In this paper we present a temporal access control model that provides for decentralized administration of authorizations. Each access authorization, negative or positive, is associated with a time interval limiting its validity. When the interval expires, the authorization is automatically revoked. The model also permits the specification of rules, based on four different temporal operators, to derive additional authorizations from the presence or absence of other authorizations. Users creating objects can retain complete control over their objects or delegate to other users the privilege of administering accesses on the objects. Delegation can also be selectively enforced with reference to specific access modes or time intervals. The resulting model provides a high degree of flexibility and makes it possible to express several protection requirements that cannot be expressed in traditional access control models.
Decentralized administration for a temporal access control model / E. Bertino, C. Bettini, E. Ferrari, P. Samarati. - In: INFORMATION SYSTEMS. - ISSN 0306-4379. - 22:4(1997 Jun), pp. 223-248.
Decentralized administration for a temporal access control model
E. Bertino; C. Bettini; P. Samarati
1997