Databases Reference
In-Depth Information
3 Authorization Model in a Mobile Environment
Specification of a security or privacy policy can be expressed as an autho-
rization,
α
=
[3][4][5].
se
, the subject expression specifies a set of
auth-subjects such that they are associated with (1) a set of spatiotemporal
and/or other traditional attributes, (2) a set of auth-subject identifiers, or (3)
a combination of both.
se
, the object expression is used to specify a set of
auth-objects such that they (1) are associated with a set of spatiotemporal
and/or other types of attributes, (2) a set of auth-object identifiers, or (3) a
combination of both.
p
, the privilege specifies the set of allowed actions by
the auth-subjects specified by
se
on the auth-objects specified by
ge
. The sup-
ported privileges are not only traditional
read
,
write
,and
execute
privileges,
but also include
view
that allows an auth-subject to access a mobile resource(s)
within a spatiotemporal region,
locate
that allows auth-subjects to read the
location information of mobile resources in the authorized spatiotemporal re-
gion,
track
that allows auth-subjects to read the trajectory information of
mobile resources in the authorized spatiotemporal region, and
Compose
that
allows auth-subjects to write information on the auth-objects. Finally,
τ
,the
temporal expression is used to denote the basic temporal element in an ex-
pression. For example,
τ
can be a time point (e.g., Apr9:2007:17:12:39), a
time interval (e.g., [Apr9:2007:17:12:39, Apr9:2007:19:12:39]), or a set of time
intervals.
In a mobile environment, an authorization would be associated with spa-
tiotemporal extents. In other words, for a given authorization
α
,
α.se
or
α.ge
would involve the spatiotemporal specifications for specifying auth-subjects or
auth-objects respectively. There exist three different request scenarios based
on the mobility of requesters and resources, and the corresponding authoriza-
tions in order to protect the resources.
•
se, ge, p, τ
Mobile Requesters upon Static Resources (MSR):
(e.g, an employee (mobile
requester) tries to use the printer in the oce (static resource).) In this
scenario, the access control decision for the requester is dependent on the
current location of the requester. To protect static resources from mobile
requesters, a
Moving Auth-Subject upon Static Auth-Object Authorization
(
α
MS
) can be specified. Here,
α.se
is associated with the spatiotemporal
extent. Examples of such security policies are as follows.
Policy 1: Any employee can send a print job if she is currently located at
the oce during the oce hours.
Policy 2: A human resource employee is allowed to access performance
records of employees only during oce hours and while he is physically in
his oce.
•
Static Requesters upon Mobile Resources (SMR):
(e.g., a merchant (static
requester) tries to send promotion deals to near-by mobile customers (mo-
bile resources).) In this scenario, the location of mobile resources such as
mobile customers plays an important role for evaluating the access con-
trol decision for the static requesters. Generally, mobile users have their
