Temporal Location-Aware Access Control Model Based on Composite Events
Presented by Yu, Lijun
Feb 05, 2016
Outline
- Motivation
- Background
- The TL-RBAC model: composite event model, conditions, actions
- Conclusion and future work
Motivation
- Manager John agrees with the employee Bob that he may track Bob's location only during office hours and only when Bob is in the office, i.e. 9AM – 5PM, M-F.
- Bob pays twenty dollars per month for a roadside assistance service, so he may use that service for up to thirty hours per week.
- Solution: a combined temporal and location-based RBAC model.
Background
[Figure: the core RBAC model] USERS are linked to ROLES by user assignment (UA); ROLES are linked to permissions (PRMS, consisting of operations OPS on objects OBS) by permission assignment (PA); RH is the role hierarchy; SESSIONS are connected to users via user_sessions and to roles via session_roles.
Temporal RBAC model
- Temporal constraints on: user assignment, permission assignment, role activation, role enabling, RBAC constraints
- Temporal constraints can be duration constraints or periodic constraints
Temporal RBAC model
- Role status expressions
- Role triggers
- Run-time requests
- Execution model
Location-based access control model
- A location is modeled as a set of points
- Location constraints on: user assignment, permission assignment, role activation, permission (object location)
- Users get dynamic access control that depends on both the user location and the object location
The TL-RBAC model
- Composite event model
- Conditions
- Actions
Composite event model
- Based on the Snoop event specification language for active databases
- Extensions: primitive RBAC events, primitive location-based events, duration composite constructs
Composite event model
- Primitive events: primitive RBAC events, primitive location-based events
- Temporal composite events: periodic / aperiodic, disjunction / conjunction, sequence, duration
TL-RBAC system state
The TL-RBAC system state is a tuple S = <ER, UA, UT, PA, RS> where
- ER ⊆ Roles is the set of enabled roles
- UA: Users → 2^Roles is a function giving the set of roles assigned to a user
- UT: Users → 2^Roles is a function giving the set of roles activated by a user
- PA: Roles → 2^Permissions is a function giving the set of permissions assigned to a role
- RS ⊆ Time × Priority × Expressions is the set of role enabling expressions, where an expression has one of the following forms:
  - assign r to u: assign role r to user u
  - de-assign r to u: de-assign role r from user u
  - assign p to r: assign permission p to role r
  - de-assign p to r: de-assign permission p from role r
  - enable r: enable role r
  - disable r: disable role r
  - activate r for u: activate role r by user u
  - deactivate r for u: deactivate role r by user u
TL-RBAC predicates
TL-RBAC predicates are boolean expressions composed of role status predicates and location-based predicates, where
- Role status predicates can be:
  - r ∈ er: whether role r is enabled, er being the enabled-role set ER of the current state
  - r ∈ ua(u): whether role r is assigned to user u by the function ua (UA)
  - r ∈ ut(u): whether role r is activated by user u by the function ut (UT)
  - p ∈ pa(r): whether permission p is assigned to role r by the function pa (PA)
- Location-based predicates can be:
  - location(u) ∈ loc
  - location(obj) ∈ loc
  - loc1 = loc2
TL-RBAC Action and Action Semantics
- A TL-RBAC action is defined as a triple in Actions × Priority × Expressions, where Actions = {Add, Remove, Execute}
- The semantics of each TL-RBAC action is modeled as a transition of the TL-RBAC system state, that is
  S(ER, UA, UT, PA, RS) → S'(ER', UA', UT', PA', RS')
  where S is the TL-RBAC system state before the action and S' is the state after the action.
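As an added example, not code from the presentation, the following Python models the state tuple S = <ER, UA, UT, PA, RS>, the eight expression forms, the role status predicates and the three actions Add, Remove and Execute as state transitions. Everything beyond the slides is an assumption and is marked as such in the code: the tuple encoding of expressions, the conflict rule that the highest-priority (then most recent) enable/disable entry in RS decides whether a role is enabled and that a role with no entry left in RS is disabled, the safety check that a role must be enabled and assigned before it can be activated, and the `authorized` access decision.

```python
# Added example (not from the presentation): a minimal executable model of the
# TL-RBAC system state, the expression forms, the predicates and the actions.
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Assumed encoding of the slide's expressions as tuples:
#   ("assign_role", r, u)   assign r to u        ("deassign_role", r, u)  de-assign r to u
#   ("assign_perm", p, r)   assign p to r        ("deassign_perm", p, r)  de-assign p from r
#   ("enable", r)           enable r             ("disable", r)           disable r
#   ("activate", r, u)      activate r for u     ("deactivate", r, u)     deactivate r for u
Expression = Tuple[str, ...]
# RS holds (time, priority, expression) triples, i.e. elements of Time x Priority x Expressions.
RoleEnabling = Tuple[float, int, Expression]


@dataclass
class TLRBACState:
    er: Set[str] = field(default_factory=set)              # ER: enabled roles
    ua: Dict[str, Set[str]] = field(default_factory=dict)  # UA: user -> assigned roles
    ut: Dict[str, Set[str]] = field(default_factory=dict)  # UT: user -> activated roles
    pa: Dict[str, Set[str]] = field(default_factory=dict)  # PA: role -> permissions
    rs: Set[RoleEnabling] = field(default_factory=set)     # RS: role enabling expressions

    # Role status predicates from the slides.
    def is_enabled(self, r: str) -> bool:
        return r in self.er

    def is_assigned(self, r: str, u: str) -> bool:
        return r in self.ua.get(u, set())

    def is_activated(self, r: str, u: str) -> bool:
        return r in self.ut.get(u, set())

    def has_permission(self, p: str, r: str) -> bool:
        return p in self.pa.get(r, set())

    def authorized(self, u: str, p: str) -> bool:
        """Assumed access decision: u holds p through some role that is both
        activated by u and currently enabled."""
        return any(self.is_enabled(r) and self.has_permission(p, r)
                   for r in self.ut.get(u, set()))


def execute(s: TLRBACState, e: Expression) -> bool:
    """Apply one expression to the state in place; returns False if it is refused."""
    kind = e[0]
    if kind == "assign_role":
        s.ua.setdefault(e[2], set()).add(e[1])
    elif kind == "deassign_role":
        s.ua.get(e[2], set()).discard(e[1])
        s.ut.get(e[2], set()).discard(e[1])      # assumption: losing the role ends its activation
    elif kind == "assign_perm":
        s.pa.setdefault(e[2], set()).add(e[1])
    elif kind == "deassign_perm":
        s.pa.get(e[2], set()).discard(e[1])
    elif kind == "enable":
        s.er.add(e[1])
    elif kind == "disable":
        s.er.discard(e[1])
        for roles in s.ut.values():              # assumption: a disabled role is deactivated for everyone
            roles.discard(e[1])
    elif kind == "activate":
        r, u = e[1], e[2]
        if not (s.is_enabled(r) and s.is_assigned(r, u)):  # assumed safety check
            return False
        s.ut.setdefault(u, set()).add(r)
    elif kind == "deactivate":
        s.ut.get(e[2], set()).discard(e[1])
    else:
        raise ValueError(f"unknown expression {e!r}")
    return True


def resolve_enabling(s: TLRBACState, r: str) -> None:
    """Assumed conflict rule: the highest-priority (then latest) enable/disable
    entry in RS for role r decides r's status; with no entry left, r is disabled."""
    entries = [(p, t, e) for (t, p, e) in s.rs if e[0] in ("enable", "disable") and e[1] == r]
    execute(s, max(entries)[2] if entries else ("disable", r))


def tl_rbac_action(s: TLRBACState, t: float, a: str, p: int, e: Expression) -> bool:
    """TL-RBAC-Action(t, <a, p, e>) as the transition S -> S'."""
    if a == "Execute":
        return execute(s, e)
    if a == "Add":
        s.rs.add((t, p, e))
    elif a == "Remove":
        s.rs = {x for x in s.rs if (x[1], x[2]) != (p, e)}
    else:
        raise ValueError(f"unknown action {a!r}")
    if e[0] in ("enable", "disable"):
        resolve_enabling(s, e[1])
    return True
```

A typical run: assign the role and a permission, observe that activation is refused while the role is disabled, Add the enabling expression with priority 100, activate, and then Remove it again, which disables the role and drops Bob's activation.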
Runtime Request
- Event: [Now] + [t]
- Condition: TL-RBAC predicates
- Actions: TL-RBAC-Action(t, <Execute, p, e>)
where t is the time that the event occurs, p ∈ Priority and e ∈ Expressions
Role Trigger
- Event: Any(n, E1, E2, …, En) + [t]
- Condition: TL-RBAC predicates
- Actions: TL-RBAC-Action(t, <Execute, p, e>)
where t is the time that the event occurs, p ∈ Priority and e ∈ Expressions
Periodic TL-RBAC Constraints
Monday = P([(09:00:00)04/04/2005], [7 days], [*/*/*])
Friday = P([(09:00:00)04/08/2005], [7 days], [*/*/*])
Ebegin = Any(1, Monday, Friday)
Eend = Ebegin + [8 hours]

- Event: Ebegin
  Condition: true
  Actions: TL-RBAC-Action(t, <Add, 100, enable part-time employee>)
  where t is the time that the event occurs
- Event: Eend
  Condition: true
  Actions: TL-RBAC-Action(t, <Remove, 100, enable part-time employee>)
  where t is the time that the role enabling expression is added
Duration TL-RBAC Constraints
E1 = D*(activate player for John, [30 minutes], deactivate player for John)

- Event: A([(09:00:00)*/*/*], E1, [(17:00:00)*/*/*])
  Condition: true
  Actions: TL-RBAC-Action(t, <Execute, , deactivate player for John>)
  where t is the time that the event occurs
Location-based TL-RBAC Constraints
- Event: user location changing or object location changing
  Condition: TL-RBAC predicates
  Actions: TL-RBAC-Action(t, <a, p, e>)
  where t is the time that the event occurs, a ∈ Actions, p ∈ Priority and e ∈ Expressions
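The three constraint slides above (periodic, duration, location-based) are built from the composite-event constructs P, Any, + [t], D* and A. The Python below is an added example, not the presenter's code, that evaluates those constructs over a constructed timeline starting Monday 04/04/2005 (the date on the periodic slide) and feeds the resulting occurrences to event-condition-action triggers; it also covers the general Any(m, E1..En) form rather than only Any(1, ...). Assumptions, marked in the code: D*(Estart, [d], Eend) is read as "fires at Estart + d unless Eend occurred in between", Any(m, ...) fires once m distinct component events have occurred and then restarts, and the `track-location` permission and the `office` location label used for the motivating John/Bob example are made up for the example.

```python
# Added example (not from the presentation): composite-event detection for the
# constraint slides, evaluated over a constructed timeline.
from datetime import datetime, time, timedelta
from typing import Callable, List, Tuple

Occurrences = List[datetime]      # an event is represented by its sorted occurrence times
Action = Tuple[datetime, str]     # (time the trigger fired, TL-RBAC action it emits)


def periodic(first: datetime, period: timedelta, horizon: datetime) -> Occurrences:
    """P([first], [period], [*/*/*]): every `period` from `first` up to `horizon`."""
    out, t = [], first
    while t <= horizon:
        out.append(t)
        t += period
    return out


def any_of(m: int, *events: Occurrences) -> Occurrences:
    """Any(m, E1..En): fires once m distinct component events have occurred
    (assumed Snoop-style semantics), then restarts detection."""
    tagged = sorted((t, i) for i, ev in enumerate(events) for t in ev)
    out, seen = [], set()
    for t, i in tagged:
        seen.add(i)
        if len(seen) >= m:
            out.append(t)
            seen.clear()
    return out


def offset(event: Occurrences, delta: timedelta) -> Occurrences:
    """E + [t]: every occurrence shifted by t."""
    return [t + delta for t in event]


def duration(start: Occurrences, d: timedelta, end: Occurrences) -> Occurrences:
    """D*(Estart, [d], Eend), assumed reading: fires at Estart + d unless Eend occurred in between."""
    return [s + d for s in start if not any(s < e <= s + d for e in end)]


def aperiodic(opens: Occurrences, event: Occurrences, closes: Occurrences) -> Occurrences:
    """A(Eopen, E, Eclose): occurrences of E that fall inside some open..close window."""
    windows = list(zip(opens, closes))
    return [t for t in event if any(o <= t <= c for o, c in windows)]


def daily(clock: str, day0: datetime, days: int) -> Occurrences:
    """[(HH:MM:SS)*/*/*]: the given clock time on each of `days` days from day0."""
    h, m, s = map(int, clock.split(":"))
    return [day0.replace(hour=h, minute=m, second=s) + timedelta(days=i) for i in range(days)]


def trigger(event: Occurrences, condition: Callable[[datetime], bool], action: str) -> List[Action]:
    """One event-condition-action rule: emit `action` at every occurrence passing `condition`."""
    return [(t, action) for t in event if condition(t)]


def part_time_enabling(week_start: datetime, weeks: int = 2) -> List[Action]:
    """Periodic constraint: enable 'part-time employee' at 09:00 Mon and Fri, remove 8 hours
    later. `week_start` is assumed to be a Monday (e.g. 04/04/2005 as on the slide)."""
    nine = week_start.replace(hour=9, minute=0, second=0)
    horizon = week_start + timedelta(days=7 * weeks - 1)
    monday = periodic(nine, timedelta(days=7), horizon)
    friday = periodic(nine + timedelta(days=4), timedelta(days=7), horizon)
    ebegin = any_of(1, monday, friday)
    eend = offset(ebegin, timedelta(hours=8))
    return sorted(trigger(ebegin, lambda t: True, "Add <100, enable part-time employee>")
                  + trigger(eend, lambda t: True, "Remove <100, enable part-time employee>"))


def player_timeouts(day0: datetime, activations: Occurrences, deactivations: Occurrences) -> List[Action]:
    """Duration constraint: force-deactivate 'player' for John 30 minutes after an
    activation that was not ended by John, but only between 09:00 and 17:00."""
    e1 = duration(activations, timedelta(minutes=30), deactivations)
    inside = aperiodic(daily("09:00:00", day0, 1), e1, daily("17:00:00", day0, 1))
    return trigger(inside, lambda t: True, "Execute deactivate player for John")


def tracking_decisions(location_changes: List[Tuple[datetime, str]]) -> List[Action]:
    """Location-based constraint (the motivating example): John may track Bob only
    09:00-17:00 Mon-Fri and while Bob is in the office. Names are constructed."""
    def office_hours(t: datetime) -> bool:
        return t.weekday() < 5 and time(9) <= t.time() < time(17)
    out = []
    for t, loc in location_changes:                    # each change is a location event
        allowed = office_hours(t) and loc == "office"  # the condition: TL-RBAC predicates
        out.append((t, "Execute assign track-location to manager" if allowed
                    else "Execute de-assign track-location from manager"))
    return out


if __name__ == "__main__":
    for when, what in part_time_enabling(datetime(2005, 4, 4)):
        print(when, what)
```

Each constructor returns plain occurrence lists, so the constructs compose exactly as the slides write them (Ebegin = Any(1, Monday, Friday), Eend = Ebegin + [8 hours]), and the trigger layer stays independent of how the events were detected.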
Related work
- Snoop, a model-independent event specification language for active databases: S. Chakravarthy and D. Mishra [3]
- The temporal RBAC model (TRBAC) and the GTRBAC model: Elisa Bertino, James Joshi et al.
- The LRBAC model
Conclusion and future work
- Duration event detection
- Temporal role hierarchy
- Temporal cardinality constraints

Questions