Temporal Authorization Bases:
from Specication to Integration
E. Bertino1, P.A. Bonatti1, E. Ferrari1, M.L. Sapino2
1
Computer Science Department
University of Milano
Computer Science Department
University of Torino
e-mail: [email protected]
2
e-mail: fbertino,[email protected]
[email protected]
Abstract
In this paper we present a powerful authorization mechanism which provides support for:
(1) periodic authorizations (both positive and negative), that is, authorizations that hold only
in specic periods of time (2) user-dened deductive temporal rules, by which new authorizations can be derived from those explicitly specied (3) a hierarchical organization of subjects
and objects, supporting a more adequate representation of their semantics. From the authorizations explicitly specied, additional authorizations are automatically derived by the system
based on those hierarchies. The resulting model is therefore very exible in terms of the kinds
of protection requirements that it can represent. The exibility provided to the users requires a
non trivial underlying formal model where temporal constraints, derivation rules and object and
subject hierarchies can be represented. In particular, when inheritance and derivation rules are
used simultaneously, there is need for conditions ensuring that the authorization base is free from
ambiguities. In this paper, we introduce a notion of safeness , and prove that it guarantees the
absence of ambiguities and inconsistencies in the specication. Moreover, we dene an ecient algorithm for computing authorizations from safe specications. Finally, we provide a methodology
for supporting temporal authorizations in heterogeneous, distributed systems.
1
1 Introduction
Authorization mechanisms, such as the ones supported by commercial DBMSs, are based on a very
simple paradigm: when a subject must be allowed for an operation on an object an authorization is
granted to him/her. The subject is then allowed for the access until the authorization is explicitly
removed. This paradigm, although being very simple and easy to implement, is not suitable for several
application domains characterized by more complex security requirements. A promising research
direction is therefore the development of authorization mechanisms which extend the expressive
power of those provided as part of commercial DBMSs or research prototypes.
An important requirement, common to many applications, is related to the temporal dimension
of access permissions. In many application domains, permissions hold only for specic time periods
and, moreover, authorizations must be tailored to the pattern of subjects' activities. As an example,
consider part-time sta that should be authorized for accesses only on working days between 9 a.m.
and 1 p.m. Periodic authorizations are also crucial for optimizing resource usage. In particular,
authorizations for the execution of resource-expensive application programs could be restricted to
specic time periods in which other programs are not likely to be executed.
Another crucial requirement is the possibility of expressing the relationships that usually exist
among dierent authorization subjects and among dierent objects. In most application domains,
subjects and objects are hierarchically organized. The semantics of these hierarchies depends on the
considered domain. For instance, the object hierarchy usually denes the composition of an object
in terms of other objects (for instance, a directory immediately precedes in the hierarchy the les it
contains), whereas the subject hierarchy usually reects the relative position of subjects within the
organization (for instance, a manager is at higher level in the hierarchy than an employee).
In this paper, we present an authorization model that provides integrated support for all the
aforementioned features. In the model, periodic authorizations can be specied: positive authorizations, for granting a privilege negative authorizations, for explicitly denying a privilege. Subjects
and objects are organized into hierarchies, supporting a more adequate representation of their semantics. Authorizations automatically propagate along these hierarchies in that a subject may inherit
authorizations specied for more general subjects and objects, unless conicting authorizations are
explicitly provided. In this case, the most specic authorization is considered as prevailing. Such
inheritance rules are a means to concisely express many protection requirements. For instance, if
a user wishes to authorize all the employees to access the les of a given directory he/she can do
this by specifying only one authorization, having as subject the class \employee" and as object the
directory. Such an authorization automatically propagates to all the employees and all the les in the
directory. However, our model still allows the owner to retain complete control over his/her objects,
as the owner can always specify positive and negative exceptions to propagated authorizations, by
issuing authorizations at the lowest levels in the hierarchies. Thus, the resulting model provides a
high degree of exibility coupled with the possibility of enforcing stricter controls on crucial data
items.
Another relevant feature of our model is the possibility of specifying derivation rules expressing
temporal dependencies among authorizations. These rules allow the derivation of new authorizations
based on the presence or absence of other authorizations in specic periods of time. By using derivation rules, many protection requirements can be concisely and clearly specied for example, it is
possible to specify that two users, working on the same project, must receive the same authorizations
on certain types of objects, or that a user should receive the authorization to access an object in
certain periods only if nobody else is authorized to access the same object within the same periods.
Derivation rules are specied (i) by constraining the rule application with a temporal expression,
(ii) by providing the authorization to be derived, (iii) by specifying one of the three temporal dependency operators provided by the model, and, nally, (iv) by giving the body of the rule in the
2
form of a boolean expression of authorizations. The three temporal operators correspond to the
three main temporal relations between authorizations that we have identied in common protection
requirements.
The main technical contributions of this paper are the following:
1. The paper extends the periodic authorization model of 1] with hierarchies of subjects and
objects, and with authorization inheritance along those hierarchies. We adopt a standard form
of inheritance, where more specic authorizations override general ones, and where conicts
arising from multiple inheritance are solved according to the denial-take-precedence principle. This extension, despite its standard nature, requires sophisticated machinery for checking
consistency and non-ambiguity of the authorizations, and for materializing the specications.
2. The paper introduces a methodology for supporting temporal authorizations in heterogeneous distributed environments. It builds upon the method for integrating heterogeneous
subject/object hierarchies of 3] to achieve a complete integration methodology for entire authorization bases (specied according to the proposed model), tackling the diculties caused
by interference of derivation rules belonging to dierent authorization bases.
In the following we illustrate the above points in more details.
The periodic authorization model presented in 1] supports both periodic authorizations and
derivation rules. The introduction in such model of a hierarchical organization of subjects and
objects is a major extension, both for the practical relevance of subject and object hierarchies in
specifying authorizations and for the involved theoretical and performance issues. When inheritance
and authorization rules are used simultaneously, subtle ambiguities may arise, as illustrated by the
following example.
Example 1.1 Consider the following protection requirements: (R1 )If subject s has write permission
on object o, then s has also read permission on o (R2) if s does not have read permission on
object o, then s must not have write permission on o, either. These requirements can be easily
expressed through the derivation rules supported by our model. Assume also that s0 is the head of
the administration department, and that an authorization A1 stating that s0 can write all documents
of his/her department therefore exists. Now consider a classied administration document o0. The
security administrator tries to protect this document through a general authorization A2 stating that
no user can read o0. Unfortunately, the resulting security specication is ambiguous. In fact, there
are two mutually incompatible possibilities:
1. An authorization A01, stating that s0 can write o0, is inherited from A1, because o0 is an instance
of the class of documents of the administration department. By R1 , it follows that s0 can read
o0. Such inferred authorization blocks inheritance from A2 that is, it is not derived that s0
cannot read o0.
2. An authorization A02, stating that s0 cannot read o0 , is inherited from A2 , because s0 is an instance
of the class of all users. By R2, it follows that s0 cannot write o0 . This blocks inheritance from
A1 that is, A01 cannot be derived, and s0 cannot write o0 .
Clearly, it would be hard to detect such ambiguities in specications of realistic size, without the
help of some automated tool. This task is further complicated by the fact that authorizations can be
independently formulated by dierent users. Therefore, users are generally not aware of every single
authorization and rule in the system. The standard solution to this problem (adopted in 1]) consists
3
in requiring the rules to satisfy so-called stratiability conditions. Unfortunately, stratiability does
not solve the problem in Example 1.1, R1 and R2 can be encoded in a specication which is stratied,
according to 1]. Technically speaking, the problem is that inheritance introduces \hidden rules" that
make authorization bases always equivalent to non-stratied logic programs 9]. Such programs, in
general, may be ambiguous (in the above sense) or inconsistent. Moreover no general, ecient way
of computing their models is known (the problem is NP-hard). Thus, dealing simultaneously with
rules and inheritance requires the development of new techniques. In this paper, we introduce a
notion of safeness , and prove that it guarantees the absence of ambiguities and inconsistencies in
the specication. Moreover, we dene an ecient algorithm for computing authorizations from safe
specications, by dynamically rening a sort of stratication during the computation.
The enrichment of 1] with inheritance, the notion of safeness, the new materialization algorithm,
as well as all the related machinery, are all original contributions of this paper, not present in 1].
The extension to 1] proposed in the current paper is particularly important when dealing with
the interoperability of heterogeneous, distributed systems. In this framework, dierent local security
policies have to be represented and integrated at a global level, to guarantee interoperability and to
detect possible inconsistencies and security breaches 11]. Such global representation and integration
involves (among other issues) establishing mappings among dierent object types and subjects. Such
mappings, as when dealing with integration of heterogeneous data models, require the notion of hierarchy for both the object types and the subject types. In this paper, we also propose a methodology
and related mechanisms (based on the work presented in 3]) for integrating dierent authorization
bases, specied according to our temporal authorization model into one global authorization base,
and for testing the safety of the global authorization base.
