A different approach is presented in [36], where the authors propose an algebra for composing security policies, together with its formal semantics. Here, a policy, denoted P_i, is defined as a set of triples of the form (s, o, a), where s is a constant in (or a variable over) the set of subjects S, o is a constant in (or a variable over) the set of objects O, and a is a constant in (or a variable over) the set of actions A. Policies of this form are composed through a set of algebra operators whose syntax is given by the following BNF:
E ::= id | E + E | E & E | E - E | E ^ C | o(E, E, E) | E * R | T(E) | (E)
T ::= τ id . E
where id is a unique policy identifier, E is a policy expression, T is a construct called template, C is a construct describing constraints, and R is a construct describing rules. The order of evaluation of the algebra operators is determined by their precedence, which is (from higher to lower) τ, ., + and & and -, * and ^.
The semantics of the algebra operators is defined by a function that maps policy expressions into sets of ground authorizations (i.e., sets of authorization triples). The function that maps policy identifiers into sets of triples is called environment, and is formally defined as follows.
Definition 1. An environment e is a partial mapping from policy identifiers to sets of authorization triples. By e[X/S] we denote the modification of environment e such that
$$e[X/S](Y) = \begin{cases} S & \text{if } Y = X \\ e(Y) & \text{otherwise} \end{cases}$$
The semantics of an identifier X in the environment e is denoted by $[\![X]\!]_e = e(X)$.
The operators defined by the algebra for policy composition essentially reflect the features supported by classical policy definition systems. For example, it is possible to manage exceptions (such as negative authorizations), propagation of authorizations, and so on. The set of operators, together with their semantics, is briefly described in the following.
Addition (+). It merges two policies by returning their union:
$$[\![P_1 + P_2]\!]_e = [\![P_1]\!]_e \cup [\![P_2]\!]_e$$
Intuitively, addition can be applied in any situation where accesses can be authorized if allowed by any of the component policies (maximum privilege principle).
Conjunction (&). It merges two policies by returning their intersection:
$$[\![P_1 \,\&\, P_2]\!]_e = [\![P_1]\!]_e \cap [\![P_2]\!]_e$$
This operator enforces the minimum privilege principle.
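The following Python program is an added worked example, not code from [36] or from this text. It represents policies as sets of (s, o, a) triples, an environment as a partial mapping from identifiers to such sets, and evaluates the two operators whose semantics are given above (addition as union, conjunction as intersection), together with the environment modification e[X/S] of Definition 1. Two things are assumptions of the example rather than statements of the page: the finite domains S, O, A and the two sample policies P1 and P2 are constructed data, and a variable in a triple is grounded by expanding it over every constant of its domain (the page says only that expressions map to ground triples, not how grounding is done).

```python
from dataclasses import dataclass
from itertools import product
from typing import Any, FrozenSet, Tuple

Triple = Tuple[str, str, str]

# Finite domains S, O and A (constructed sample data, an assumption of this example).
SUBJECTS = frozenset({"alice", "bob", "carol"})
OBJECTS = frozenset({"payroll.db", "hr.db"})
ACTIONS = frozenset({"read", "write"})


@dataclass(frozen=True)
class Var:
    """A variable ranging over one of the domains S, O or A."""
    name: str


def ground(triples, S=SUBJECTS, O=OBJECTS, A=ACTIONS) -> FrozenSet[Triple]:
    """Expand triples that contain variables into ground authorization triples.

    Assumption (not stated on the page): a variable in a component stands for
    every constant of that component's domain.
    """
    out = set()
    for s, o, a in triples:
        ss = S if isinstance(s, Var) else {s}
        oo = O if isinstance(o, Var) else {o}
        aa = A if isinstance(a, Var) else {a}
        out.update(product(ss, oo, aa))
    return frozenset(out)


# Policy expressions: an identifier is a plain string; + and & are AST nodes.
@dataclass(frozen=True)
class Add:
    left: Any
    right: Any


@dataclass(frozen=True)
class And:
    left: Any
    right: Any


def modify(env: dict, X: str, S: FrozenSet[Triple]) -> dict:
    """e[X/S]: a copy of env in which X maps to S and every other identifier is unchanged."""
    new_env = dict(env)
    new_env[X] = S
    return new_env


def evaluate(expr, env: dict) -> FrozenSet[Triple]:
    """[[expr]]_e: map a policy expression to a set of ground triples."""
    if isinstance(expr, str):            # [[X]]_e = e(X); e is partial, so X may be unbound
        if expr not in env:
            raise KeyError(f"policy identifier {expr!r} is not bound in the environment")
        return env[expr]
    if isinstance(expr, Add):            # union: maximum privilege principle
        return evaluate(expr.left, env) | evaluate(expr.right, env)
    if isinstance(expr, And):            # intersection: minimum privilege principle
        return evaluate(expr.left, env) & evaluate(expr.right, env)
    raise TypeError(f"unsupported expression node: {expr!r}")


# Constructed sample environment: a departmental policy P1 and a corporate policy P2.
ENV = {
    "P1": ground({("alice", "payroll.db", "read"),
                  ("bob", Var("o"), "read")}),          # bob may read any object
    "P2": ground({(Var("s"), "payroll.db", "read"),     # anyone may read payroll.db
                  ("alice", "hr.db", "write")}),
}


def allowed(expr, s: str, o: str, a: str, env: dict = ENV) -> bool:
    """Access check: is (s, o, a) a ground authorization of the composed policy?"""
    return (s, o, a) in evaluate(expr, env)


if __name__ == "__main__":
    for label, expr in (("P1 + P2", Add("P1", "P2")), ("P1 & P2", And("P1", "P2"))):
        print(label, sorted(evaluate(expr, ENV)))
    print("bob read hr.db under +:", allowed(Add("P1", "P2"), "bob", "hr.db", "read"))
    print("bob read hr.db under &:", allowed(And("P1", "P2"), "bob", "hr.db", "read"))
```

Running it shows the practical difference between the two composition operators: bob's read of hr.db is granted by P1 alone, so it survives addition (any component policy suffices) but is dropped by conjunction (every component policy must grant it). Replacing P2 by the empty set through modify(ENV, "P2", frozenset()) leaves P1 untouched and reduces P1 & P2 to nothing, which is exactly what Definition 1 prescribes for e[X/S].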