Abstract
In this paper we present a powerful authorization mechanism which provides support for: (1) periodic authorizations (both positive and negative), that is, authorizations that hold only in specific periods of time; (2) user-defined deductive temporal rules, by which new authorizations can be derived from those explicitly specified; (3) a hierarchical organization of subjects and objects, supporting a more adequate representation of their semantics. From the authorizations explicitly specified, additional authorizations are automatically derived by the system based on those hierarchies. The resulting model is therefore very flexible in terms of the kinds of protection requirements that it can represent. The flexibility provided to the users requires a non-trivial underlying formal model where temporal constraints, derivation rules and object and subject hierarchies can be represented. In particular, when inheritance and derivation rules are used simultaneously, there is a need for conditions ensuring that the authorization base is free from ambiguities. In this paper, we introduce a notion of safeness, and prove that it guarantees the absence of ambiguities and inconsistencies in the specification. Moreover, we define an efficient algorithm for computing authorizations from safe specifications. Finally, we provide a methodology for supporting temporal authorizations in heterogeneous, distributed systems.
