Roles’ temporal dimension
Example: the case of part-time staff in a company
- assume that part-time staff is authorized to work within the given organization only on working days, between 9 AM and 1 PM
- if part-time staff is represented by a role, then the above requirement entails that this role should be enabled only during the aforementioned temporal intervals
- similar requirements can be supported by specifying—for each role—the time periods in which they can be activated
Role dependencies
Example:
- the doctor-on-night-duty role is enabled during the night
- since doctors may need the assistance of a nurse, one should make sure that the corresponding role—say, nurse-on-night-duty—is enabled whenever doctor-on-night-duty is
TRBAC model
Periodic expression - denotes an infinite set of periodic time instants
Examples:
- all · Years + {3, 7} · Months ▷ 2 · Months = intervals that start at the 3rd and 7th months of the year and that have a length of 2 months
- night-time, day-time
- Mondays
- third hour of the first day of each month
Prios - totally ordered set of priorities
- has at least two distinct members (HIGHEST and LOWEST)
Event expression - "enable R" or "disable R", R is a role
Prioritized expression - p:E, p = priority and E = event expression
Role status expression - "enabled R" or "not_enabled R" (says if R is enabled or not)
Conflicting events - "enable R" and "disable R" are conflicting events
- conf(enable R) = disable R and vice versa
Role enabling base - basic logic of TRBAC; is composed of
- periodic events (I, P, p:E), where I is a time interval and P a periodic expression - e.g. ([1/1/2000, infinity], night-time, VH: enable doctor-on-night-duty)
- role triggers E1, ..., En, C1, ..., Cn -> p:E after delta_t, where the Ei are event expressions and the Ci are role status expressions ("after delta_t" specifies a delay and is optional)
- e.g. enable doctor-on-night-duty -> H: enable nurse-on-night-duty
Run-time expression - used by the Security Officer (SO) to enable and disable roles dynamically
- p:E after delta_t
Request-stream - sequence of run-time expressions requested by the SO
- RQ =
Blocked-event - events are blocked according to the denial-takes-precedence principle
Nonblocked(S) - set of nonblocked events
System trace
- EV - the t-th element of EV, denoted by EV(t), is the set of events that occur at time t
- ST - the t-th element of ST, denoted by ST(t), is the set of roles enabled at time t
Caused events at time t
- all events scheduled via a periodic event or an explicit request are caused
- all events scheduled by a trigger are caused, provided that
- the role status expressions in the body are satisfied
- the event expressions in the trigger are caused before time t, even with delay
- such events must not be blocked by any concurrent event
Execution model - EV with all caused events
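As an added illustration (not part of these notes), a small Python simulator of the role enabling base and execution model above: periodic events, triggers with priorities, run-time requests by the SO, and denial-takes-precedence blocking, applied to the doctor/nurse scenario. Assumptions: time advances in hourly steps, periodic expressions are predicates on the hour, role status expressions in a trigger body are evaluated against ST(t-1), and the priority labels L, M, H, VH are an assumed ordering.

```python
PRIO = {"L": 0, "M": 1, "H": 2, "VH": 3}   # Prios: totally ordered, LOWEST..HIGHEST (assumed labels)
def conf(event):  # conf(enable R) = disable R and vice versa
    return ("disable" if event[0] == "enable" else "enable", event[1])

def blocked(pe, events):
    """Denial takes precedence: p:E is blocked by a conflicting event of higher
    priority, or of equal priority when E is an enable (the disable wins ties)."""
    p, e = pe
    return any(f == conf(e) and (PRIO[q] > PRIO[p] or (PRIO[q] == PRIO[p] and e[0] == "enable"))
               for q, f in events)

def nonblocked(events):  # Nonblocked(S)
    return {pe for pe in events if not blocked(pe, events)}

def status_ok(conds, enabled):  # conds: (True, R) = "enabled R", (False, R) = "not_enabled R"
    return all((role in enabled) == want for want, role in conds)

def run(periodic, triggers, requests, hours):
    """System trace: EV(t) = nonblocked caused events, ST(t) = enabled roles, for t in hours."""
    st, ev_trace, st_trace, pending = set(), [], [], {}
    for t in range(hours):
        # caused: periodic events whose interval and periodic expression hold at t,
        # run-time requests by the SO, and delayed trigger heads scheduled for t
        caused = {(p, e) for (lo, hi), per, p, e in periodic if lo <= t <= hi and per(t)}
        caused |= set(requests.get(t, [])) | pending.pop(t, set())
        changed = True
        while changed:  # fire triggers until no new head is caused (zero-delay fixpoint)
            changed = False
            fired = {e for _, e in nonblocked(caused)}  # blocked body events do not fire triggers
            for body_ev, body_st, head, delay in triggers:
                if set(body_ev) <= fired and status_ok(body_st, st):  # status w.r.t. ST(t-1)
                    if delay == 0 and head not in caused:
                        caused.add(head); changed = True
                    elif delay > 0:
                        pending.setdefault(t + delay, set()).add(head)
        ev = nonblocked(caused)
        for _, (op, role) in ev:
            st = st | {role} if op == "enable" else st - {role}
        ev_trace.append(ev); st_trace.append(frozenset(st))
    return ev_trace, st_trace

# Constructed scenario from the notes' example; hours are indices, night = 22:00-06:00.
night = lambda t: t % 24 >= 22 or t % 24 < 6
DOC, NURSE = "doctor-on-night-duty", "nurse-on-night-duty"
PERIODIC = [((0, 10**9), night, "VH", ("enable", DOC)),
            ((0, 10**9), lambda t: not night(t), "VH", ("disable", DOC))]
TRIGGERS = [([("enable", DOC)], [], ("H", ("enable", NURSE)), 0),   # enable DOC -> H: enable NURSE
            ([("disable", DOC)], [], ("H", ("disable", NURSE)), 0)]
REQUESTS = {23: [("H", ("disable", NURSE))]}  # SO request at 23:00, same priority as the trigger
```

At 23:00 the SO's H: disable nurse and the trigger's H: enable nurse conflict at equal priority, so the enable is blocked and the nurse role stays disabled until the next hour re-fires the trigger.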
Individual exceptions - "disable R for U" or "enable R for U", U is a username or a variable ranging over usernames