210 likes | 307 Views
Temporal Location-Aware Access Control Model Based on Composite Events. Presented by Yu, Lijun lijun@cs.colostate.edu. Outline. Motivation Background The TL-RBAC model Composite event model Conditions Actions Conclusion and future work. Motivation.
E N D
Temporal Location-Aware Access Control Model Based on Composite Events Presented by Yu, Lijun lijun@cs.colostate.edu
Outline • Motivation • Background • The TL-RBAC model • Composite event model • Conditions • Actions • Conclusion and future work
Motivation • Manager John agrees with the employee Bob that he can track Bob’s location only during office hours and when Bob is in office, i.e. 9AM – 5PM, M-F • Bob paid twenty dollars per month for roadside assistant service so that he can use that service for up to thirty hours per week • Solution: A combined temporal and location based RBAC model
RH PRMS UA PA OBS OPS USERS ROLES User_sessions Session_roles SESSIONS Background
Temporal RBAC model • Temporal constraints • User assignment • Permission assignment • Role activation • Role enabling • RBAC Constraints • Temporal constraints can be • Duration constraints • Periodic constraints
Temporal RBAC model • Role Status Expressions • Role Triggers • Run-time requests • Execution model
Location-based access control model • Location is modeled as a set of points • Location constraints on • User assignment • Permission assignment • Role activation • Permission (object location) • Users have dynamic access control at different user location and object location
The TL-RBAC model • Composite event model • Conditions • Actions
Composite event model • Based on the Snoop event specification language for active databases • Extension • Primitive RBAC events • Primitive location-based events • Duration composite constructs
Composite event model • Primitive events • Primitive RBAC events • Primitive location-based events • Temporal • Composite events • Periodic / APeriodic • Disjunction / Conjunction • Sequence • Duration
TL-RBAC system state • The TL-RBAC system state is a tuple S = <ER, UA, UT, PA, RS> where • ER Roles is a set of enabled roles, • UA: Users(Roles) is a function to get the set of roles assigned to the user • UT: Users(Roles) is a function to get the set of roles activated by the user • PA: Roles(Permissions) is a function to get the assigned set of permission of a role • RS = TimePriorityExpressions is the set of role enabling expressions, where Expressions can be one of the following formats: • assign r to u, that is assign role r to user u • de-assign r to u, that is de-assign role r from user u • assign p to r, that is assign permission p to role r • de-assign p to r, that is de-assign permission p from role r • enable r, that is enable role r • disable r, that is disable role r • activate r for u, that is activate role r by user u • deactivate r for u, that is deactivate role r by user u
TL-RBAC predicates • TL-RBAC predicates are boolean expressions comprised of role status predicates and location-based predicates where • Role status predicates can be: • r er indicates whether role r is enabled in set er ER • r ua(u) indicates whether role r is assigned to user u in function ua UA • r ut(u) indicates whether role r is activated by user u in function ut UT • p pa(r) indicates whether permission p is assigned to role r by function pa PA • Location-based predicates can be: • location(u) loc • location(obj) loc • loc1 = loc2
TL-RBAC Action and Action Semantics • The TL-RBAC action is defined as ActionsPriorityExpressions, where Actions = {Add, Remove, Execute} • The semantics of each TL-RBAC action is modeled as transition of TL-RBAC system state, that is • S(ER, UA, UT, PA, RS)S’(ER’, UA’, UT’, PA’, RS’) where S is the TL-RBAC system state before the action and S’ is the state after the action.
Runtime Request • Event: [Now] + [t] • Condition: TL-RBAC predicates • Actions: TL-RBAC-Action(t, <Execute, p, e>) where t is the time that the event occurs, p Priority and e Expressions
Role Trigger • Event: Any(n, E1, E2, …, En) + [t] • Condition: TL-RBAC predicates • Actions: TL-RBAC-Action(t, <Execute, p, e>) where t is the time that the event occurs, p Priority and e Expressions
Periodic TL-RBAC Constraints • Monday = P([09:00:00)04/04/2005], [7days], [*/*/*])) • Friday = P([09:00:00)04/08/2005], [7days], [*/*/*])) • Ebegin = Any(1, Monday, Friday) • Eend = Ebgin + [8 hours] • Event: Ebegin • Condition: true • Actions: TL-RBAC-Action(t, <Add, 100, enable part-time employee>) where t is the time that the event occurs • Event: Eend • Condition: true • Actions: TL-RBAC-Action(t, <Remove, 100, enable part-time employee>) where t is the time that the role enabling expression is added
Duration TL-RBAC Constraints • E1 = D*(activate player for John, [30 minutes], deactivate play for John) • Event: A([(09:00:00)*/*/*], E1, [(17:00:00)*/*/*]) • Condition: true • Actions: TL-RBAC-Action(t, <Execute, , deactivate player for John>) where t is the time that the event occurs
Location-based TL-RBAC Constraints • Event: User Location Changing or Object Location Changing • Condition: TL-RBAC predicates • Actions: TL-RBAC-Action(t, <a, p, e>) where t is the time that the event occurs, a Actions, p Priority and e Expressions
Related work • Snoop model independent event specification language for active databases • S. Chakravarthy and D. Mishra [3] • The temporal RBAC model (TRBAC) and GTRBAC model • Elisa Bertino James Joshi et al. • The LRBAC model
Conclusion and future work • Duration Event detection • Temporal Role hierarchy • Temporal cardinality constraints