Abstract
Access control models, including the ones supported by commercial DBMSs, do not yet fully meet many application needs. One important requirement derives from the temporal dimension that permissions have in many real-world situations: permissions are often limited in time or may hold only during specific periods. In this article, we present an access control model in which periodic temporal intervals are associated with authorizations. An authorization is automatically granted in the specified intervals and revoked when those intervals expire. Deductive temporal rules with periodicity and order constraints are provided to derive new authorizations from the presence or absence of other authorizations in specific periods of time. We provide a solution to the problem of ensuring the uniqueness of the global set of valid authorizations derivable at each instant, and we propose an algorithm to compute this set. Moreover, we address the efficiency of access control by adopting a materialization approach. The resulting model provides a high degree of flexibility and supports the specification of several protection requirements that cannot be expressed in traditional access control models.
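As an added illustration (not code from the article), the following Python sketch models two ideas from the abstract: authorizations bounded by a time interval and a periodic expression, which take effect and lapse automatically, and deductive rules that derive further authorizations from the presence or absence of others at a given instant. The policy, the `weekdays` helper and the restriction that absence conditions may only name explicit authorizations (a simple stratification that makes the derived set unique) are assumptions made for this example, not the article's formalism.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, FrozenSet, List, Set, Tuple

Auth = Tuple[str, str, str]          # (subject, object, privilege)
Period = Callable[[datetime], bool]  # periodic expression: does it select instant t?
def weekdays(start_hour: int, end_hour: int) -> Period:
    """Periodic expression 'Mon-Fri, start_hour to end_hour' (constructed helper)."""
    return lambda t: t.weekday() < 5 and start_hour <= t.hour < end_hour
@dataclass(frozen=True)
class PeriodicAuth:
    auth: Auth
    begin: datetime   # granted automatically from this instant ...
    end: datetime     # ... revoked automatically at this one ...
    period: Period    # ... and valid only in the instants the periodic expression selects
    def holds_at(self, t: datetime) -> bool:
        return self.begin <= t < self.end and self.period(t)
@dataclass(frozen=True)
class Rule:
    """Derive `head` at t whenever every `present` auth holds at t and no `absent` one does."""
    head: Auth
    present: FrozenSet[Auth] = frozenset()
    absent: FrozenSet[Auth] = frozenset()

def valid_authorizations(base: List[PeriodicAuth], rules: List[Rule], t: datetime) -> Set[Auth]:
    """Return the unique set of authorizations (explicit plus derived) valid at instant t.
    Assumed restriction: `absent` conditions name only explicit authorizations, so negation
    never depends on derived facts and the closure below has a single least fixpoint."""
    explicit = {a.auth for a in base if a.holds_at(t)}
    heads = {r.head for r in rules}
    if any(r.absent & heads for r in rules):
        raise ValueError("absence conditions must refer to explicit authorizations only")
    valid = set(explicit)
    changed = True
    while changed:  # monotone: each pass only adds rule heads, so it terminates
        changed = False
        for r in rules:
            if r.head not in valid and r.present <= valid and not (r.absent & explicit):
                valid.add(r.head)
                changed = True
    return valid

# Constructed sample policy: alice reads payroll on weekdays 9-17 throughout 2024, bob's read is derived from alice's, and an auditor may read only when alice cannot.
BASE = [PeriodicAuth(("alice", "payroll", "read"), datetime(2024, 1, 1), datetime(2025, 1, 1), weekdays(9, 17))]
RULES = [Rule(("bob", "payroll", "read"), present=frozenset({("alice", "payroll", "read")})),
         Rule(("auditor", "payroll", "read"), absent=frozenset({("alice", "payroll", "read")}))]

def valid_at(year: int, month: int, day: int, hour: int) -> Set[Auth]:
    return valid_authorizations(BASE, RULES, datetime(year, month, day, hour))
```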
Index Terms
- An access control model supporting periodicity constraints and temporal reasoning