Relation Based Access Control (RelBAC ) is an access control model designed for the new scenarios of access control on Web 2.0. Under this model, we discuss in this paper how to formalize with Description Logics the typical authorization problems of access control together with the enforcement of an important security property: Separation of Duties (SoD) and some high level security policies about the composition of those subjects on which to separate the duties.
Access control is an important branch of computer security. Nowadays, access
control models become more and more complex in order to represent the
dynamics of the subject, i.e., the new scenario where objects and permissions of access
control are located on the web. Early access control models, such as Mandatory
Access Control and Discretionary Access Control, have evolved to more
complex models such as Role-Based Access Control (RBAC) [
In this paper, we discuss how to formalize the typical authorization
problems in the RelBAC model with a speci c Description Logic (DL), i.e., the DL
ALCQIBO [
with an access control domain speci c Description Logic in order to provide formal syntax and semantics plus an automated reasoning mechanism to facilitate the access control management.
The contributions of this paper are as follows: { Focusing on authorization problem of RelBAC , we discuss the usage of DL to formalize access control policies. { Di erent formalizations of Separation of Duties (SoD ) are analyzed as an important security property. { Dynamic SoD and high-level security policies about SoD are also formally represented and discussed.
The rest of the paper is organized as follows. Section 2 describes the DL exploited to capture the access control problems. Section 3 discusses the expressiveness of the proposed DL to faithfully capture the RelBAC application domain. In Section 4 we discuss the logical formalization of a security property, i.e., Separation of Duties. The related work is summarized in Section 5 and we make our concluding remarks in Section 6. 2
The Description Logic ALCQI BO
The logic ALCQIBO extends the description logic ALC [
De nition 1 (ALCQIBO Syntax). Let NC, NR and NI be pairwise disjoint and countably in nite sets of concept names, role names and individual names. Then concept expressions and role expressions are de ned as follows: C; D ::= A j :C j C u D j R; S ::= P j R j :R j R u S n R:C j faig where A 2 NC, P 2 NR, ai 2 NI and n 2 N.
A Knowledge Base (KB) is a pair K = hT ; Ai where T , called TBox, is a nite set of general concept inclusions (GCIs) of the form C v D and a nite set of general role inclusions (GRIs) of the form R v S, while A, called ABox, is a nite set of concept and role assertions of the form C(ai) and R(ai; aj ), with ai; aj 2 NI.
An ALCQIBO-interpretation, I, is a pair ( ; I ) where is a non-empty set called the domain of I and I is a function mapping each A 2 NC to a subset AI and each P 2 NR to a relation P I . Furthermore, I applies also to individuals by mapping each individual name ai 2 NI into an element aiI 2 such that aiI 6= ajI , for all i 6= j, i.e., we adopt the so called unique name assumption (UNA). We extend the mapping I to complex roles and concepts as follows: (R )I := f(y; x) 2 (:R)I :=
j (x; y) 2 RI g; n RI ; (:C)I :=
n CI ; (R u S)I := RI \ SI ; (C u D)I := CI \ DI ; (> n R:C)I := fx 2 j ]fy 2 j (x; y) 2 RI and y 2 CI g ng; faigI := faiI g: An ALCQIBO-interpretation I = ( ; I ) is said a model of a KB, K, i it satis es CI DI , for all C v D 2 K, RI SI , for all R v S 2 K, aiI 2 CI , for all C(ai) 2 A, and (aiI ; ajI ) 2 RI , for all R(ai; aj ) 2 A. In this case we say that K is satis able and write I j= K. A concept C (role R) is satis able w.r.t. K if there exists a model I of K such that CI 6= ; (RI 6= ;).