Only the problem of merging heterogeneous hierarchies was tackled in 3]. We extend that work
by providing a complete integration methodology for combining entire authorization bases. For
instance, we tackle the ambiguities and inconsistencies resulting from interference of inference rules
belonging to dierent \local" authorization bases. For this purpose we shall introduce the notions
of critical constraints and rules, authorization base normalization, and specify their intended use.
The remainder of this paper is organized as follows. Section 2 describes the formalisms we use
to represent periodic time. Section 3 introduces the basic components of the authorization model,
whereas Section 4 gives their formal semantic, introduces the notion of safe authorization base and
gives a mechanism to check whether an authorization base satises this condition. Section 5 provides
an algorithm to eciently compute the set of authorizations derivable from a given authorization
base. Section 6 presents the methodology for supporting temporal authorizations in heterogeneous,
distributed systems. Section 7 surveys related work. Section 8 concludes the paper and outlines
future work. Finally, Appendix A reports the formal proofs of the main theoretical results contained
in the paper.
2 Periodic Expressions
A symbolic (user friendly) formalism to represent periodic time is provided. The formalism consists
of a pair hbegin,end], Pi where P is a periodic expression denoting an innite set of time intervals,
and begin,end] denotes the lower and upper bounds that are imposed on time intervals in P.
The formalism for periodic expressions is essentially the one proposed in 12], based on the notion
of calendars. A calendar is dened as a countable set of contiguous intervals,1 numbered by integers
called index of the intervals.
A subcalendar relationship can be established between calendars. Given two calendars C1 and
C2 , we say that C1 is a subcalendar of C2 , (written C1 v C2), if each interval of C2 is exactly
1
Two intervals are contiguous if they can be collapsed into a single one (e.g., 1 2] and 3 4]).
4
covered by a nite number of intervals of C1 . New calendars can be dynamically constructed from
the existing ones, by means of a function generate() (cfr. 1] for a formal denition), a reference time
instant , and a basic calendar (the tick of the system), denoted by ?. In the following, we postulate
the existence of a set of calendars containing at least Hours, Days, Weeks, Months, and Years, where
Hours is the calendar with nest granularity.
Calendars can be combined to represent more general sets of periodic intervals, not necessarily
contiguous, like, for instance, the set of Mondays or the set of The third hour of the rst day of each
month. Complex sets of periodic intervals, like the ones above, are represented by means of periodic
expressions, formally dened as follows.
Denition 2.1 1] Given calendars Cd C1 : : : Cn, a periodic expression is dened as P = Pni=1 Oi:Ci
r:Cd, where O1 = all, Oi 2 2IN fallg and Ci v Ci;1 for i = 2 : : : n, Cd v Cn, and r 2 IN.
The left-hand side of identies the set of starting points of the intervals, while the right-hand
side species the duration. For example, all:Y ears + f3 7g:Months 2:Months represents the set of
intervals starting at the third and seventh month of every year, and having a duration of 2 months. In
practice, Oi is omitted when its value is all, whereas it is represented by its unique element when it is
a singleton. r:Cd is omitted when it is equal to 1:Cn. The innite set of time intervals corresponding
to a periodic expression P is denoted by (P). Function () is formally dened as follows.
Denition 2.2 1] Let P = Pni=1 Oi:Ci r:Cd be a periodic expression, then (P) is a set of time
intervals whose common duration is r:Cd, and whose set S of starting points is computed as follows:
if n=1, S contains all the starting points of the intervals of calendar C1
if n > 1, and On = fn1 : : : nk g, then S contains the starting points of the
nth1 : : : nthk intervals
P
n
;1 Oi:Ci 1:Cn;1 ).
(all intervals if On = all) of calendar Cn included in each interval of ( i=1
Symbolic expressions for the bounds begin and end are needed. Such expressions identify a single
instant in the basic calendar, or the special value 1. While the results of this paper do not rely on
a particular choice for this formalism, for simplicity, we will denote the bounds begin and end by
date expressions of the form mm/dd/yyyy:hh, with the obvious intended meaning end can also be
1. The set of time instants denoted by hbegin,end], Pi is formally dened as follows.
Denition 2.3 Let t be a time instant. t 2 Sol(begin end] P) i 9I 2 (P) such that t 2 I and
tb t te , where tb , te are the instants denoted by begin and end, respectively.
3 The Hierarchical Temporal Authorization Model (HTAM)
In this section we illustrate the basic components of our hierarchical temporal authorization model
(HTAM for short). The description will mostly be informal (the formal denitions will be given in
Section 4).
In the following, S denotes the set of subjects, O is the set of objects, and M is the set of access
modes. The members of S are the identiers with which users connect to the system. We suppose
identiers may refer to single users (e.g., Ann or Bob) or roles (e.g., staff or manager). Subjects and
objects are structured into hierarchies. Figure 1 shows an example of subject and object hierarchies.
HTAM makes it possible to express periodic authorizations, that is, authorizations that hold in
specic time intervals specied by a periodic expression. Moreover, each authorization is labeled with
a time interval, that imposes lower and upper bounds to the potentially innite set of instants denoted
by the periodic expression. We refer to an authorization together with its time interval and periodic
5
documents
subjects
managers
staff
admin-staff
tech-staff
d1
Ann
John Bob
papers
admin
Cleo
.. .
.. .
dn
p1
pk
Dan
Figure 1: An example of subject and object hierarchies
expression as periodic authorization . Periodic authorizations can be positive or negative. Positive
authorizations represent permissions, whereas negative authorizations represent explicit denials to
exercise a privilege on a given object.
Formally, a periodic authorization has the following structure.
Denition 3.1 1] A periodic authorization is a triple (begin,end],period,auth), where begin
is a date expression, end is a date expression denoting either 1 or an instant greater than or equal
to the one denoted by begin, period is a periodic expression, auth is a tuple (s,o,m,pn,g), with
s g 2 S , o 2 O , m 2 M , and pn 2 f + ; g.
Triple (begin,end],P,(s,o,m,pn,g)) states that subject s is authorized (if pn = `+') or denied (if
pn = `;') for access mode m on object o by subject g for each instant in Sol(begin end] P). For example, the periodic authorization A1 = (1/1/1999,1],Mondays,2 (Matt,o1,read,+,Bob)), specied by Bob, states that Matt has the authorization to read o1 each Monday starting from 1/1/1999.
We assume that conicting periodic authorizations may be simultaneously specied. This is
a natural assumption both in discretionary frameworks (where dierent grantors may concurrently
grant authorizations on the same objects) and in federated databases (where independently developed
local security policies need to be merged to obtain secure interoperation). For example, suppose that
authorization A2 =(1/1/2000,1],Working-days,(Matt,o1,read,-,Tom)) is specied in addition
to authorization A1 . We then have for each Monday in the interval 1/1/2000,1] both a positive
and a negative authorization with the same subject, object and access mode. We solve this conict
according to the denials-take-precedence principle 10]. As a consequence, Matt will be allowed to
read o1 only for the Mondays in 1/1/1999,12/31/1999]. This mechanism is captured by the
notion of validity informally, a positive authorization (s o m + g) is valid at a given instant t, if no
conicting authorization (s o m ; g0) holds at the same instant. On the other hand, each derivable
negative authorization is valid (the notion of validity will be formalized in the next section).
Note that subject and object hierarchies impact the authorizations a subject possesses in that
a subject may inherit authorizations specied for more general subject and object classes, unless
specic conicting authorizations are explicitly provided.
Example 3.1 Consider the hierarchies illustrated in Figure 1. Intuitively, a periodic authorization
such as (1/1/1999,1],?,(staff,admin,read,+,Ann)) means that all the sta members can
read, starting from 1/1/1999, each administration document, unless explicitly stated otherwise . So
Here and in the following we use intuitive names for periodic expressions, assuming that they are dened with the
syntax shown in Section 2.
2
6
for instance, in the absence of further authorizations, (John,d3,read,+,Ann) and (Bob,d7,read,+,
Ann) hold starting from 1/1/1999. By contrast, in the presence of a periodic authorization such
as (1/1/2000,1],?,(Bob,d7,read,-,John)), Bob would be allowed to read document d7 only
during 1999 (more precisely, the authorization (Bob,d7,read,+,Ann) would not be inherited after
the end of 1999).
Of course, a positive authorization may block the inheritance of a negative authorization, as the
following example shows.
