Delegatable Authorization Program and Its Application

University of Western Sydney School of Computing and Information Technology

Delegatable Authorization Program and Its Application Chun Ruan [email protected] May 2003

Technical Report No. CIT/20/2003

Delegatable Authorization Program and Its Application

Chun Ruan, Vijay Varadharajan and Yan Zhang
School of Computing and Information Technology
University of Western Sydney
Penrith South DC, NSW 1797 Australia
E-mail: {chun,vijay,yan}@cit.uws.edu.au

Abstract

Data protection is a significant issue in any secure information system. In this paper, we present a decentralized authorization delegation model in which users can be delegated, granted or forbidden access rights. This security model is formulated as an extended logic program, and detailed considerations of how to evaluate the semantics of the program are given. In particular, the conflict problem is addressed, and a resolution method based on the underlying delegation relations and the hierarchical structures of subjects, objects and access rights is presented. Finally, as an application, we show how this framework can support different electronic consent models within the context of health care.

Key words: information security, authorization, access control, logic programming

1 Introduction

Data protection is a significant issue in any secure information system. Proper access control models are needed to protect information privacy and security. The discretionary access control model has long been a widely accepted and used model in the real world. One of the key issues for discretionary access control is the authorization administration policy, which refers to the function of granting and revoking authorizations. The two major administration policies are centralized and decentralized administration. With centralized administration, only one central authorization unit has the privilege to grant and revoke authorizations. This usually reflects the situation in enterprises, and authorizations remain easy to survey. But it is rather inflexible, since usually no individual can know what controls are appropriate for every object when the number of objects is very large. With decentralized administration, on the other hand, multiple subjects may have the privilege to grant and revoke authorizations, and the administration privilege can usually be delegated between subjects. Decentralized authorization usually follows the ownership paradigm; i.e. the creator of an object possesses all possible access rights on it, and can grant and delegate authorizations on this object to other subjects. It is rather flexible and suited to the particular requirements of individual subjects. Most commercial DBMSs adopt such decentralized authorization. Nevertheless, the authorizations become more difficult to control, since multiple subjects can grant and revoke authorizations, and the problem of cascading and cyclic authorizations may arise. Furthermore, when both positive and negative authorizations are allowed in a decentralized authorization model, the conflict problem becomes crucial, since multiple administrators greatly increase the chance of conflicts, and cyclic authorizations may lead to unexpected situations. Currently most existing database systems do not support authorization delegation and negation at the same time.

On the other hand, supporting inheritance of authorizations can often effectively simplify the specification and evaluation of authorizations, especially in application domains where inheritance is an important feature, such as object-oriented databases. For example, a member of a group usually inherits all the access rights granted to the group. If someone is granted write access to a directory, it is often implied that he/she should be able to read the directory and all files in it. When authorization inheritance is under consideration, the conflict problem becomes more complex, since many implicit conflicts among different types of authorizations may arise.

This paper presents a framework which supports authorization delegation, authorization negation and authorization inheritance. A conflict resolution method based on the underlying delegation relation is proposed, which gives higher priority to predecessors in the delegation relation in order to achieve controlled delegation. For conflicts whose grantors are not delegation-connected, the more-specific-takes-precedence principle is used to support exceptions. To take advantage of the strong expressive and reasoning power of logic programming, we develop our framework based on extended logic programs [4], which support both negation as failure and classical negation.
Extended logic programs, whose semantics are formalised on the basis of nonmonotonic reasoning, have strong expressive power in the sense that they can deal directly with incomplete information in reasoning. Since incomplete information is a common issue in the security world, many access control policies are easier to specify in extended logic programs. For example, if we want to express negation by default, such as "s is denied to read the file F if s is not granted to read it", negation as failure (weak negation) is often the most direct way to express this intention. On the other hand, in many situations classical negation (strong negation) is useful to explicitly specify that something is forbidden. In our framework, authorization rules are specified in a delegatable authorization program (DAP), which is an extended logic program associated with different types of partial orderings on the domain; these orderings specify the various inheritance relationships among subjects, objects and access rights in the domain. The semantics of a DAP is defined based on the stable model concept, and conflict resolution is achieved during model generation for the DAP. As an application, we show how this framework can support different electronic consent models within the context of health care.
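To make the behaviour described in the introduction concrete, the following is an added example; it is not code from the paper and it does not implement the DAP semantics or stable-model evaluation the paper defines. It is a plain Python evaluator, written for this page, that models ownership-based administration, delegation of the administrative privilege, positive and explicitly negative authorizations, inheritance through group membership, and the two conflict-resolution rules just named: among delegation-connected grantors the predecessor wins; otherwise the more specific authorization wins (specificity here is measured along the subject hierarchy only). Absence of any applicable authorization is treated as denial, which is the negation-as-failure reading; an explicit negative authorization plays the role of classical negation. The subjects, objects and the deny-wins tie-break for any residual conflict are constructed assumptions.

```python
"""Toy delegatable-authorization evaluator (added illustration, not the paper's DAP)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    grantor: str      # who issued the authorization
    subject: str      # a user or a group (groups are inherited by members)
    obj: str
    right: str
    positive: bool    # True = grant, False = explicit denial (strong negation)


class AuthStore:
    def __init__(self, owners, member_of, delegations):
        self.owners = owners            # obj -> owning subject (ownership paradigm)
        self.member_of = member_of      # subject -> its group (single parent, may chain)
        self.delegations = delegations  # set of (delegator, delegatee, obj, right)
        self.auths = []

    def subject_chain(self, s):
        """s followed by its groups, nearest first: index 0 is the most specific."""
        chain = [s]
        while chain[-1] in self.member_of:
            chain.append(self.member_of[chain[-1]])
        return chain

    def is_predecessor(self, a, b, obj, right):
        """True if a != b and a delegation path a -> ... -> b exists for (obj, right)."""
        if a == b:
            return False
        seen, queue = {a}, deque([a])
        while queue:
            cur = queue.popleft()
            for x, y, o, r in self.delegations:
                if x == cur and o == obj and r == right and y not in seen:
                    if y == b:
                        return True
                    seen.add(y)
                    queue.append(y)
        return False

    def can_administer(self, grantor, obj, right):
        """The owner, or anyone reachable from the owner by delegation, may grant/deny."""
        owner = self.owners.get(obj)
        return owner is not None and (
            grantor == owner or self.is_predecessor(owner, grantor, obj, right))

    def add(self, auth):
        if not self.can_administer(auth.grantor, auth.obj, auth.right):
            raise PermissionError(f"{auth.grantor} may not administer {auth.right} on {auth.obj}")
        self.auths.append(auth)

    def decide(self, subject, obj, right):
        """Return True iff subject holds right on obj after conflict resolution."""
        chain = self.subject_chain(subject)
        applicable = [(chain.index(a.subject), a) for a in self.auths
                      if a.subject in chain and a.obj == obj and a.right == right]
        if not applicable:
            return False                      # negation as failure: nothing granted -> denied
        pos = [x for x in applicable if x[1].positive]
        neg = [x for x in applicable if not x[1].positive]
        if not neg:
            return True
        if not pos:
            return False

        def overridden(x, rivals):
            dist, a = x
            for d2, b in rivals:
                # Rule 1: a delegation predecessor of a's grantor overrides a.
                if self.is_predecessor(b.grantor, a.grantor, obj, right):
                    return True
                # Rule 2: grantors not delegation-connected -> more specific wins.
                connected = self.is_predecessor(a.grantor, b.grantor, obj, right)
                if not connected and d2 < dist:
                    return True
            return False

        surviving_neg = [x for x in neg if not overridden(x, pos)]
        surviving_pos = [x for x in pos if not overridden(x, neg)]
        if surviving_neg:
            return False                      # assumption: residual conflict -> deny
        return bool(surviving_pos)


def build_example():
    """Constructed scenario; all names are made up for this illustration."""
    store = AuthStore(
        owners={"F": "alice", "G": "alice"},
        member_of={"bob": "staff"},
        delegations={("alice", "carol", "F", "read"),
                     ("alice", "carol", "G", "read"),
                     ("alice", "erin", "G", "read")},
    )
    # On F the owner grants the group; her delegatee carol denies one member.
    store.add(Auth("alice", "staff", "F", "read", True))
    store.add(Auth("carol", "bob", "F", "read", False))
    # On G carol and erin are both delegatees of alice but not connected to each other.
    store.add(Auth("carol", "staff", "G", "read", True))
    store.add(Auth("erin", "bob", "G", "read", False))
    return store


if __name__ == "__main__":
    s = build_example()
    print("bob read F:", s.decide("bob", "F", "read"))    # predecessor (alice) wins -> True
    print("bob read G:", s.decide("bob", "G", "read"))    # more specific (erin's denial) -> False
    print("frank read F:", s.decide("frank", "F", "read"))  # nothing applicable -> False
```

On F, carol's denial loses because alice, who granted the group, is carol's delegation predecessor: the delegator keeps control over what the delegatee can undo. On G, carol and erin are not delegation-connected, so erin's denial, issued on bob himself rather than on his group, takes precedence as the more specific authorization.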

2 Syntax of DAP

Our language L is a many-sorted first order language, with four disjoint sorts S, O, A, and T for subjects, objects, access rights and authorization types respectively. Variables are denoted by strings starting with an underscore, and constants by ordinary strings. Three partial orders