As usual, we can de ne a number of useful abbreviations:
C t D for :(:C u :D) (6 n R:C) for :(> n + 1 R:C) (= n R:C) for :(> n + 1 R:C) u (> n R:C) 9R:C for (> 1 R:C) 8R:C for (6 0 R::C) > for A t :A (for some concept A) ? for :>
U for R t :R (for some role R)
Note that, TBox axioms can be internalized. Indeed, we can encode each
axiom C v D as the concept expression 8U :(:C t D), while each role axiom
R v S can be encoded as the concept expression 8U :8(R u :S):?. (To encode
ABox assertions as concept expressions see [
Concerning the complexity of ALCQIBO, KB satis ability can be reduced
to reason over the two-variable rst-order fragment with counting quanti ers
which is NExpTime-complete [
Here we discuss the authorization problem, which deals with questions like `who is authorized to access what'. We distinguish two di erent phases: general authorizations on group of users and sets of resources, and ground authorizations onto individual users and/or resource instances. 3.1
In RelBAC , a generic permission P (e.g., Write) is modeled as a binary relation between a class of users U (e.g., SW-Developer) and a class of objects O (e.g., Java-Code). The following general constraints can be captured in ALCQIBO. 1. `The permission P applies only between users U and objects O'.
This is a form of domain and range constraint for the binary relation P and can be modeled in ALCQIBO with the following axioms:
Domain Restriction
Range Restriction 9P:> v U 9P :> v O 2. `Users in U can access just objects in O with P ' `Objects in O can be accessed just from users in U with P '.
We can represent these constraint using universal restrictions as: U v 8P:O Universal Restriction
O v 8P :U Universal Restriction 3. `Users in U are allowed to access (with P ) at most n objects in O' `At most n users in U are allowed to access any given object in O with P '. We can represent these constraints using cardinality constraints as: U v (6 n P:O) Cardinality Restriction
O v (6 n P :U ) Cardinality Restriction 4. `Users in U have access to at least m objects in O with P ' `At least m users in U have access to any object in O with P '.
We can represent these constraints using cardinality constraints as: U v (> m P:O) Cardinality Restriction
O v (> m P :U ) Cardinality Restriction 5. `All users in U have access to all objects in O with P ' `All objects in O are accessed by all users in U with P '.
This rule de nes a so called Total Access Control rule (TAC) and can be captured using the negation of roles constructor in cardinality restriction: U v 8:P::O O v 8:P ::U
TAC Rule
TAC Rule 3.2
Using the ABox mechanism of ALCQIBO we can assert particular facts associated to given individuals of the domain. The following is a list of the most common assignments concerning single individuals that can be captured in ALCQIBO (in the following u and o are individuals in NI, P is a role in NR, U and O are concepts in NC). 1. `The user u is allowed to access the object o with P '.
This is represented as: P (u; o).
For example, U pdate(david; mb903ll=a) says that `David is allowed to update the entry MB903LL/A'. 2. `The user u is allowed to access maximum n objects in O with P '.
This is represented as: (6 n P:O)(u).
For example, (6 5 U pdate:Digital)(David) says that `David is allowed to update maximum 5 entries of Digital'. 3. `The user u is allowed to access minimum n objects in O with P '.
This is represented as: (> n P:O)(u).
For example, (> 5 U pdate:Digital)(David) says that `David is allowed to update minimum 5 entries of Digital'. 4. `The user u is allowed to access all objects in O with P '.
This is represented as: (8:P::O)(u).
For example, (8:U pdate::Digital)(David) says that `David is allowed to update all entries in Digital'. 5. `Minimum n users in U are allowed to access the object o with P '.
This is represented as: (> nP :U )(o).
For example, (> 3 U pdate :Apple)(mb903ll=a) says that `At least 3 friends from Apple are allowed to update the entry MB903LL/A'. 6. `All users in U are allowed to access the object o with P '.
This is represented as: U v 9P:fog.
For example, Apple v 9U pdate:fmb903ll=ag says that `All friends from Apple are allowed to update the entry MB903LL/A'.
