Ensuring authorization privileges for cascading user obligations

Omar Chowdhury, Murillo Pontual, William H. Winsborough, Ting Yu, Keith Irwin, Jianwei Niu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

User obligations are actions that human users are required to perform at some future time. These are common in many practical access control and privacy and can depend on and affect the authorization state. Consequently, a user can incur an obligation that she is not authorized to perform, which may hamper the usability of a system. To mitigate this problem, previous work introduced a property of the authorization state, accountability, which requires that all obligatory actions be authorized when they are attempted. Although existing work provides a specific and tractable decision procedure for a variation of the accountability property, it makes a simplified assumption that no cascading obligations may happen, i.e., obligatory actions cannot further incur obligations. This is a strong assumption which reduces the expressive power of past models, and thus cannot support many obligation scenarios in practical security and privacy policies. In this work, we precisely specify the strong accountability property in the presence of cascading obligations and prove that deciding it is NP-hard. For several special yet practical cases of cascading obligations (e.g., repetitive, finite cascading), we provide a tractable decision procedure for accountability. Our experimental results illustrate that supporting such special cases is feasible in practice.

Original language: English
Title of host publication: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
Pages: 33-43
Number of pages: 11
Publication status: Published - 25 Jul 2012
Externally published: Yes
Event: 17th ACM Symposium on Access Control Models and Technologies, SACMAT'12 - Newark, NJ, United States
Duration: 20 Jun 2012 - 22 Jun 2012

Other

Other: 17th ACM Symposium on Access Control Models and Technologies, SACMAT'12
Country: United States
City: Newark, NJ
Period: 20/6/12 - 22/6/12

Fingerprint

Access control

Keywords

  • Accountability
  • Authorization
  • Cascading obligations
  • Obligations
  • RBAC

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems

Cite this

Chowdhury, O., Pontual, M., Winsborough, W. H., Yu, T., Irwin, K., & Niu, J. (2012). Ensuring authorization privileges for cascading user obligations. In Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT (pp. 33-43) https://doi.org/10.1145/2295136.2295144

@inproceedings{33df3748c10143688c4d939351b7a8ee,
title = "Ensuring authorization privileges for cascading user obligations",
keywords = "Accountability, Authorization, Cascading obligations, Obligations, RBAC",
author = "Omar Chowdhury and Murillo Pontual and Winsborough, {William H.} and Ting Yu and Keith Irwin and Jianwei Niu",
year = "2012",
month = "7",
day = "25",
doi = "10.1145/2295136.2295144",
language = "English",
isbn = "9781450312950",
pages = "33--43",
booktitle = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

}
