On the management of user obligations

Murillo Pontual, Omar Chowdhury, William H. Winsborough, Ting Yu, Keith Irwin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

11 Citations (Scopus)

Abstract

This paper is part of a project investigating authorization systems that assign obligations to users. We are particularly interested in obligations that require authorization to be performed and that, when performed, may modify the authorization state. In this context, a user may incur an obligation she is unauthorized to perform. Prior work has introduced a property of the authorization system state that ensures users will be authorized to fulfill their obligations. We call this property accountability because users that fail to perform authorized obligations are accountable for their non-performance. While a reference monitor can mitigate violations of accountability, it cannot prevent them entirely. This paper presents techniques to be used by obligation system managers to restore accountability. We introduce several notions of dependence among pending obligations that must be considered in this process. We also introduce a novel notion we call obligation pool slicing, owing to its similarity to program slicing. An obligation pool slice identifies a set of obligations that the administrator may need to consider when applying strategies proposed here for restoring accountability. The paper also presents the system architecture of an authorization system that incorporates obligations that can require and affect authorizations.

Original language: English
Title of host publication: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
Pages: 175-184
Number of pages: 10
DOIs: https://doi.org/10.1145/1998441.1998473
Publication status: Published - 15 Jul 2011
Externally published: Yes
Event: 16th ACM Symposium on Access Control Models and Technologies, SACMAT 2011 - Innsbruck, Austria
Duration: 15 Jun 2011 to 17 Jun 2011

Other

Other: 16th ACM Symposium on Access Control Models and Technologies, SACMAT 2011
Country: Austria
City: Innsbruck
Period: 15/6/11 to 17/6/11

Keywords

  • Accountability
  • Authorization
  • Obligations
  • Policy
  • RBAC

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems

Cite this

Pontual, M., Chowdhury, O., Winsborough, W. H., Yu, T., & Irwin, K. (2011). On the management of user obligations. In Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT (pp. 175-184) https://doi.org/10.1145/1998441.1998473

@inproceedings{af73de42c06a4ba1bfcd3cc17da3fb89,
title = "On the management of user obligations",
abstract = "This paper is part of a project investigating authorization systems that assign obligations to users. We are particularly interested in obligations that require authorization to be performed and that, when performed, may modify the authorization state. In this context, a user may incur an obligation she is unauthorized to perform. Prior work has introduced a property of the authorization system state that ensures users will be authorized to fulfill their obligations. We call this property accountability because users that fail to perform authorized obligations are accountable for their non-performance. While a reference monitor can mitigate violations of accountability, it cannot prevent them entirely. This paper presents techniques to be used by obligation system managers to restore accountability. We introduce several notions of dependence among pending obligations that must be considered in this process. We also introduce a novel notion we call obligation pool slicing, owing to its similarity to program slicing. An obligation pool slice identifies a set of obligations that the administrator may need to consider when applying strategies proposed here for restoring accountability. The paper also presents the system architecture of an authorization system that incorporates obligations that can require and affect authorizations.",
keywords = "Accountability, Authorization, Obligations, Policy, RBAC",
author = "Murillo Pontual and Omar Chowdhury and Winsborough, {William H.} and Ting Yu and Keith Irwin",
year = "2011",
month = "7",
day = "15",
doi = "10.1145/1998441.1998473",
language = "English",
isbn = "9781450307215",
pages = "175--184",
booktitle = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

}
