An Integrated Approach for the Enforcement of Contextual Permissions and Pre-Obligations

An Integrated Approach for the Enforcement of Contextual Permissions and Pre-Obligations

Yehia Elrakaiby (TELECOM Bretagne, France), Frédéric Cuppens (TELECOM Bretagne, France) and Nora Cuppens-Boulahia (TELECOM Bretagne, France)
DOI: 10.4018/jmcmc.2011040103
OnDemand PDF Download:
No Current Special Offers


Pre-obligations denote actions that may be required before access is granted. The successful fulfillment of pre-obligations leads to the authorization of the requested access. Pre-obligations enable a more flexible enforcement of authorization policies. This paper formalizes interactions between the obligation and authorization policy states when pre-obligations are supported and investigates their use in a practical scenario. The main advantage of the presented approach is that it gives pre-obligations both declarative semantics using predicate logic and operational semantics using Event-Condition-Action (ECA) rules. Furthermore, the presented framework enables policy designers to easily choose to evaluate any pre-obligation either (1) statically (an access request is denied if the pre-obligation has not been fulfilled); or (2) dynamically (users are given the possibility to fulfill the pre-obligation after the access request and before access is authorized).
Article Preview


Traditional security policy systems provided a simple yes/no answer to access requests. However, it was recognized that access often depends on some user-actions being performed before access is granted. For instance, an access rule may specify that users are allowed to download music files provided that they pay 1$ first. In this case, if a user requests to download, for example, the latest single of Muse, s\he is asked to pay 1$. If the payment is made successfully, the user is allowed to download the requested file. Such requirements are called pre-obligations. Neither traditional access control models such as DAC (NCSC, 1987) and RBAC (Ferraiolo & Kuhn, 1992) nor more recent contextual security models such as ASL (Jajodia, Samarati, & Subrahmanian, 1997) and OrBAC (Abou El Kalam et al., 2003) support preobligations: In these models, an access request is only allowed if the conditions associated with a permission authorizing the access are true when the access request is made.

There are several advantages of supporting pre-obligations in the policy language. First, this provides additional expressiveness since it enables policy administrators to specify that subjects may fulfill some of the access requirements after the access request. Furthermore, it separates the expression of requirements from the functional specification (the code) of the application. Thus, the analysis of policy requirements is simplified and administrators are able to modify the behavior of the system by updating policy rules without recoding the application.

To support pre-obligations, a number of works (Bettini, Jajodia, Wang, & Wijesekera, 2002, 2003 ; Ni, Bertino, & Lobo, 2008) subordinate obligations to access control rules. This approach has some limitations. For instance, obligations are only activated after access requests and general obligations are not supported. In addition, this approach generally produces intricate access control policies since permissions and obligations are often specified within the same rule. This is the approach used in (Ni et al., 2008) to specify permissions and their associated pre-obligations. The main limitation of previous works on pre-obligations is however that none formalized the effects of supporting pre-obligations on the evolution of the authorization and obligation policy states. This is essential to provide a deeper understanding of pre-obligations and their enforcement in information systems. In addition, this formal approach allows the study and the analysis of change in the authorization and obligation policy states in the presence of pre-obligations. Therefore, it enables, for instance, to derive plans to reach some particular authorization states (Becker & Nanz, 2008 ; Craven et al., 2009) or to explain the deactivation of pre-obligations after permission activation.

In this paper, we study the specification and the enforcement of pre-obligations. In our approach, we formalize the enforcement of pre-obligations using an extension of the language Lactive (Baral & Lobo, 1996). Lactive enables the description of change in state using concepts from action specification languages (Gelfond & Lifschitz, 1993).Thus, it enables reasoning about state evolution and the study of interactions between pre-obligations and the authorization and obligation policy states. Lactive also supports the specification of reactive behavior using active rules. This feature enables us to provide formal operational semantics for the enforcement of pre-obligations.

Complete Article List

Search this Journal:
Volume 13: 4 Issues (2022): 1 Released, 3 Forthcoming
Volume 12: 4 Issues (2021)
Volume 11: 4 Issues (2020)
Volume 10: 4 Issues (2019)
Volume 9: 4 Issues (2018)
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2014)
Volume 5: 4 Issues (2013)
Volume 4: 4 Issues (2012)
Volume 3: 4 Issues (2011)
Volume 2: 4 Issues (2010)
Volume 1: 4 Issues (2009)
View Complete Journal Contents Listing