1 Temporal Location-Aware Access Control Model Based on Composite Events Presented by Yu, Lijun

2 Outline Motivation Background The TL-RBAC model Composite event model Conditions Actions Conclusion and future work

3 Motivation Manager John agrees with the employee Bob that he can track Bob’s location only during office hours and when Bob is in office, i.e. 9AM – 5PM, M-F Bob paid twenty dollars per month for roadside assistant service so that he can use that service for up to thirty hours per week Solution: A combined temporal and location based RBAC model

4 Background PA Session_rolesUser_sessions USERSROLES SESSIONS PRMS OPS OBS RH UA

5 Temporal RBAC model Temporal constraints User assignment Permission assignment Role activation Role enabling RBAC Constraints Temporal constraints can be Duration constraints Periodic constraints

6 Temporal RBAC model Role Status Expressions Role Triggers Run-time requests Execution model

7 Location-based access control model Location is modeled as a set of points Location constraints on User assignment Permission assignment Role activation Permission (object location) Users have dynamic access control at different user location and object location

8 The TL-RBAC model Composite event model Conditions Actions

9 Composite event model Based on the Snoop event specification language for active databases Extension Primitive RBAC events Primitive location-based events Duration composite constructs

10 Composite event model Primitive events Primitive RBAC events Primitive location-based events Temporal Composite events Periodic / APeriodic Disjunction / Conjunction Sequence Duration

11 TL-RBAC system state The TL-RBAC system state is a tuple S = where ER  Roles is a set of enabled roles, UA: Users   (Roles) is a function to get the set of roles assigned to the user UT: Users   (Roles) is a function to get the set of roles activated by the user PA: Roles  (Permissions) is a function to get the assigned set of permission of a role RS = Time  Priority  Expressions is the set of role enabling expressions, where Expressions can be one of the following formats: assign r to u, that is assign role r to user u de-assign r to u, that is de-assign role r from user u assign p to r, that is assign permission p to role r de-assign p to r, that is de-assign permission p from role r enable r, that is enable role r disable r, that is disable role r activate r for u, that is activate role r by user u deactivate r for u, that is deactivate role r by user u

12 TL-RBAC predicates TL-RBAC predicates are boolean expressions comprised of role status predicates and location-based predicates where Role status predicates can be: r  er indicates whether role r is enabled in set er  ER r  ua(u) indicates whether role r is assigned to user u in function ua  UA r  ut(u) indicates whether role r is activated by user u in function ut  UT p  pa(r) indicates whether permission p is assigned to role r by function pa  PA Location-based predicates can be: location(u)  loc location(obj)  loc loc1 = loc2

13 TL-RBAC Action and Action Semantics The TL-RBAC action is defined as Actions  Priority  Expressions, where Actions = {Add, Remove, Execute} The semantics of each TL-RBAC action is modeled as transition of TL-RBAC system state, that is S(ER, UA, UT, PA, RS)  S’(ER’, UA’, UT’, PA’, RS’) where S is the TL-RBAC system state before the action and S’ is the state after the action.

14 Runtime Request Event: [Now] + [  t] Condition: TL-RBAC predicates Actions: TL-RBAC-Action(t, ) where t is the time that the event occurs, p  Priority and e  Expressions

15 Role Trigger Event: Any(n, E1, E2, …, En) + [  t] Condition: TL-RBAC predicates Actions: TL-RBAC-Action(t, ) where t is the time that the event occurs, p  Priority and e  Expressions

16 Periodic TL-RBAC Constraints Monday = P([09:00:00)04/04/2005], [7days], [*/*/*])) Friday = P([09:00:00)04/08/2005], [7days], [*/*/*])) Ebegin = Any(1, Monday, Friday) Eend = Ebgin + [8 hours] Event: Ebegin Condition: true Actions: TL-RBAC-Action(t, ) where t is the time that the event occurs Event: Eend Condition: true Actions: TL-RBAC-Action(t, ) where t is the time that the role enabling expression is added

17 Duration TL-RBAC Constraints E1 = D*(activate player for John, [30 minutes], deactivate play for John) Event: A([(09:00:00)*/*/*], E1, [(17:00:00)*/*/*]) Condition: true Actions: TL-RBAC-Action(t, ) where t is the time that the event occurs

18 Location-based TL-RBAC Constraints Event: User Location Changing or Object Location Changing Condition: TL-RBAC predicates Actions: TL-RBAC-Action(t, ) where t is the time that the event occurs, a  Actions, p  Priority and e  Expressions

19 Related work Snoop model independent event specification language for active databases S. Chakravarthy and D. Mishra [3] The temporal RBAC model (TRBAC) and GTRBAC model Elisa Bertino James Joshi et al. The LRBAC model

20 Conclusion and future work Duration Event detection Temporal Role hierarchy Temporal cardinality constraints

21 Questions