Rewrite Specifications of Access Control Policies in Distributed Environments

Bertolissi, Clara; Fernández, Maribel

doi:10.1007/978-3-642-22444-7_4

Cited by 8 publications

(9 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This paper is based on preliminary work on rewrite-based specifications for the category-based metamodel presented in [19,20], and extends this previous work by providing new applications and new techniques for the analysis of policies obtained as instances of the metamodel.…”

Section: Introductionmentioning

confidence: 86%

“…Following [20], we first axiomatise a distributed access control metamodel, then give a rewrite-based operational semantics for this metamodel using the techniques introduced in [18], which allow us to deal in a uniform way with distributed systems where different access control policies are maintained locally. We demonstrate the expressive power of the distributed metamodel by showing how a distributed, dynamic, event-based access control model (the Distributed DEBAC model [18]) can be defined as an instance of the metamodel.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A metamodel of access control for distributed environments: Applications and properties

Bertolissi

Fernández

2014

Information and Computation

Self Cite

View full text Add to dashboard Cite

We describe a metamodel for access control, designed to take into account the specific requirements of distributed environments. We see a distributed system consisting of several sites, each with its own resources to protect, as a federation, and propose a framework for the specification (and enforcement) of global access control policies that take into account the local policies specified by each member of the federation. The framework provides mechanisms to specify heterogeneous local access control policies, to define policy composition operators, and to use them to define conflict-free access authorisation decisions. We use a declarative formalism in order to give an operational semantics to the distributed metamodel. We then show how properties of policies can be directly obtained from standard results for the operational semantics of access request evaluation.

show abstract

Section: Introductionmentioning

confidence: 86%

Section: Introductionmentioning

confidence: 99%

A metamodel of access control for distributed environments: Applications and properties

Bertolissi

Fernández

2014

Information and Computation

Self Cite

View full text Add to dashboard Cite

show abstract

“…An axiomatisation of distributed category-based access control was proposed in [18] to specify federative policies as a composition of individual access control policies. In a federation, each member has its own access control policy, and contributes to the definition of a global access control policy.…”

Section: Preliminaries: Category-based Access Control Policiesmentioning

confidence: 99%

“…Previous works on CBAC policies have used only textual languages and have focused mainly on the expressivity of the model, the analysis of policies and the techniques that can be used to enforce policies [9,17,18,19,1]. Graphbased languages have been used in the literature to model and analyse access control problems, but not within CBAC (with the exception of [3], which is the basis for this paper and considers CBAC policies without prohibitions).…”

Section: Related Workmentioning

confidence: 99%

A graph-based framework for the analysis of access control policies

Alves¹,

Fernández²

2017

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

We design a graph-based framework for the analysis of access control policies that aims at easing the specification and verification tasks for security administrators. We consider policies in the category-based access control model, which has been shown to subsume many of the most well known access control models (e.g., MAC, DAC, RBAC). Using a graphical representation of category-based policies, we show how answers to usual administrator queries can be automatically computed, and properties of access control policies checked. We show applications in the context of emergency situations, where our framework can be used to analyse the interaction between access control and emergency management.

show abstract

“…There are other alternatives, e.g., considering undeterminate as answer if there is not enough information to grant the request. More generally, the relations BARCA and BAR were introduced in [6] to explicitly represent prohibitions, that is, to specify that an action is forbidden on a resource; UN DET was introduced to specify undeterminate answers. These relations obey the following axioms:…”

Section: Preliminariesmentioning

confidence: 99%

Access Control and Obligations in the Category-Based Metamodel: A Rewrite-Based Semantics

Alves

Degtyarev

Fernández

2015

Logic-Based Program Synthesis and Transformation

Self Cite

View full text Add to dashboard Cite

We define an extension of the category-based access control (CBAC) metamodel to accommodate a general notion of obligation. Since most of the well-known access control models are instances of the CBAC metamodel, we obtain a framework for the study of the interaction between authorisation and obligation, such that properties may be proven of the metamodel that apply to all instances of it. In particular, the extended CBAC metamodel allows security administrators to check whether a policy combining authorisations and obligations is consistent.

show abstract

Rewrite Specifications of Access Control Policies in Distributed Environments

Cited by 8 publications

References 30 publications

A metamodel of access control for distributed environments: Applications and properties

A metamodel of access control for distributed environments: Applications and properties

A graph-based framework for the analysis of access control policies

Access Control and Obligations in the Category-Based Metamodel: A Rewrite-Based Semantics

Contact Info

Product

Resources

About