Temporal authorization bases: From specification to integration.

Saved in:
Bibliographic Details
Title: Temporal authorization bases: From specification to integration.
Authors: Bertino, Elisa, Bonatti, Piero Andrea, Ferrari, Elena, Sapino, Maria Luisa
Source: Journal of Computer Security. 2000, Vol. 8 Issue 4, p309. 45p. 1 Black and White Photograph, 8 Diagrams.
Subjects: Distributed operating systems (Computers), Database security, Algorithms
Abstract: In this paper we present a powerful authorization mechanism which provides support for: (1) periodic authorizations (both positive and negative), that is, authorizations that hold only in specific periods of time; (2) user-defined deductive temporal rules, by which new authorizations can be derived from those explicitly specified; (3) a hierarchical organization of subjects and objects, supporting a more adequate representation of their semantics. From the authorizations explicitly specified, additional authorizations are automatically derived by the system based on those hierarchies. The resulting model is therefore very flexible in terms of the kinds of protection requirements that it can represent. The flexibility provided to the users requires a non trivial underlying formal model where temporal constraints, derivation rules and object and subject hierarchies can be represented. In particular, when inheritance and derivation rules are used simultaneously, there is need for conditions ensuring that the authorization base is free from ambiguities. In this paper, we introduce a notion of safeness, and prove that it guarantees the absence of ambiguities and inconsistencies in the specification. Moreover, we define an efficient algorithm for computing authorizations from safe specifications. Finally, we provide a methodology for supporting temporal authorizations in heterogeneous, distributed systems. [ABSTRACT FROM AUTHOR]
Copyright of Journal of Computer Security is the property of Sage Publications Inc. and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Description
Abstract:In this paper we present a powerful authorization mechanism which provides support for: (1) periodic authorizations (both positive and negative), that is, authorizations that hold only in specific periods of time; (2) user-defined deductive temporal rules, by which new authorizations can be derived from those explicitly specified; (3) a hierarchical organization of subjects and objects, supporting a more adequate representation of their semantics. From the authorizations explicitly specified, additional authorizations are automatically derived by the system based on those hierarchies. The resulting model is therefore very flexible in terms of the kinds of protection requirements that it can represent. The flexibility provided to the users requires a non trivial underlying formal model where temporal constraints, derivation rules and object and subject hierarchies can be represented. In particular, when inheritance and derivation rules are used simultaneously, there is need for conditions ensuring that the authorization base is free from ambiguities. In this paper, we introduce a notion of safeness, and prove that it guarantees the absence of ambiguities and inconsistencies in the specification. Moreover, we define an efficient algorithm for computing authorizations from safe specifications. Finally, we provide a methodology for supporting temporal authorizations in heterogeneous, distributed systems. [ABSTRACT FROM AUTHOR]
ISSN:0926227X
DOI:10.3233/JCS-2000-8404