Example 3.2 Given the following authorizations:
(A1)(5/1/2000,1/31/2001],?,(Bob,p4,write,+,Cleo))
(A2) (1/1/2000,1],?,(Bob,papers,write,-,Dan))
inheritance of A2 is blocked during the interval of validity of authorization A1 . As a result, Bob can
write p4 in the period May 2000/January 2001, whereas he has an explicit denial to write p4 in the
period January/April 2000 and from February 2001 on.
In case of multiple inheritance, conicts are solved in a conservative fashion, according to the
denials-take-precedence principle.
Example 3.3 Consider subject Bob and document d6. Suppose that the following authorizations
are specied:
1],?,(staff,d6,write,-,Cleo))
(1/1/2000,1],?,(Bob,admin,write,+,Cleo))
(1/1/2000,
none of them is more specic than the other. In this case, the negative authorization is thus preferred,
and only (Bob,d6,write,-,Cleo) is inherited.
Besides explicit periodic authorizations and authorizations implied by the subject and object
hierarchies, HTAM supports user-dened derivation rules , as a further means to derive authorizations
from those explicitly given. Like periodic authorizations, derivation rules have a time interval and a
periodicity constraint, representing the set of instants at which the rule can be applied. Derivation
rules are formally dened as follows.
Denition 3.2 1] A derivation rule is a triple (begin,end], period, A op F ), where begin is
a date expression, end is either the constant 1 or a date expression denoting an instant greater than
or equal to the one denoted by begin, period is a periodic expression, A is an authorization, F is a
boolean expression of authorizations, and op is one of the operators: whenever , aslongas , upon .
The authorization A is called the head of the rule F is called body .
Denition 3.3 A hierarchical temporal authorization base (HTAB) is a set of periodic authorizations
and derivation rules.
The notion of validity, previously introduced for authorizations, naturally extends to boolean
combinations of authorizations. Given an expression F and an instant t, let F 0 be the formula
obtained from F by replacing each authorization valid at t with true and every other authorization
with false we say that F is valid at time t if F 0 evaluates to true.
7
(A1 ) (1999,5/20/2000], ?,(managers,documents,read,+,Sam))
(A2 ) (10/1/1999,1], Fridays,(admin-staff,admin,write,+,Sam))
(A3 ) (1999,2000],Working-days,(Cleo,p1,read,-,Sam))
(R1 ) (1999,2001], Working-days, (tech-staff,admin,read,+,Sam) aslongas
:(admin-staff,admin,write,+,Sam))
(R2 ) (2000,1], Mondays and Fridays, (tech-staff,papers,write,+,Sam) upon
:((managers,papers,read,+,Sam) _ (admin-staff,papers,read,+,Sam)))
(R3 ) (2000,2001], Thursday, (Cleo,d1,read,-,Sam) whenever (John,d2,read,+,Sam) ^
(Ann,d2,read,+,Sam))
Figure 2: An example of HTAB
Roughly speaking, rule (begin,end], P, A op F ) states that for each instant in Sol(begin end]
P), A can be derived provided that F is valid at the same instant, or in a certain set of past instants
(depending on op). The grantor of A should be the subject who species the rule.
The following is an intuitive account of the semantics of derivation rules. It will be assumed that
all authorizations are granted by the same subject therefore, the grantor will not be considered in
the discussion.
(begin,end], P, A whenever ).
We can derive A for each instant in (begin end] P) where is valid. For instance, rule R3
in Figure 2 states that Cleo has an explicit denial to read document d1 each Thursday, from
1/1/2000 to 12/31/2001, in which both user Ann and John can read document d2.
(begin,end],P, A aslongas ).
Authorization A can be derived at instant in (begin end] P) if is valid for each instant
in (begin end] P) from the rst one up to . This implies that the aslongas rule cannot be
used anymore to derive authorization A, starting from the rst instant
(begin end] P)
in which is not valid. For instance, rule R1 in Figure 2 states that tech-staff can read admin
each working day in 1/1/1999,12/31/2001] until the rst working day in which admin-staff
will be allowed to write admin.
F
Sol
F
Sol
F
t Sol
t
t 2 Sol
F
F
F
(begin,end],P, A upon ).
We can derive A for each instant in (begin end] P) such that there exists an instant 0
in (begin end] P), 0 , such that is valid at time 0 . For instance, rule R2 in Figure 2
states that tech-staff can write papers each Monday and Friday starting from the rst
greater than or equal 1/1/2000 in which both managers and admin-staff are not authorized
to read papers.
Sol
t t
t
Sol
F
t
t
Example 3.4 Consider the HTAB in Figure 2 and the subject and object hierarchies in Figure 1.
The following authorizations can be derived:
(tech-staff,admin,read,+,Sam) for each Working day in 1/1/1999,9/30/1999], from rule
R1 and authorization A2 . Note that 10/1/1999 is the rst Friday in (10/1/1999,
]).
(tech-staff,papers,write,+,Sam) for each Monday and Friday from 5/22/2000, from rule
R2 and authorization A1 . Note that authorization A1 implies an authorization for managers
1
8
to read
papers for each day in 1/1/1999,5/20/2000]. 5/22/2000 is
1/1/2000, ] in which neither managers nor staff can read papers.
1
the rst Monday in
(Cleo,d1,read,-,Sam) for each Thursday from 1/1/2000 to 5/20/2000 from rule R3 and
authorization A1. Note that A1 implies an authorization for Ann and John to read documents
for each day from 1/1/1999 to 5/20/2000 and these authorizations imply that Ann and John
can read document d2 for the same days.
The syntax of derivation rules is extended to allow the special symbol `' to be used in place of the
subject, object, or access mode components, with the meaning that any value in the corresponding
domain can be used. We refer to rules containing the symbol `' as parametric derivation rules.
Example 3.5 Consider the rule:
(R) (1999,2000], Working-days, (Cleo,*,read,+,Sam)
(John,*,read,+,Sam))
whenever
(Dan,*,*,+,Sam)
_
Rule R states that on every instant of any working day in the period 1999-2000, Cleo can read any
object o such that, in the same instant, either John can read o, or Dan has any privilege on o.
Each parametric rule is exploded by the system into a set of rules, one for each value (or combination of values) to which the wild character can be instantiated. The value substituted for an
authorization element e (i.e., subject, object, or access mode) must be the same for all the authorizations in the rule where e is `'. In general, the instantiation of the rule head is constrained by
the authorizations that the grantor of the rule can specify. For example, if subjects could specify
authorizations only on the objects they own, then the occurrences of `' in the object component of
rule heads should be instantiated with the object owned by the grantor.
4 Formal Semantics of HTABs
The hierarchies of subjects and objects are formalized by two partially ordered sets (S vS ) and
(O vO ) , respectively. For example, according to the hierarchies illustrated in Figure 1, we have
Ann vS managers , John vS staff , pi vO documents , and pi 6vO admin (1 i k).
Let A be the set of all the tuples (s,o,m,pn,g). Given an authorization A = (s o m pn g) we
use the notation s(A) o(A) m(A) pn(A) g (A) to denote the corresponding components of A. Let
A+ (resp. A;) denote the authorization obtained from A by replacing pn(A) with `+' (resp. `;').
For all A 2 A, A denotes the authorization complementary to A, that is, A+ = A; and A; = A+ .
The relation `=;g ' dened below is the equality over authorizations with the only possible exception
of the grantor eld the set Conicts (A) captures the set of authorizations conicting with A:
A =;g B s(A) = s(B) ^ o(A) = o(B) ^ m(A) = m(B) ^ pn(A) = pn(B) Conicts(A) = f B j B =;g A g :
Note that B 2 Conicts(A) () A 2 Conicts (B ) , and A =;g B ) Conicts(A) = Conicts (B ) .
A conicting pair consists of two authorizations A and B such that A 2 Conicts (B ) (equivalently,
B 2 Conicts(A)). The subject and object hierarchies induce the following natural partial ordering
vA over A:
9
A vA B s(A) vS s(B) ^ o(A) vO o(B) ^ m(A) = m(B) ^ pn(A) = pn(B) ^ g(A) = g(B) :
As usual, A <A B A vA B ^ A 6= B . Finally, dene the set:
ParentsvA (A)
= f B j A <A B and 6 9C : A <A C <A B g :
The subscripts of vA and ParentsvA will often be dropped to enhance readability.
Access control is based on the set of time-stamped authorizations that can be derived from the
given HTAB T . A time-stamped authorization is a pair (t A) where t is a non-negative integer (a
\tick" in the basic calendar) and A 2 A (the intuitive meaning is \A holds at time t").
Formalizing derivability involves delicate technicalities due to the presence of negation as failure .