Besides the traditional access control rules which can specify only
`one-toone' and `one-to-many' mappings about individuals, we see that the ABox of
ALCQIBO provides many ways to write a ground access control rule in
RelBAC . Altogether, as is shown in Figure 1 (taken from [
So far we discussed the permission assignments at design time. When an access control request arrives at run time the access control should decide whether to accept or deny these requests according to the assignments done at design time. Since a RelBAC system is an ALCQIBO KB, while a request is captured by an ABox, then at run time the system decides to grant an access if by adding the ABox to the current KB the resulting KB is satis able. 4
Separation of Duties SoD is an important security property in modern access
control systems. It enforces that more than one person is required to complete
a task. In this section, we will discuss the general meaning of an SoD, its
enforcement at design and run time and the high-level security policy [
tive task consists of two steps, then two di erent users should perform mutually exclusive steps. More generally, when a sensitive task is composed of n steps, an SoD constraint requires the cooperation of at least k (for some k 6 n) di erent users to complete the task.
In one of the most well-known access control model, RBAC[
In RelBAC , a permission is a relation which links a subject with an object. To enforce this SoD in RelBAC , we can simply assert an axiom about the permissions. For example, suppose in a scenario of sales force automation3, to initiate, process, check and archive an order should not be completed by only one user. Suppose Initiate, Process, Check and Archive are four permissions with the same domain as users and co-domain as orders. The SoD above can be expressed in RelBAC as
Initiate u P rocess u Check u Archive v ? This policy restricts any pair (u; o) from belonging to all four sets Initiate, Process, Check and Archive.
In general, given n steps of a task step1; :::; stepn, the SoD requires at least k (k 6 n) users can ful ll all these n steps. Suppose any of the k users can ful ll 2 To be di erentiated from a DL role, the `role' in the RBAC model is a component simulating the real world enterprise organism. A user can only execute a permission assigned to the role that s/he can activate. 3 http://www.salesforce.com (k 1) m < n i:e: m 6 dn=(k 1)e 1 because k; m; n are all integers. This means intuitively that any user can be assigned to at most m of these duties as restricted in Formula 1. Thus, any m + 1 of these duties should not be assigned to one user. Then RelBAC can enforce the SoD with the following axiom: maximum m steps. In the worst case, everyone can ful ll equal number of steps, and satis es the following DL axiom: (1) (2) Cndn=(k 1)e dn=(k 1)e
G ( l i=1 j=1
Pij ) v ? in which Pij stands for one of the m permissions for each step, and Cnk is the binomial coe cient of `n choose k'.
Following the example above, given the 4 duties in the SFA scenario, an SoD requires that at least 3 users should be involved. This SoD can be enforced as follows.
(Initiate u P rocess) t (Check u Initiate) t (P rocess u Archive)t (P rocess u Check) t (Archive u Initiate) t (Check u Archive) v ? as Cndn=(k 1)e = Cd4=2e = C42 = 6.
4
An SoD can be enforced both at design and at run time. Up to now, we have discussed the SoD designed by the administrator o -line. An SoD enforced at run time intuitively means that the duties to be separated can be assigned to one user during design, but cannot be executed by her simultaneously.
RBAC ful lls it with the concept of session as representatives of the user at run time by restricting sessions from activation of separated roles. To enforce an SoD at run time, the concept of `session' has been introduced in the RBAC model. At run time, a user activates sessions to execute permissions. The duties assigned to the user at design time and restricted to be executed simultaneously are separated by enforcing that no session can execute them at the same time.
In RelBAC , we do not need the concept of `session', but use a run time permission to describe the state of a permission in execution to enforce SoD at run time.
execution of a permission. We assume that the name of a RTP is formed by alternating the verb (phrase) denoting the permission into the present participle of the verb (phrase). A user cannot be assigned to a RTP unless she has the permission for the original permission.
For each RelBAC permission, a RTP is introduced. For example, assume that Initiating is the RTP for the permission Initiate. As said above, a user cannot execute the permission Initiating without having the permission Initiate. Now, the SoD `a user cannot initiate and process an order at the same time ' is enforced as follows (we assume that both permissions have the same range, Order):
Initiating u P rocessing v ? In the real world, a user can be granted the permission to initiate an order (as a customer) and to process an order (as a sales agent), but cannot perform the two permissions (duties) simultaneously in order to avoid the process of one's own order.
