Research Article
Function-Based Authorization Constraints Specification and Enforcement
@INPROCEEDINGS{10.1109/IAS.2007.40, author={ Wei ZhoU and Christoph Meinel}, title={Function-Based Authorization Constraints Specification and Enforcement}, proceedings={3rd International ICST Symposium on Information Assurance and Security}, publisher={IEEE}, proceedings_a={IAS}, year={2007}, month={9}, keywords={Access control authorization constraints constraints enforcement constraints specification}, doi={10.1109/IAS.2007.40} }- Wei ZhoU
Christoph Meinel
Year: 2007
Function-Based Authorization Constraints Specification and Enforcement
IAS
IEEE
DOI: 10.1109/IAS.2007.40
Abstract
Constraints are an important aspect of role-based access control (RBAC) and its different extensions. They are often regarded as one of the principal motivation behind these access control models. In this paper, we introduce two novel authorization constraint specification schemes named as prohibition constraint scheme and obligation constraint scheme. Both of them can be used for expressing and enforcing authorization constraints. These schemes strongly bind to authorization entity set functions and authorization entity relation functions, so they can provide the system designers a clear view about which functions should be defined in an authorization constraint system. Based on these functions, different kinds of constraint schemes can be easily defined. The security administrators can use these functions to create constraint schemes for their day-to-day operations. The constraint system can be scalable through defining new functions. This approach goes beyond the well known separation of duty constraints, and considers many aspects of entity relation constraints.