Rules such as R = (t t] ? A whenever :B ; ) are triggered only if (t B ; ) is not derivable , and
(t A) can be inherited only if (t A) is not derivable . Consequently, authorizations cannot be derived
incrementally through a classical inductive denition for example, R can be applicable at a certain
stage of the derivation process, but as deduction goes on, (t B ; ) might become derivable, thereby
invalidating the conclusion of R.
To make the discussion clearer, consider the following example.
Example 4.1 Let T be the set containing the following derivation rules, that express that two write
permissions on the document di, at a time instant t, are mutually exclusive.
(R1) (t t] ? (Ann di write + Sam) whenever :(Bob di write + Sam))
(R2) (t t] ? (Bob di write + Sam) whenever :(Ann di write + Sam))
When the derivation process starts, no authorization at time t has been granted. All applicable
rules are red in parallel, thus R1 derives (Ann di write + Sam) and R2 derives (Bob di write + Sam).
The rst derived authorization invalidates the conclusion of R2 , while the second one invalidates the
conclusion of R1. This behaviour is due to the presence of mutual negative dependencies between
authorizations.
Fortunately, this problem has already been solved|at a semantic level|in logic programming,
through the stable model semantics 6] here we adopt the same idea.
Intuitively, the semantic denition of derivable authorizations models the following three steps:3
(i) First, the set of all derivable time-stamped authorizations, I , is guessed (ii) the consequences
of the given HTAB T are derived incrementally, by recursively applying all the applicable rules of
T and inheritance the applicability of inheritance and of rules with negative literals in the body|
like R1 |is checked using I to \guess the future", in the sense that we assume that a time-stamped
authorization (t B ) will never be derivable i it does not belong to I (iii) clearly, the initial guess
is correct i it coincides with what can be actually derived with the given rules, i.e., if I equals the
set of authorizations derived in step (ii).
Example 4.2 Referring to Example 4.1, we could guess, at time t, the set I = f(Ann di write +
Sam)g, and incrementally derive the consequences of T by applying (R1) and (R2). (Bob di write +
Sam)
does not belong to I , and (accordingly) we assume that it will not be derived in the future,
3
The ecient algorithms introduced in the next section apply only to safe HTABs and do not match the (inecient)
generate-and-test nature of the following steps.
10
thus only (R1) is applicable, and (Ann di write + Sam) is derived. Then, we check that the set of
derived facts coincides with the initial guess. Since this is true, we conclude that I is a stable model
of T .
Note that the stable model is not necessarily unique. We might choose the set I = f(Bob di write
+ Sam)g as the initial guess, and it is straightforward to verify that it is an alternative stable model
for the given set of rules. We shall see later how such ambiguities can be avoided, trough suitable
safeness conditions.
The formal denition corresponding to the steps described above is just a xpoint equation
I = "IT " ! , where I is the initial guess and "IT " ! is the set of authorizations obtained in step (ii).
In particular, "IT models a single application (in parallel) of all the applicable rules of T ,4 and the
operator " ! iterates "IT . Formally, we have the following recursive denition of ":
" " 0 = "()
" " i + 1S= "(" " i) " " ! = i0 " " i .
To formalize "IT in a compact way, we introduce a notion of validity relative to the initial guess
I . Recall from the previous section that conicting authorizations may be simultaneously derivable
from T in this case the denials-take-precedence principle is applied validity captures this idea, and
it can be extended to arbitrary boolean combinations of authorizations in negation normal form
(NNF).5 Intuitively, in the following, J stands for the set of authorizations that have been derived
at some intermediate step of the derivation (I is the initial guess).
Denition 4.1 Let I and J be sets of time-stamped authorizations, t be a time instant, A 2 A and
F Gi be boolean combinations of authorizations from A in NNF. The validity of F in J at time t
wrt I , in symbols J I j=t F , is recursively dened as follows:
1. J I j=t A+ if (t A+ ) 2 J and for all B ; 2 Conicts(A+ ) , (t B ; ) 62 I 2. J I j=t A; if (t A;) 2 J 3. J I j=t :A+ if (t A+ ) 62 I or there is B ; 2 Conicts(A+ ) s.t. (t B ; ) 2 J 4. J I j=t :A; if (t A; ) 62 I 5. J I j=t G1 ^ G2 if J I j=t G1 and J I j=t G2 6. J I j=t G1 _ G2 if J I j=t G1 or J I j=t G2 .
Now we can dene the immediate consequence operator "IT that applies in parallel all applicable
rules and performs all possible inheritance steps. In the following, J plays the role of the set of
authorizations which have already been derived, and "IT (J ) is the result of one more derivation step.
Denition 4.2
IT (J) = f (t A) j (T I P A) 2 T and t 2 Sol(TI P ) g
f (t A) j (T I P A whenever F) 2 T t 2 Sol(T I P ) J I j=t F g
f (t A) j (T I P A upon F ) 2 T t 2 Sol(TI P) and
9t0 2 Sol(TI P) such that t0 t J I j=t0 F g
f (t A) j (T I P A aslongas F) 2 T t 2 Sol(T I P ) and
for all t0 2 Sol(T I P) such that t0 t J I j=t0 F g
f (t A) j 9A1 2 Parents(A): J I j=t A1 and 8A2 2 Conicts(A): A2 62 I and if A = A+ then 8A3 2 Parents(Conicts(A)) J I j=t :A3g :
Note that this operator depends on I , as required by step (ii).
A formula is in negation normal form if negation is applied only to atomic formulas. This is the form of the bodies
of HTAB rules.
4
5
11
The rst four sets in the right-hand side formalize the semantics of HTAB rules the last set denes
the semantics of inheritance. The precedence of negative authorizations over positive authorizations
is obtained by inheriting A+ only when no conicting authorization B 2 Conicts (A+ ) can possibly
be inherited in turn, this is veried by checking that no parent A3 of B is valid.
As we have already pointed out, by iterating the above operator we obtain all the facts derivable
from T , given the initial guess I .
Proposition 4.1 The operator "IT is continuous, and hence i) "IT " 0 "IT " 1 : : : "IT " ! ii) the least xpoint of "IT is "IT " ! .
Thus, the initial guess is correct i I coincides with "IT " ! . So the notion of v-stable model
introduced below captures the set of derivable authorizations.
Denition 4.3 A set of time-stamped authorizations I is a v-stable model of a HTAB T i I =
"IT " ! .
Suppose that T has one v-stable model M then an authorization A should be enforced at time t i
A is valid in M at time t.
Remark 4.1 Each HTAB T is equivalent to a non-stratiable 9] logic program PT , that denes
a predicate valid(t A). The v-stable models of T and the stable models of PT are in one-to-one
correspondence.
4.1 Dynamically Stratied HTABs
A HTAB T may have multiple v-stable models, or no v-stable models at all. In this section, we
introduce conditions that guarantee that the HTAB has exactly one v-stable model (and hence a
consistent, non ambiguous semantics).
A labeled dependency graph is a graph whose nodes are authorizations from A and whose edges
are labeled with +, ; or v (accordingly, the edges are called positive, negative or variable ).
Let DGT (t) be the labeled dependency graph whose set of nodes is A and whose edges are all
and only the triples h A l B i that satisfy some of the following conditions:
(DG1) For some rule (TI P B h op i F ) 2 T such that t 2 Sol(TI P ), A occurs in F moreover, if A occurs in the scope of a negation sign (:), then l = ; , otherwise
l = +
(DG2) A 2 Conicts (A+1 ), where A+1 occurs in the body F of some rule (TI P B h op i F ) 2
T such that t 2 Sol(TI P ) moreover, if A+1 occurs in the scope of a negation sign
(:), then l = + , otherwise l = ; (DG3) A 2 Parents(B ) and l = ; (DG4) A 2 Conicts (B ) and l = v .
HTABs should satisfy the following safeness conditions . We shall prove that safeness guarantees the
existence of a unique stable model.
Denition 4.4 A HTAB T is safe if for all t 0:
1) no cycle in DG(t) contains a negative edge
2) if A B is a conicting pair, then every path from A to B in DG(t) contains a variable edge
0
(A v B 0) such that A0 =;g A and B 0 =;g B .
12
A stratication of a set of authorizations A0 A is a mapping : A0 ! f 1 : : : jA0j g . We
say that is compatible with a labeled dependency graph DG if: 1) for all edges h A l B i in DG,
(A) (B ) , and 2) if l = ; then (A) < (B ) .
In the standard logic programming setting, the existence of a stratication is equivalent to the
\safeness" of the program. On the contrary, here safeness is stronger (the second condition is not
enforced by the existence of a stratication). Intuitively, the problem is that for every conicting
pair A B , the inheritance of A depends on the absence of B and viceversa. Fortunately, this cyclic
(non-stratiable) dependency does not aect the nice properties of stratiable programs (i.e., the
existence of a unique stable model which can be computed in polynomial time).
