Flexible access control policy specification with constraint logic programming

Published: 01 November 2003

Abstract

We show how a range of role-based access control (RBAC) models may be usefully represented as constraint logic programs, executable logical specifications. The RBAC models that we define extend the "standard" RBAC models that are described by Sandhu et al., and enable security administrators to define a range of access policies that may include features, like denials of access and temporal authorizations, that are often useful in practice, but which are not widely supported in existing access control models. Representing access policies as constraint logic programs makes it possible to support certain policy options, constraint checks, and administrator queries that cannot be represented by using related methods (like logic programs). Representing an access control policy as a constraint logic program also enables access requests and constraint checks to be efficiently evaluated.
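As an added illustration of the idea the abstract describes, the following is a small RBAC policy written as a constraint logic program. It is not the paper's own formalization: the predicate names (`ura/2`, `senior/2`, `rpa/5`, `deny/3`, `permitted/4`), the sample users and roles, the hour-of-day time model and the use of SWI-Prolog's `library(clpfd)` are all assumptions chosen for the example. It shows the three features the abstract singles out: a role hierarchy, a denial that overrides a grant, and a temporal authorization expressed as a constraint on the request time, which in turn lets an administrator ask "at which times may this user do this?" rather than only "is this request allowed now?".

```prolog
% Added example (not from the paper): an RBAC policy as a constraint logic
% program in SWI-Prolog. All names below are assumptions for illustration.
:- use_module(library(clpfd)).

% User-role assignment: ura(User, Role).
ura(alice, manager).
ura(bob,   clerk).
ura(carol, clerk).

% Role hierarchy: senior(Senior, Junior) means Senior inherits Junior's
% permissions. The hierarchy is assumed acyclic; dominates/2 would not
% terminate on a cycle (use tabling if cycles must be tolerated).
senior(manager, clerk).

% Role-permission assignment with a validity window expressed as hours of
% the day: rpa(Role, Action, Object, From, To) grants the permission for
% request times T with From =< T < To.
rpa(clerk,   read,  ledger, 9, 17).
rpa(manager, write, ledger, 0, 24).

% Explicit denials, which override any grant: deny(User, Action, Object).
deny(carol, read, ledger).

% Transitive role dominance: a role dominates itself and every role
% reachable below it in the hierarchy.
dominates(R, R).
dominates(R, J) :- senior(R, S), dominates(S, J).

% Roles effectively held by a user: assigned roles plus everything they dominate.
holds(U, R) :- ura(U, R0), dominates(R0, R).

% Temporal condition as a finite-domain constraint rather than an arithmetic
% test, so T may be left unbound and solved for.
within(T, From, To) :- T #>= From, T #< To.

% Authorization: some effectively held role grants (A, O) at time T and no
% denial applies. Negation as failure is safe here because holds/2 and
% rpa/5 bind U, A and O before deny/3 is reached.
permitted(U, A, O, T) :-
    holds(U, R),
    rpa(R, A, O, From, To),
    within(T, From, To),
    \+ deny(U, A, O).

% Administrator query: enumerate the hours at which U may perform A on O.
allowed_hours(U, A, O, Hours) :-
    findall(T, ( T in 0..23, permitted(U, A, O, T), label([T]) ), Hours).
```

Sample queries on this policy: `permitted(alice, read, ledger, 10).` succeeds because `manager` dominates `clerk`; `permitted(bob, read, ledger, 18).` fails because the request time falls outside the clerk window; `permitted(carol, read, ledger, 10).` fails because the denial overrides her clerk grant; and `allowed_hours(bob, read, ledger, H).` binds `H` to `[9,10,11,12,13,14,15,16]`. The last query is the kind of constraint-based administrator question the abstract contrasts with plain logic programs: the time argument is posted as a constraint and solved for, instead of being tested against a value supplied in the request.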

References

[1] Ahn, G. and Sandhu, R. 2000. Role-based authorization constraints specification. ACM Trans. on Information and System Security 3, 4, 206--227.
[2] Atluri, V. and Huang, W. 1996. An authorization model for workflows. In ESORICS'96. LNCS, vol. 1146. Springer, Berlin, 44--64.
[3] Barker, S. 2000a. Data protection by logic programming. In Proceedings of 1st International Conference on Computational Logic. LNAI, vol. 1861. Springer, Berlin, 1300--1314.
[4] Barker, S. 2000b. Protecting deductive databases from unauthorized retrievals. In DBSec 2000. Kluwer, Dordrecht, The Netherlands, 301--311.
[5] Barker, S. 2001. TRBACN: A temporal authorization model. In Information Assurance in Computer Networks. Methods, Models and Architectures for Network Security. H. Gorodetski, V. Skormin, and L. Popyack, Eds. LNCS, vol. 2052. Springer, Berlin, 178--188.
[6] Barker, S. and Rosenthal, A. 2001. Flexible security policies in SQL. In DBSec 2001. Kluwer, Dordrecht, The Netherlands, 167--180.
[7] Bertino, E., Bettini, C., Ferrari, E., and Samarati, P. 1998. An access control model supporting periodicity constraints and temporal reasoning. ACM TODS 23, 3, 231--285.
[8] Bertino, E., Bonatti, P., and Ferrari, E. 2000. TRBAC: A temporal role-based access control model. In Proceedings of 5th ACM Workshop on Role-Based Access Control, 21--30.
[9] Bertino, E., Catania, B., Ferrari, E., and Perlasca, P. 2002. A system to specify and manage multipolicy access control models. In Proceedings of POLICY 2002. IEEE Computer Society Press, Los Alamitos, CA, 116--127.
[10] Castano, S., Fugini, M., Martella, G., and Samarati, P. 1995. Database Security. Addison-Wesley, Reading, MA.
[11] Cavedon, L. and Lloyd, J. 1989. A completeness theorem for SLDNF resolution. JLP 7, 3, 177--192.
[12] Date, C. 2000. An Introduction to Database Systems. Addison-Wesley, Reading, MA.
[13] Ferraiolo, D., Cugini, J., and Kuhn, R. 1995. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Computer Security Applications Conference, 241--248.
[14] Gelfond, M. and Lifschitz, V. 1988. The stable model semantics for logic programming. In Proceedings of 5th International Conference and Symposium on Logic Programming. R. Kowalski and K. Bowen, Eds. MIT Press, Cambridge, MA, 1070--1080.
[15] Genaim, S. and Codish, M. 2001. Inferring termination conditions for logic programs using backwards analysis. In Proceedings of 8th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning. R. Nieuwenhuis and A. Voronkov, Eds. Lecture Notes in Computer Science, vol. 2250. Springer, Berlin, 685--694.
[16] Greco, S., Leone, N., and Rullo, P. 1992. Complex: An object-oriented logic programming system. IEEE TKDE 4, 4, 72--87.
[17] Jaffar, J., Michaylov, S., Stuckey, P., and Yap, R. 1992. The CLP(R) language and system. ACM Trans. Program. Lang. Syst. 14, 3, 339--395.
[18] Jajodia, S., Samarati, P., Sapino, M., and Subrahmanian, V. 2001. Flexible support for multiple access control policies. ACM TODS 26, 2, 214--260.
[19] Kelly, A., Macdonald, A., Marriott, K., and Stuckey, P. 1998. Optimizing compilation for CLP(R). ACM Trans. Program. Lang. Syst. 20, 6, 1223--1250.
[20] Kowalski, R. 1979. Logic for Problem Solving. Elsevier-North Holland, Amsterdam.
[21] Lloyd, J. 1987. Foundations of Logic Programming. Springer, Berlin.
[22] Marriott, K., Sondergaard, H., and Dart, P. 1990. A characterization of non-floundering logic programs. In Proceedings of the 1990 North American Conference on Logic Programming. MIT Press, Cambridge, MA.
[23] Marriott, K. and Stuckey, P. 1998. Programming with Constraints: An Introduction. MIT Press, Cambridge, MA.
[24] Przymusinski, T. 1988. On the declarative semantics of deductive databases and logic programming. In Foundations of Deductive Databases and Logic Programming. J. Minker, Ed. Morgan-Kaufmann, San Mateo, CA, 193--216.
[25] Reiter, R. 1980. A logic for default reasoning. Artificial Intelligence 13, 81--132.
[26] Sandhu, R., Bhamidipati, V., Coyne, E., Ganta, S., and Youman, C. 1997. The ARBAC97 model for role-based administration of roles: Preliminary description and outline. In Proceedings 2nd ACM Workshop on Role-Based Access Control, 41--49.
[27] Sandhu, R., Coyne, E., Feinstein, H., and Youman, C. 1996. Role-based access control models. IEEE Computer 29, 2, 38--47.
[28] Sandhu, R., Ferraiolo, D., and Kuhn, R. 2000. The NIST model for role-based access control: Towards a unified standard. In Proceedings of 4th ACM Workshop on Role-Based Access Control, 47--61.
[29] SICStus 1999. SICStus Prolog home page. http://www.sics.se/sicstus/.
[30] Speirs, C., Somogyi, Z., and Søndergaard, H. 1997. Termination analysis for Mercury. In Proceedings of 4th International Symposium on Static Analysis. P. V. Hentenryck, Ed. Lecture Notes in Computer Science, vol. 1302. Springer, Berlin, 160--171.
[31] Sterling, L. and Shapiro, E. 1994. The Art of PROLOG. MIT Press, Cambridge, MA.
[32] Stuckey, P. 1995. Negation and constraint logic programming. Information and Computation 118, 1, 12--33.
[33] Woo, T. and Lam, S. 1993. Authorizations in distributed systems: A new approach. Journal of Computer Security 2, 2/3, 107--136.


Published In

ACM Transactions on Information and System Security, Volume 6, Issue 4
November 2003
146 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/950191

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Role-based access control
  2. constraint logic programming


Cited By

  • (2019) CMCAP. Proceedings of the 24th ACM Symposium on Access Control Models and Technologies, 207--212. DOI 10.1145/3322431.3325414. Online publication date: 28 May 2019.
  • (2019) Finding an Optimum Set of Roles in a CPAC Model. 2019 International Conference on Networking and Network Applications (NaNA), 27--33. DOI 10.1109/NaNA.2019.00014. Online publication date: Oct 2019.
  • (2019) Semantic Rule Based RBAC Extension Model for Flexible Resource Allocation. 2019 12th International Symposium on Computational Intelligence and Design (ISCID), 221--224. DOI 10.1109/ISCID.2019.10134. Online publication date: Dec 2019.
  • (2017) The specification and design of secure context-aware workflows. Expert Systems with Applications 86, 367--384. DOI 10.1016/j.eswa.2017.05.078. Online publication date: Nov 2017.
  • (2016) A Framework for Secure Data Collection and Management for Internet of Things. Proceedings of the 2nd Annual Industrial Control System Security Workshop, 30--37. DOI 10.1145/3018981.3018982. Online publication date: 6 Dec 2016.
  • (2014) A metamodel of access control for distributed environments. Information and Computation 238:C, 187--207. DOI 10.1016/j.ic.2014.07.009. Online publication date: 1 Nov 2014.
  • (2013) Automated analysis of rule-based access control policies. Proceedings of the 7th Workshop on Programming Languages Meets Program Verification, 47--56. DOI 10.1145/2428116.2428125. Online publication date: 22 Jan 2013.
  • (2013) Representation and Reasoning on RBAC: A Nonmonotonic Approach. Knowledge Science, Engineering and Management, 230--240. DOI 10.1007/978-3-642-39787-5_19. Online publication date: 2013.
  • (2013) XACML 3.0 in Answer Set Programming. Logic-Based Program Synthesis and Transformation, 89--105. DOI 10.1007/978-3-642-38197-3_7. Online publication date: 2013.
  • (2012) Logical approaches to authorization policies. Logic Programs, Norms and Action, 349--373. DOI 10.5555/2340883.2340908. Online publication date: 1 Jan 2012.
