set of objects, permissions are represented as a pair
(operation, object).
Geo-RBAC Access Control
Access control is specified as a set of assignment relations between
permissions and spatial roles, and between users and spatial roles:
User-to-Spatial Role Assignment: This mapping relationship assigns a set
of users to spatial role instances. The inverse relationship (i.e.
Spatial Role-to-User assignment) maps spatial role instances to sets of users.
Permission-to-Spatial Role Assignment: Mappings can be specified
between permissions and spatial role schemas, and between spatial role
instances and permissions.
Access Request Evaluation
An access request is represented as a tuple (s, rp, p, o), where the user of
session s located at a real position rp wants to perform operation p on
object o. When permission (p, o) belongs to the permission assignments of
the role enabled at the user's real position, the access request is granted.
This access control evaluation occurs in the following fashion: When a
user starts a new session, a number of roles should be enabled to be included
in the session role set. But in order to enable these session roles, the user's
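
The evaluation of a request (s, rp, p, o) described above, as an added Python example that is not code from the original text. The road coordinates, the 25 m snapping tolerance, the session and user names, the rule that a role is enabled when m maps the real position into the role extent, and the inheritance of schema-level permissions by role instances are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import hypot
from typing import Callable

# Constructed sample feature: one road as a straight segment, coordinates in metres.
ROADS = {"Newark/Road-1": ((0.0, 0.0), (1000.0, 0.0))}

def snap_to_road(rp, road, tolerance=25.0):
    """Mapping function m: real position -> logical position on the road, or None."""
    (x1, y1), (x2, y2) = ROADS[road]
    dx, dy = x2 - x1, y2 - y1
    t = ((rp[0] - x1) * dx + (rp[1] - y1) * dy) / (dx * dx + dy * dy)
    t = max(0.0, min(1.0, t))  # clamp the projection to the segment
    px, py = x1 + t * dx, y1 + t * dy
    return (px, py) if hypot(rp[0] - px, rp[1] - py) <= tolerance else None

@dataclass(frozen=True)
class RoleSchema:  # the tuple (r, ext, loc, m)
    r: str
    ext: str
    loc: str
    m: Callable

@dataclass(frozen=True)
class RoleInstance:  # a schema whose extent is bound to one particular feature
    schema: RoleSchema
    extent: str

SURVEYOR = RoleSchema("Surveyor", "RoadNetwork", "PointonRoad", snap_to_road)
SURVEYOR_NEWARK = RoleInstance(SURVEYOR, "Newark/Road-1")

SESSIONS = {"s1": "alice"}                 # session -> user (constructed)
USER_ROLES = {"alice": {SURVEYOR_NEWARK}}  # user-to-spatial-role assignment
# Assumption: permissions assigned to a schema are inherited by its instances.
SCHEMA_PERMS = {SURVEYOR: {("get_traffic_information", "Urban-Road-Network")}}
INSTANCE_PERMS = {SURVEYOR_NEWARK: {("notify", "Accident")}}

def enabled_roles(s, rp):
    """Assumed rule: a role is enabled when m maps rp into the role extent."""
    roles = USER_ROLES.get(SESSIONS.get(s), set())
    return {ri for ri in roles if ri.schema.m(rp, ri.extent) is not None}

def evaluate(s, rp, p, o):
    """Grant (s, rp, p, o) only if (p, o) is assigned to a role enabled at rp."""
    for ri in enabled_roles(s, rp):
        perms = SCHEMA_PERMS.get(ri.schema, set()) | INSTANCE_PERMS.get(ri, set())
        if (p, o) in perms:
            return True
    return False  # unknown session, out-of-extent position, or unassigned permission
```

Because rp is an input to the decision, the result is only as trustworthy as the source that reports the user's position.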