
An algebra for composing access control policies / P. Bonatti, S. De Capitani di Vimercati, P. Samarati. - In: ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY. - ISSN 1094-9224. - 5:1(2002 Feb), pp. 1-35. [10.1145/504909.504910]

An algebra for composing access control policies

P.A. Bonatti (first author); S. De Capitani di Vimercati (second author); P. Samarati (last author)
2002

Abstract

Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This is limiting when restrictions to be enforced come from different input requirements, possibly under the control of different authorities, and where the specifics of some requirements may not even be known a priori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. This paper addresses the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. A translation of policy expressions into equivalent logic programs is illustrated, which provides the basis for the implementation of the algebra. The algebra's expressiveness is analyzed through a comparison with first-order logic.
Database Administration/Security ; integrity ; protection ; access control ; policy composition ; algebra ; logic programming.
Sector INF/01 - Computer Science
Article (author)

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/22430
Citations
  • Scopus 230