LBAC Policy Evaluation and Enforcement
A user's access request is represented as ⟨user id, SIM, action, object id⟩, where user id is the optional identifier of the user who makes the request, SIM is the user's optional SIM card number, action is the action being requested, and object id is the identifier of the object.
In the first phase, the Access Control Engine evaluates the policy P by collecting all the rules in P that are applicable to the request. The set A of applicable rules contains those rules r in P for which action(r) corresponds to the action specified in the access request, and object id satisfies the conditions specified in obj-expr(r).
In order to evaluate the location-based predicates that appear in the rules, the access control engine submits a query to the Location Service provider. The Location Service returns its result in the form ⟨Boolean value, confidence, timeout⟩. Given the response, the access control engine determines whether or not the value returned by the Location Service can be considered valid for the purpose of controlling access. This evaluation depends on the timeout and confidence parameters returned by the Location Service. For a response whose timeout has expired, the engine automatically triggers re-evaluation of the predicate regardless of the other parameter values. For an unexpired response, the engine evaluates the response with respect to its confidence value. To do so it maintains an extended truth table that records, for each predicate, the acceptable confidence level as a minimum and a maximum threshold. If the confidence level in the response is greater than the maximum threshold in the truth table, the returned value is confirmed. If the confidence level is less than the minimum threshold, the returned value is evaluated to false. If the returned confidence level falls between the minimum and maximum thresholds, the engine submits a re-evaluation query to the Location Service, since it is not clear whether the returned result is reliable enough. The truth table entry for each predicate also records the maximum number of retries for the evaluation. Complex predicate expressions are evaluated by combining the results of the individual predicate evaluations with logical operators.
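As an added example (not code from the chapter or from any LBAC implementation it describes), the two-phase evaluation described above modelled in Python: phase one selects the rules whose action matches and whose obj-expr accepts the object id, phase two validates each location predicate against the response timeout, the per-predicate confidence thresholds of the extended truth table and the retry limit, and the rule's predicate expression combines the results logically. All class and function names (AccessRequest, LocationResponse, Threshold, Rule, ScriptedLocationService, LBACEngine, demo), the threshold values and the scripted Location Service responses are constructed for this example. The page does not say what the engine does once the retry limit is exhausted without a usable answer; the example fails closed (denies) in that case, which is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Added example, not the chapter's code; AccessRequest, LocationResponse, Threshold,
# Rule, ScriptedLocationService, LBACEngine and demo are names assumed here.

@dataclass(frozen=True)
class AccessRequest:            # <user id, SIM, action, object id>
    user_id: Optional[str]      # optional
    sim: Optional[str]          # optional SIM card number
    action: str
    object_id: str

@dataclass(frozen=True)
class LocationResponse:         # <Boolean value, confidence, timeout>
    value: bool
    confidence: float           # 0.0 .. 1.0
    timeout: float              # absolute time after which the response has expired

@dataclass(frozen=True)
class Threshold:                # extended truth-table entry for one predicate
    min_conf: float
    max_conf: float
    max_retries: int

@dataclass(frozen=True)
class Rule:
    action: str
    obj_expr: Callable[[str], bool]              # obj-expr(r), applied to object id
    predicates: List[str]                        # location predicates the rule uses
    loc_expr: Callable[[Dict[str, bool]], bool]  # logical combination of their results

class ScriptedLocationService:
    """Constructed stand-in for a Location Service: replays canned responses per
    predicate (the last one repeats) and counts the queries it receives."""
    def __init__(self, script: Dict[str, List[LocationResponse]]):
        self.script = {name: list(resps) for name, resps in script.items()}
        self.queries = 0

    def query(self, predicate: str, req: AccessRequest) -> LocationResponse:
        self.queries += 1
        resps = self.script[predicate]
        return resps.pop(0) if len(resps) > 1 else resps[0]

class LBACEngine:
    def __init__(self, policy: List[Rule], truth_table: Dict[str, Threshold],
                 location_service: ScriptedLocationService, clock: Callable[[], float]):
        self.policy, self.truth_table = policy, truth_table
        self.ls, self.clock = location_service, clock

    def applicable_rules(self, req: AccessRequest) -> List[Rule]:
        """Phase 1: rules whose action matches and whose obj-expr accepts the object."""
        return [r for r in self.policy
                if r.action == req.action and r.obj_expr(req.object_id)]

    def evaluate_predicate(self, name: str, req: AccessRequest) -> bool:
        """Phase 2: validate one Location Service answer by timeout and confidence."""
        th = self.truth_table[name]
        for _ in range(1 + th.max_retries):     # initial query plus max_retries retries
            resp = self.ls.query(name, req)
            if self.clock() >= resp.timeout:
                continue                        # expired: re-evaluate regardless of confidence
            if resp.confidence > th.max_conf:
                return resp.value               # confirmed: take the returned value as is
            if resp.confidence < th.min_conf:
                return False                    # too unreliable: evaluates to false
            # between the thresholds: not clearly reliable, ask again
        # Retries exhausted without a usable answer; the page does not say what
        # happens here, so this example fails closed (assumption).
        return False

    def decide(self, req: AccessRequest) -> bool:
        """Grant if any applicable rule's location expression evaluates to true."""
        for rule in self.applicable_rules(req):
            results = {p: self.evaluate_predicate(p, req) for p in rule.predicates}
            if rule.loc_expr(results):
                return True
        return False

def demo(script: Dict[str, List[LocationResponse]], action: str = "read",
         now: float = 100.0):
    """One request against a one-rule policy backed by the scripted Location
    Service; returns (decision, number of location queries sent)."""
    policy = [Rule(action="read", obj_expr=lambda oid: oid.startswith("map:"),
                   predicates=["inArea", "notMoving"],
                   loc_expr=lambda r: r["inArea"] and r["notMoving"])]
    truth_table = {"inArea": Threshold(0.3, 0.8, 2), "notMoving": Threshold(0.2, 0.6, 1)}
    ls = ScriptedLocationService(script)
    engine = LBACEngine(policy, truth_table, ls, clock=lambda: now)
    req = AccessRequest(user_id="alice", sim=None, action=action, object_id="map:rome")
    return engine.decide(req), ls.queries
```

Calling demo with the constructed responses inArea = [(True, 0.5, 200.0), (True, 0.9, 200.0)] and notMoving = [(True, 0.7, 200.0)] returns (True, 3): the first inArea answer falls between the 0.3 and 0.8 thresholds and is re-queried, the second is confident enough to be confirmed, and notMoving is confirmed on its first answer. Two points worth noticing: a response whose timeout has already passed is discarded even at confidence 0.95, and the thresholds only decide whether the returned value is trusted, not what it is, so a confident false answer denies just as a confident true answer grants.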
3.4 Geospatial Web Services Access Control
Geospatial data created by different organizations and individuals and made available raises challenges related to sharing and interoperating geospatial resources. Towards this end, efforts on the standardization of metadata [13] have been made, and more recently, Web services technology facilitates easy access to distributed geospatial data over the Internet. Web service standards developed by the OGC (Open Geospatial Consortium) [22] allow geospatial data interoperability and access via discovery, composition and invocation of Geospatial Web Services. The OGC provides standards for the Web Feature Service (WFS), Web Map Service (WMS) and Web Coverage Service