The model of a HTAB T which satises the safeness conditions can be constructed as follows.
Let t : A ! f 1 : : : jAj g be a stratication compatible with DGT (t) . We call t a pre-stratication
of A at time t. Dene Atl = f A j t(A) = l g . A rened stratication of Atl wrt an interpretation
J is a mapping tl : Atl ! f 1 : : : jAtlj g such that for all A B 2 Atl :
1. if h A + B i belongs to DGT (t) then tl(A) tl (B ) 2. if h A+ v B i is in DGT (t) and 9B 0 2 Parents(Conicts(A)): J J j=t B 0 then tl(A) < tl (B ) 3. if h A; v B i is in DGT (t) and 6 9A0 2 Parents(Conicts(B )): J J j=t A0 then tl(A) < tl (B ) .
Note that tl is a stratication compatible with a modied version of DGT (t) , where the variable
edges over Atl have been either eliminated or turned into negative edges. The idea is that the
negative cycles involving conicting pairs can be \broken" dynamically, on the basis of the part of
model built so far (represented here by J ). The following is an important related property of rened
stratications.
Proposition 4.2 For each conicting pair A B , either tl(A) < tl(B) or tl(B) < tl(A) .
The model M is constructed through three nested iterations, over time, pre-stratication level
and rened stratication level, respectively. In order to simplify notation, we shall use as an
abbreviation of an arbitrary triple (t l i) of the form (0 0 0) or such that t 0 , 1 l jAj and
1 i jAtl j . With a slight abuse of notation, the lexicographic ordering of such triples will be
denoted by , and the immediate predecessor and successor of in this ordering will be denoted by
; 1 and +1, respectively (the reverse lexicographic ordering is denoted by ). Each time-stamped
authorization (t A) will be associated with a layer `(t A) = (t l i), where l = t (A) and i = tl(A) .
The iterative construction will be slightly generalized:
"IT " 0(J ) = J
"IT " i + 1(J ) = J "IT ("IT " i(J )) :
Intuitively, the above construction enlarges J by adding the consequences of T , whose rules can make
use of the facts in J this makes it possible to construct the model layer by layer. Finally, dene by
mutual recursion:
M = S (000) M where
M = ;1
M = "M
T " ! (M ;1) if = (0 0 0), otherwise
where
T(tli) = f (tb t] P A h op i F ) j (tb te ] P A h op i F ) 2 T t 2 Sol(tb te ] P ) tl (A) = i g
f (tb t] P A) j (tb te] P A) 2 T t 2 Sol(tb te] P ) tl(A) = i g
13
and where tl is a rened stratication of Atl wrt M(tl1);1 . Roughly speaking, T(tli) is the set
of rules and authorizations that can possibly be used to derive time-stamped authorizations whose
layer is (t l i). Note that T(tli) depends on M(tl1);1 through tl .
First, it must be shown that the above construction is well dened, by proving that pre-stratications
t and rened stratications tl exist.
Theorem 4.1 If a HTAB T satises the safeness conditions then t and tl exist for all t 0 and
for all l (1 l jAj) .
Theorem 4.2 M is the unique v-stable model of T .
Therefore, we refuse the insertion of a derivation rule if its insertion into the existing HTAB
violates the safeness condition. Denition 4.4 above gives a method to test whether a given HTAB
satises the safeness condition and hence admits a unique model. Such test is performed by checking
a set of conditions, for each instant t 0. Obviously, this test is feasible in practice only if we ensure
the existence of a nite instant t at which we can limit the test.
The particular form of our rules allows us to ensure the existence of this nite constant, denoted
in the following as max-time. max-time is determined as tmax + k Pmax , where tmax is the greater
instant corresponding to an end date expression in HTAB, Pmax is the least common multiple of
all the periodicities of the periodic expressions appearing in HTAB, and k is the maximum number
of aslongas and upon rules in HTAB plus one. The important property is that, after instant
max-time, the validity of any authorization in HTAB becomes periodic.
This can be proved as follows. Let T be a HTAB and let M be one of its v-stable model. We
denote with Ci (Conguration i) the valid authorizations, with respect to M , at instants contained in
the i-th maximum period after tmax . Formally, Ci = f(t A) j (t A) 2 M and tmax +(i ; 1) Pmax <
t tmax + i! Pmax g. Given two congurations Ci and Cj , we say that Ci and Cj are shift-equivalent
(written Ci = Cj ) if for each pair (t,A) in Ci a corresponding one (with the same authorization) can
be found in Cj by \shifting" the temporal instant t by the value (j ; i) Pmax , and vice versa.
Lemma 4.1 Let T be a HTAB. There exists an integer k such that Ck != Ck for each k > k. The
integer k is limited by one plus the number of aslongas and upon rules in T having an unbound
associated interval.
The introduction of max-time ensures that the verication of the safeness of a given HTAB
and the computation of the corresponding stratications can be done in a nite number of steps.
Intuitively, if for instants greater than max-time the validity of each authorization derived from
HTAB is periodic there is no need to consider all time instants up to 1 to verify whether a given
HTAB is safe. Lemma 4.1 implies that, if the conditions in Denition 4.4 are not satised for a
time instant t after max-time, then there exists an instant t0 , max-time;Pmax < t0 max-time,
t0 = t ; n Pmax, n 2 IN such that the conditions in Denition 4.4 are not satised also at time t0 .
To conclude this section, we introduce a simple example, to show how, in our framework, more
specic derived authorizations override inherited ones. For the sake of simplicity, we do not take into
account the temporal dimension of the framework, and consider authorizations and rules all referring
to the same, arbitrary, time instant t.
Example 4.3 Consider the subject hierarchy in Figure 1, and the following HTAB T :
(A1) (t t] ? (admin-staff d1 read ; Sam))
(A2) (t t] ? (John d1 write + Sam))
(R1) (t t] ? (John d1 read + Sam)whenever (John d1 write + Sam))
14
(admin-staff,d1,read,+,Sam)
v
-
(John,d1,read,+,Sam)
v
v
(admin-staff,d1,read,-,Sam)
-
v
(John,d1,read,-,Sam)
-
+
-
(John,d1,write,+,Sam)
v
-
v
(Bob,d1,read,+,Sam)
v
(John,d1,write,-,Sam)
v
(Bob,d1,read,-,Sam)
Figure 3: Labeled dependency graph for Example 4.3
We show that John does not inherit the denial to read d1 , since he is granted permission by
means of rule R1 .
Taking into account the fact that authorization (admin-staff d1 read ; Sam) is parent of both
(John d1 read ; Sam) and (Bob d1 read ; Sam), we draw the labeled dependency graph in Figure
3.
Based on the graph, we dene a compatible stratication of the authorization. A possible choice
is the following:
T0 = f(admin-staff d1 read ; Sam) (admin-staff d1 read + Sam)g
T1 = f(John d1 write ; Sam) (John d1 write + Sam) (Bob d1 read ; Sam) (Bob d1 read + Sam)g
T2 = f(John d1 read ; Sam) (John d1 read + Sam)g.
The model of stratum T0 is M0 = f(admin-staff d1 read ; Sam)g.
Based on this model, we can dene a rened stratication of stratum T1 , to brake v-cycles, as follows.
M0 j=t (admin-staff d1 read ; Sam), which is parent of (Bob d1 read ; Sam), that, in turn,
belongs to the set Conflicts((Bob d1 read + Sam)).
Thus, t1((Bob d1 read + Sam)) < t1((Bob d1 read ; Sam)).
There is no authorization A0 belonging to the set Parents(Conflicts((John d1 write ; Sam))) in
M0 , thus t1((John d1 write ; Sam)) < t1((John d1 write + Sam)).
Thus, (Bob d1 read + Sam) and (John d1 write ; Sam) are to be evaluated rst, possibly in parallel.
(Bob d1 read + Sam) is not derivable, thus (Bob d1 read ; Sam) will be inherited.
(John d1 write + Sam) is true, since it is explicitly stated by A2 .
It follows that the model of stratum T1 is M1 = f(Bob d1 read ; Sam) (John d1 write + Sam)g.
The authorizations in stratum T2 are then evaluated against M0 M1 . (admin-staff d1 read ; Sam) 2
Parents(Conflicts((John d1 read + Sam))), and it is true in M0 M1, thus the positive authorization in stratum T2 has to be evaluated rst. It evaluates to true, since the body of R1 is true in
M0 M1, and inheritance of the denial is therefore blocked.
5 Access Control
Determining whether an access request from subject s to exercise access mode m on object o at time
t can be authorized requires the system to verify whether an authorization (s,o,m,+,g) valid at
time t exists. Two dierent strategies can be used to enforce access control: run-time derivation
and materialization. Under the latter approach, the system permanently maintains all the valid
15
authorizations derivable from a HTAB. Access control therefore becomes very ecient in that there is
no dierence in costs between explicit and derived authorizations. As a drawback, the materialization
has to be properly updated every time the HTAB is modied or whenever an object is created or
deleted by subjects who specied rules parametric wrt the object.