Although an SoD can be enforced at design and run time with similar role axioms in RelBAC , the mechanisms regulating it are di erent. To enforce an SoD at run time, the monitoring mechanism should inform the access control system in real time, so that the current state such as Alice is initiating an order `Bolzano' should be recognized. Then the knowledge base should be updated with the new assertion Initiating(alice; bolzano). Therefore, the above SoD (ruling out the possibility of initiating and processing an order at the same time) in the KB K entails the following:
K t fInitiating(alice; bolzano)g j= :P rocessing(alice; bolzano) although Alice might have permissions to both initiate and process some order. For the general SoD property, the composition of the k users to complete the task is sometimes important. The administrator may like to constraint rst that these users are from certain groups, cardinality related constraints are also necessary for the composition.
N.Li et al. studied SoD in detailed requirements for speci c attributes of the
users in addition to numbers of each kind of users. An algebra was proposed in
[
Case 1 means that a customer should be involved to initiate the order and a manager should be involved to check the order, for the other users, the administrator does not care who processes and archives the order. Case 2 speci es that only customer and manager can be involved which means the same manager (or some other manager) will take charge of the duties to process and to archive. Case 3 is the most strict by allowing only one customer and one manager to be involved.
RelBAC can achieve this kind of constraints with object-centric rules with the cardinality restriction constructor. For example, as for the cases above, the three constraints for the set of users can be formalized as follows.
Order v (> 1 Initiate :Customer) u (> 1 Check :M anager) Order v 8Involve:(Customer t M anager) u
(> 1 Initiate :Customer) u (> 1 Check :M anager) Order v (= 2 Involve:(Customer t M anager)) u (= 1 Initiate :Customer) u (= 1 Check :M anager) u :9 Involve:(Customer u M anager) Where Involve is a permission more general than any of the 4 permissions for the 4 duties in the above schema, i.e.
Initiate t P rocess t Check t Archive v Involve
This kind of high-level security policy complements the general SoD policy as discussed in Section 4.1 because it has the full power to describe the composition of the set of subjects including the exact cardinality. 5
Description Logics [
F.Giunchiglia et al. introduced in [
In [
Another formalization of RBAC in DLs was proposed by J.Chae et al. [
These DL roles are supposed to connect users to RBAC roles or object to object classes. We explicitly use an ABox mechanism to better deal with individuals.
However, their work is relevant for our approach since: { They inspired us in the way they formalized operation, i.e., by introducing a binary relation from a subject to an object. { They extended RBAC with the object hierarchy similar to the user hierarchy which facilitates the permission propagation.
Recently, T.Finin et al. proposed to use OWL4 language as the formalization
of the RBAC model in [
Another important work is related with the formalization of SoD. N.Li et al.
studied SoD in [
k 1 8u1:::uk 1 2 U (( [ auth perms [ui]) 6 fp1:::png) i=1 (3) with universal quanti er on arbitrary k 1 users in space of U . Formula 3 speci es that the collection of all the permissions explicitly/implicitly assigned to this k 1 users should not be a superset of all the n steps of duties. Their solution has the complexity of (jU jk 1 n) which explodes to the cardinality of the subject space. In RelBAC , as shown in Formulas 2, our solution enforces a su cient but not necessary condition of the SoD because the `ceiling' operator (d e) is an approximation of the exact value for n=(k 1). For example, in the schema above, the representation are the same for k = 3 and k = 4. However the
computational complexity is only (nn=k). Considering that the number of steps
which is n, is far less than the number of users in the system, which is jU j, our
method is more e cient than [
An existing industry standard is XACML [
In this paper, we discussed a domain speci c Description Logic, i.e. ALCQIBO for access control, in which the reasoning is NExpTime-complete. Exploiting ALCQIBO to formalize the RelBAC model, we have been able to formalize the typical authorization problem of access control. Besides, we studied the formalization of an important security property which is the Separation of Duties (SoD ). Furthermore, di erent aspects of SoD can be formalized in ALCQIBO such as dynamic SoD and high level security policy of SoD.
A basic version of RelBAC has been implemented as described in [