3rd International ICST Symposium on Information Assurance and Security

Research Article

Function-Based Authorization Constraints Specification and Enforcement

  • @INPROCEEDINGS{10.1109/IAS.2007.40,
        author={ Wei  ZhoU and  Christoph  Meinel},
        title={Function-Based Authorization Constraints Specification and Enforcement},
        proceedings={3rd International ICST Symposium on  Information Assurance and Security},
        keywords={Access control  authorization constraints  constraints enforcement  constraints specification},
  • Wei ZhoU
    Christoph Meinel
    Year: 2007
    Function-Based Authorization Constraints Specification and Enforcement
    DOI: 10.1109/IAS.2007.40
Wei ZhoU1,*, Christoph Meinel1,*
  • 1: Hasso-Plattner-Institute University of Potsdam D-14482 Potsdam, Germany
*Contact email: wei.zhou@hpi.uni-potsdam.de, meinel@hpi.uni-potsdam.de


Constraints are an important aspect of role-based access control (RBAC) and its different extensions. They are often regarded as one of the principal motivation behind these access control models. In this paper, we introduce two novel authorization constraint specification schemes named as prohibition constraint scheme and obligation constraint scheme. Both of them can be used for expressing and enforcing authorization constraints. These schemes strongly bind to authorization entity set functions and authorization entity relation functions, so they can provide the system designers a clear view about which functions should be defined in an authorization constraint system. Based on these functions, different kinds of constraint schemes can be easily defined. The security administrators can use these functions to create constraint schemes for their day-to-day operations. The constraint system can be scalable through defining new functions. This approach goes beyond the well known separation of duty constraints, and considers many aspects of entity relation constraints.