Like in 1], in HTAM we have adopted the materialization approach. The main reason behind this
choice is that in real systems access requests are generally considerably more frequent than requests
modifying authorizations and/or rules. As for creation/deletion of objects subject to parametric
rules, we believe that those rules, though possible, will seldom be used in practice. As a matter of
fact, while rules parametric with respect to the access mode (allowing the owner to grant any access
on an object) or to the subject (allowing the owner to grant an access to everybody or to grant an
access if somebody can exercise it) are expected to be common in reecting real world situations, rules
parametric with respect to the object, by which a subject can grant access to all objects he/she owns
(or will own) certainly have a much stricter applicability. Moreover, the drawback of recomputing
the materialization each time an administrative operation changing the HTAB is performed can
be partially overcome by the development of incremental maintenance algorithms, which modify
only the portions of the materialization actually inuenced by the administrative operation. Such
algorithms can be developed using the same strategies employed for the development of analogous
algorithms for the models in 1], whose eectiveness has been proved by the performance evaluation
results reported in 8].
In the following we illustrate how to compute the valid authorizations for a given safe HTAB T .
Lemma 4.1 guarantees that derivation of authorizations can be performed only for instants smaller
than or equal to the nite constant max-time. Given an instant t > max-time an authorization (t,A)
belongs to the model M of T i there exists an instant t0 such that max-time ;Pmax < t0 max-time,
t = t0 + n Pmax , n 2 IN, and (t0 ,A) 2 M . However, there are many cases in which it is not necessary
to compute !the model up to max-time. Indeed, given two congurations Ci and Cj , i 1, Ci !
= Ci+1
implies Ci = Cj for each j > i. (This is formally proved as part of the proof of Lemma 4.1).
Therefore,
we can limit the computation at the rst instant t such that t = tmax + (i + 1) Pmax and
!
Ci = Ci+1 and then use this model to check the validity of any authorization for each instant t 0.
Given a model M , we call the compact version of M , denoted as M C , the subset of M satisfying the
above condition.
Figure 4 presents an algorithm to compute the compact version of the model of a HTAB T which
satises the safeness condition.
Algorithm 4 is based on the model computation given in Section 4.1. It computes the dierence
between M(tl0) and M(tl+10) (for increasing l and t) by transforming the part of the HTAB relevant
to time t and level l + 1 into a HTAB without inheritance. For this purpose, for all sets of timestamped authorizations M , for all time instants t and levels l let:
HTAB(M ) = f (t t] ? A) j (t A) 2 M g INH (M t l) = f (t t] ? A whenever F ) j t (A) = l 9A1 2 Parents(A):M j=t A1 if A = A+^then 8A2 2 Parents(Conicts(A)) M 6j=t A2 F=
:B g B 2Conicts(A)
T (t l) = f (tb t] P Ah op iF ) j (tb te ] P Ah op iF ) 2 T
t 2 Sol(begin end] P) t (A) = l g f (tb t] P A) j (tb te ] P A) 2 T
t 2 Sol(begin end] P) t (A) = l g :
Intuitively, HTAB (M ) transforms its argument (that will be the part of the model already computed)
into an equivalent HTAB INH (M t l) transforms the applicable inheritance rules into explicit
16
Algorithm 5.1
INPUT: A HTAB T satisfying the safeness condition
OUTPUT: The compact version M C of the model M of T
METHOD:
1. Let tmin be the minimum instant corresponding to a begin date expression in T
2. Let tmax be the greater instant corresponding to an end date expression in T
3. Let Pmax be the lcm of all the periodicities of the periodic expressions in T
4. Let k be the maximum number of aslongas and upon rules in T plus one
5. max-time := tmax + k Pmax , k := 1, success := false, M C := 6. Compute t , for each t such that tmin t tmax + Pmax
7. Repeat
k := k + 1, current max := tmax + k Pmax
Compute t , for each t such that current max ; Pmax < t current max
For t:= tmin to current max do
Let l := maxfl j l = t (A)g
For i := 1 to l do
Let Tti := T (t i) INH (M C t i) HTAB (M C )
Let L1 : : : Lh be a stratication of Tti
For j := 1 to h do
Let Ttij := f (tb t]P Ah op iF ) j (tb t]P Ah op iF ) 2 Tti (t A) 2 Lj g f (tb t] PA) j (tb t] PA) 2 Tti (t A) 2 Lj g
Repeat
For each x 2 Ttij do
If x = (tb t] PAh op iF ) and 8B ; 2Conflicts(A) (t B ; ) 62 M C then
If op = whenever and M0 C j=t F0 then Cadd (t A) to M C
If op = aslongas and 8t tb t t M j=t0 F then add (t A) to M C
If op = upon and 9t0 tb t0 t such that M C j=t0 F then add (A t) to M C
endif
If x = (tt] P A) and 8B ; 2Conflicts(A) (t B ; ) 62 M C then add (t A) to M C
C
Until M does not change
endfor !
If Ck;1 = Ck then success := true
Until success or current max > max-time
Figure 4: An algorithm for computing the compact version of the model of a HTAB
rules T (t l) is the restriction of T 's rules and authorizations to layer l at time t. Finally,
for all t l s.t. t + l > 0, let:
Ttl = T (t l) INH (M(tl0);1 t l) HTAB(M(tl0);1).
The next theorem states that the above transformation yields a well-behaved HTAB that captures
exactly level l at time t.
Theorem 5.1 For all t l s.t. t + l > 0, i) Ttl is a stratied HTAB ii) the stable model of Ttl agrees
on validity with M(tl+10);1 .
The complete algorithm works as follows. First, it computes t for each instant t between tmin and
current max, where tmin is the minimum instant corresponding to a begin date expression in HTAB
and current max is initially set equal to tmax +Pmax and incremented by Pmax at each iteration. Then,
for each level l of the stratication and for each instant t between tmin and current max, the algorithm
transforms the part of the HTAB relevant to time t and level l into a HTAB without inheritance
(using the method sketched above). According to Theorem 5.1 the resulting HTAB is stratied.
whenever
17
Thus, we can apply the techniques developed for such HTABs 1] to compute a stratication for
level l, as well as the authorizations of level l derivable from the HTAB at time t. Intuitively, the
algorithm presented in 1], receives as input a stratiable HTAB and returns a sequence of levels
L1 : : :Lh representing a partition of the set of pairs (t A) for each authorization A appearing in
HTAB and tmin t current max. The levels of the authorizations are determined by considering
the dependencies among authorizations caused by derivation rules and negative authorizations. The
intuitive semantics of the levels is that given two authorizations Ai and Aj and two instants th and
tk , if the level of authorization Ai at time th is lower than the level of Aj at time tk , then the validity
of Ai at time th must be evaluated before the validity of Aj at time tk . This implies, for instance,
that a positive authorization is always at a higher level than its negative counterpart.
Then the algorithm considers the computed time-stamped authorizations in two contiguous time
intervals after tmax of length equal to Pmax and checks whether these sets are shift-equivalent. If not,
and if the considered interval does not exceed max-time, it proceeds with another iteration of the
Repeat-until cycle, generating a larger model using the constant of the previous iteration increased
by Pmax . Otherwise, the Repeat-until cycle terminates.
In practice, we expect the algorithm to terminate at the rst iteration in most cases.
The following theorem states the termination and the correctness of Algorithm 5.1.
Theorem 5.2 i) Algorithm 5.1 terminates and ii) an authorization A is valid at time t i one of
the following conditions holds. Let t^ be the greatest instant appearing in a time-stamped authorization
in M C , and let t be the minimum instant such that ^t t and t = tmax + n Pmax , n 2 IN.
t t^, and (t,A) 2 M C t > ^t, and there exists an instant t0, t ; Pmax < t0 t such that t0 = t ; k Pmax and (t0 A)
2 MC.
Proof. An immediate consequence of the proof of Lemma 4.1 and Theorem 5.1.
6 Combining Heterogeneous HTABs
Suppose that z dierent HTABs (each based on dierent hierarchies of subjects and objects) are
given, and consider the problem of combining them into one federated system.
In general such a task can be quite complex. Dierences and conicts may arise in the names
used for objects and subjects, in the way objects and subjects are hierarchically organized, in the
authorization policies stated in each HTAB. Because the detection and solution to conicts and the
reconciliation of dierences strictly depend on the application semantics, automatically executing the
complete integration process of several heterogeneous HTABs is not feasible. An alternative approach
is to provide an integration methodology, that identies the various steps of the integration process,
and develop proper tools supporting these steps. We have thus adopted this approach.
The methodology we propose is based on the following steps, which are graphically illustrated in
Figure 5:
1. Constraint Specication. The security administrator relates the dierent hierarchies by
means of a set of declarative constraints (e.g., stating that two roles in two dierent hierarchies
should be regarded as the same role, or stating that a certain class of objects includes another
class of objects in another hierarchy).
2. Consistentcy Check. The constraints' consistency is automatically checked. If an inconsistency is found, the constraints that led to the inconsistency are shown to the security administrator, who can modify them and then repeat the consistency check.
18
Security Officer
Constraint
Specification
Constraint
Base
Consistency
Check
HTAB1
.......
Global Hierarchy
Generation
HTABn
HTAB2
HTABs
Normalization
Global
HTAB
Safeness
Check
Figure 5: A methodology for combining heterogeneous HTABs
3. Global Hierarchy Generation. Eventually, when all constraints are consistent, the system
automatically derives combined (or \global") subject and object hierarchies, upon which the
HTAB for the federated system will be built.
4. HTABs Normalization. Each HTAB is mechanically \normalized", by replacing subjects
and objects with the corresponding entities in the global hierarchies. The union of all normalized HTABs constitutes the (tentative) global HTAB.
5. Safeness Check. The safeness check is executed on the global HTAB. If safeness is violated,
then the set of rules responsible for the violation is returned to the security administrator, who
can remove some of those rules to restore safeness. This step is repeated until the global HTAB
is safe.
In the following, we describe the techniques to realize each of the above steps. Such techniques
are the basis for the development of tools supporting the methodology.
6.1 Constraint Specication
Recall that subject and object hierarchies are two partial orders (S vS ) and (O vO ). Informally
speaking, given z dierent HTABs T1 : : : Tz , such that each Ti is based on two hierarchies (Si vSi )
and (Oi vOi ), we would like to construct two global hierarchies (S g vgS ) and (Og vgO ) that take
into account and semantically merge the given hierarchies.
Example 6.1 Figure 6 shows two dierent subject hierarchies, to be merged. The rst one, is the
subject hierarchy introduced in Figure 1 the second one describes the structure of an administration,
19
subjects
managers
administration
staff
admin-staff
research-projectsadmin
tech-staff
Mary
Ann
John
Bob
financialadmin
Cleo
Victor
Charles Antony
Dan
Figure 6: Two subject hierarchies (S1 v1) and (S2 v2)
whose members' activity concerns the management of research projects, and the management of
ordinary administrative tasks, such as the payrolls of the employees, etc.
Assume that the two hierarchies - initially concerning two independent companies - have to be
merged, since one company is integrated into the other, and all the employees, from both companies,
become employees of the new one.
Assume that, in the resulting hierarchy, admin-staff from the rst company has to be considered
the same as administration in the second one, and that we want that, in the new organization,
Ann and John become members of the group working on research projects, while Bob takes care of
ordinary nancial problems. Later, in Example 6.2, we will show how this may be captured within
our framework.
In the following, we denote with (H1 v1) : : : (Hz vz ) a given set of hierarchies that should be
combined. Such hierarchies may be either all subject hierarchies or all object hierarchies the two
kinds of hierarchies will be treated in the same way as far as merging is concerned. In our framework,
we will merge the given hierarchies into a new hierarchy in such a way that certain constraints are
preserved. These constraints (expressed by the security administrator) express relationships between
subjects or objects in dierent hierarchies, thus providing us with information on how these dierent
hierarchies are linked. In order to avoid confusion, we will write x : i to denote the subject or object x
of the ordering (Hi vi ) . Constraints that can be specied by the security administrator are formally
dened as follows.
Denition 6.1 An interoperation constraint set is a set of statements of the form x : i y : j or
x : i 6 y : j where x 2 Hi and y 2 Hj and i 6= j . Sometimes, two constraints of the form x : i y : j
and y : j x : i will be abbreviated to the single constraint x : i = y : j . Similarly, x : i y : j and
y : j 6 x : i will be abbreviated to x : i y : j .
Example 6.2 Returning to the subject hierarchies of Figure 6 (cfr. also Example 6.1), assume that
admin-staff of the hierarchy (S1 v1 ) and administration of hierarchy (S2 v2) are identical, and
that we want Ann and John from the rst hierarchy to be below research-projects-admin in the
second, and Bob from the rst hierarchy to be below financial-admin in the second.
In this case, we have the following members in our interoperation security constraint set:
admin-staff:1= administration:2
20
research-projects-admin:2
research-projects-admin:2
financial-admin:2
Given the hierarchies (H1 v1) : : : (Hz vz ) , and a set of interoperation constraints IC, we have to nd
a new, global security ordering (H ) and a family of translation functions i : Hi ! H (1 i z ) .
For each element x 2 Hi , i(x) is the corresponding element in the global hierarchy (H ). The
Ann :1
John :1
Bob :1
global ordering and the translation functions should satisfy the following two conditions:
(C1) the original orderings are preserved, i.e., for all x y in any given Hi ,
i(x) i(y ) $ x vi y (C2) the interoperation constraints are satised, that is,
(x : i y : j ) 2 IC ! i(x) j (y ) (x : i 6 y : j ) 2 IC ! i(x) 6 j (y ) :
Denition 6.2 A set of hierarchies H = f (H1 v1) : : : (Hz vz ) g is said to be combinable wrt a set
of interoperation security constraints, IC, i there exist a partially ordered set (H ) and a family
of translation functions i : Hi ! H (1 i z ) , such that conditions C1 and C2 hold. In this case,
we say that (H ) 1 : : : z constitute a witness to the combinability of H.
Example 6.3 Let us return to the hierarchies of Figure 6 and the interoperation security constraints
of Example 6.2. The partial ordering shown in Figure 7 constitutes a witness to the combinability
of such orderings, together with the following translation functions: 1 : S1 ! S is the identity
function, while 2 : S2 ! S is the mapping:
7!
7!
administration
admin-staff
research-projects-admin research-projects-admin
financial-admin financial-admin
Mary
Mary
Victor
Victor
Charles
Charles
Antony
Antony
7!
7!
7!
7!
7
!
Example 6.4 Let us return to the hierarchies of Figure 6 and consider the situation when the
interoperation constraint set contains the statements:
admin-Staff :1 =administration :2
administration :2
These orderings are not combinable with respect to the above interoperation constraints. In fact,
staff :1 administration :2 = admin-staff :1 , thus staff :1 admin-staff :1
This violates the principle of preservation of the given orderings, (C1), because staff is not smaller
staff :1
than admin-staff in S1 .
The above formalization of the combinability of subject and object hierarchies is isomorphic to
combinability of security levels, studied in 3]. Consequently, we can simply import the methodology
and results from 3]. Among the two combinability checking methods introduced in 3], here we adopt
the one based on graph algorithms, because of its eciency (cfr. 3]). Such technique is illustrated
in the following section.
21
subjects
managers
staff
admin-staff
research-projectsadmin
Ann
John
Mary
Victor
tech-staff
financial
admin
Charles
Bob
Antony
Cleo
Figure 7: A security ordering that merges (S1 v1) and (S2 v2)
Dan
6.2 Consistency Check and Global Hierarchy Generation
The consistency check step of our methodology (cfr. Figure 5) is based on graph algorithms. The
method we propose relies on the notion of graph associated with a set of hierarchies and interoperation
constraints, formally dened as follows.
Denition 6.3 3] The graph associated with H = f (H1 v1) : : : (Hz vz ) g and IC is G = (V E ),
where V (the set of vertices) is the set of all x : i such that x 2 Hi (1 i z ) , and where E (the
set of edges) is the set of all ordered pairs (x : i y : j ) such that either
(1) i = j and there is an edge from x to y in the Hasse diagram of Hi , or
(2) i 6= j and (x : i y : j ) 2 IC .
The basic idea is that if two hierarchy elements belong to a cycle in G, then the two elements must
be identied to satisfy C1 and C2. This leads to the following denition.
Denition 6.4 3] The G-canonical hierarchy associated with H is (H + +) , where H + is the set
of strongly connected components6 of the graph G associated with H, and x + y holds i x = y or
there is a directed path in G from a member of x to a member of y . The canonical translations i+
are dened by
i+(x) = x : i] where x : i] denotes the strongly connected component containing x : i .
The G-canonical hierarchy can be used to verify combinability, and, if H is combinable, provides a
natural witness to combinability, as shown by the following result:
Here, with a slight abuse of notation, we identify the strongly connected components of a directed graph with the
maximal sets C of vertices such that each member of C can be reached from any other member of C through a directed
path.
6
22
Theorem 6.1 3] H is combinable i the corresponding canonical hierarchy (H + +) and the canonical translations 1+ : : : z+ , constitute a witness to the combinability of H.
Moreover, if H is combinable, then (H + + ) 1+ : : : z+ is a maximally conservative and parsimonious witness.7
For example, the combined ordering and the translation functions illustrated in Example 6.3 are
isomorphic to the canonical hierarchy and functions for that example just rename each node in the
hierarchy with the set of corresponding original elements { e.g. admin-staff in Figure 7 should be
renamed to fadmin-staff : 1 administration : 2g.
By using the G-canonical ordering, combinability can be checked in almost quadratic time.
Theorem 6.2 3] Let n be the number of vertices of G , that is, n = Pzi=1 jSij .
(i) Deciding combinability can be done in time O(n2 log n) .
(ii) The canonical ordering (H + + ) can be computed in time O(n2 ) .
The proof of the above theorem (3, Theorem 17]) provides an algorithm for checking combinability
and building the canonical ordering. So, when the given set of hierarchies H is combinable wrt
the constraints IC, such algorithm provides both the consistency check and the automated global
hierarchy generation (ie. steps 2 and 3 of our methodology).
Now suppose that the given hierarchies H = f (H1 1) : : : (Hz z ) g are not combinable wrt
IC. By Theorem 6.1, the canonical hierarchy and translations are not a witness, that is, some of the
combinability conditions C1 and C2 must be violated:
If C1 is violated, then there exist an index i, 1 i z, and x y 2 Hi, such that x 6i y but
x : i] + y : i] (i.e., the global hierarchy contains a new dependency between two elements of
some given hierarchy). In this case, by denition of canonical hierarchy, the graph G associated
with H and IC contains a path from x : i to y : i. Since these elements were not originally
linked in this way, the path must contain some edges corresponding to positive constraints of
IC (cfr. Denition 6.3.(2)). We call such constraints critical positive constraints. Clearly, by
removing enough critical positive constraints, C1 can be enforced.
If C2 is violated, then some negative constraint of IC must be violated (positive constraints
are satised by construction, cfr. Denition 6.3.(2)). We call such constraints critical negative
constraints.
Our methodology prescribes that the security administrator is given the list of critical (positive
and negative) constraints then he/she can remove some of them and repeat the combinability check
until the constraints are consistent with the given hierarchies.
Alternatively, the security administrator may apply some of the automated relaxation methods
investigated in 3].
A witness is said conservative if it introduces, in the merged ordering, an equality or an inequality relation between elements from dierent orderings only if doing so is absolutely necessary to satisfy the combinability conditions.
Formally, a witness (H ) 1 : : : z of the combinability of H wrt IC is maximally conservative i, for all other
such witnesses (S ) 1 : : : z , i (x) j (y) ! i (x) j (y). Besides, a witness is said parsimonious if it does
not contain useless elements, in the sense that each element in the witness corresponds to some element in one of the
given hierarchies. Formally, a witness (H ) 1 : : : z of the combinability of H = f (H1 1 ) : : : (Hz z ) g is
parsimonious i for all x 2 H , there exists x : i such that x = i (x).
7
23
B+
A+
B-
C+
A-
D+
C-
E+
D-
F+
E-
F-
Figure 8: Two authorization hierarchies (A1 v1) (A2 v2)
6.3 HTAsB Normalization and Safeness Check
Given global, combined subject and object hierarchies, the next (fourth) step in the methodology consists of substituting the global subject and object classes for the original ones (HTABs Normalization).
Formally, let T1 : : : Tz be the original HTABs, based on subject hierarchies (S1 v1) : : : (Sz vz ) and
object hierarchies (O1 v1 ) : : : (Oz vz ), respectively. Let 1+ : : :
z+ be the translation functions from
the original hierarchies to the global ones, that will be denoted by (S + v+S ) and (O+ v+O ). For
1 i z , let Ti+ be the result of uniformly replacing each subject/object x with the global subject/object i+ (x) in Ti. In this context, the global HTAB associated with T1 : : :Tz is
T g def
=
z T
i=1
+
i
:
Intuitively, this is the HTAB to be used for access control at the federation level. Of course, we
have to make sure that the global, combined HTAB T g enjoys the safeness property, which guarantees
that T g is not ambiguous and well dened. So we enter the last step of our methodology (Safeness
Check). The automated safeness check is run on T g . If T g is not safe then the following critical rules
are identied. Since T g is not safe some of the following conditions hold:
The rst condition of Denition 4.4 is violated. Therefore, some cycle of the dependency
graph DGT g (t), for some t in the materialized period, contains a negative edge. The rules of
T g that caused the introduction of such cycle's edges (cfr. conditions DG1 and DG2 before
Denition 4.4) are called critical rules of kind 1. Note that the other possible edges (cfr. DG3
and DG4) link parents to their children, and link conicting pairs, so there can be no forbidden
cycles without a critical rule of kind 1.
The second condition of Denition 4.4 is violated. Therefore, some path in the dependency
graph DGT g (t) (for some t in the materialized period) links a conicting pair but contains no
variable edge with the required properties. The rules corresponding to such path's edges are
called critical rules of kind 2. Clearly, any such forbidden path must contain edges introduced
by DG1 or DG2, and hence some critical rule of kind 2 exists.
Critical rules of both kinds are automatically identied and then presented to the security administrator, who can delete some of them and then go back to the safeness check. This process is repeated
until T g is safe.
Example 6.5 Let HTAB1 and HTAB2 be two simple hierarchical temporal authorization bases.
Let (A1 v1), and (A2 v2), in Figure 8 be the hierarchies induced by the corresponding hierarchies
over subjects and objects, on the authorizations in HTAB1 and HTAB2 respectively.
When the two HTABs are integrated, the canonical orderings among subjects and objects induce
a corresponding canonical ordering (A ) among authorizations.
24
D-
B-
v
-
v
v
v
D+
-
-
B+
-
+
-
-
-
-
+
A+
C+
v
v v v
AC-
E+
-
v
v
E-
+
F+
v v
F-
Figure 9: Dependency graphs for HTAB1 and HTAB2
To show the behaviour of the algorithm, we refer directly to the latter one, and abstract from
the temporal component of the rules. Assume the two HTABs contain the following two sets of
derivation rules, respectively:
Rules1 = f (A whenever B), (C whenever A) g
Rules2 = f (E upon : F)g.
The dependency graphs corresponding to the two (safe) HTABs are shown in Figure 9.
Now assume that, in the canonical ordering induced on the integrated HTABs the following
equalities hold: B = D, A = E, and C = F.
The integrated set of rules is then the following:
Rulesintegr = f (A whenever B), (C whenever A), (A upon : C) g.
The corresponding dependency graph is shown in Figure 10, and contains a negative cycle (from
A+ to A- to A+). Dashed arcs in Figure 10 correspond to arcs coming from the dependency graph
for HTAB2.
The security administrator is notied that the rst condition of the denition of safeness is
violated, because of the critical rules of kind 1 (C whenever A) and (A upon : C) (that introduce
the two negative edges from A; to C+ and from C+ to A+ , respectively, by DG2). The administrator
may choose to drop any of them.
The same integrated HTAB violates also the second condition of the denition of safeness, since
the dependency graph contains the path A- C+ A+ that connects two conicting pairs, but does not
contain any variable edge. So (C whenever A) and (A upon : C), in this example, are also critical
rules of kind 2.
7 Related work
The introduction of temporal features in access control on one side, and the use of logical formalisms
for specifying authorizations, on the other side, have been addressed by other research eorts. In
particular, the Kerberos 13] system, based on client-server architecture, provides the notion of ticket,
with an associated validity time. The span of the validity time is chosen by the administrator based
on a trade-o between security and convenience (a typical choice is a span of 8-24 hours for all
tickets). The ticket is used by a client to require a service from a particular server. Associating a
validity time to the ticket saves the client from the need to acquire a ticket for each interaction with
the same server. Thus, the scope of the temporal ticket mechanism is very dierent from our access
control model. In Kerberos the ticket is only used to denote that a client has been authenticated
by the authentication server, and cannot be used to grant access to specic documents or resources
25
-
-
v
+
A-
v
A+
B+
-
v
Bv
+
-
+
C+
v v
C-
Figure 10: Dependency graph for the integration of HTAB1 and HTAB2
managed by the server.
From the side of logical formalisms for security specications, Woo and Lam in 17] propose a
very general formalism for expressing authorization rules. Their language does not have explicit
constraints to deal with temporal information. However, the generality of their language, which
has almost the same expressive power of rst order logic, makes it possible to model temporal
constraints. The main drawback is that the trade-o between expressivity and eciency seems
to be strongly unbalanced in their approach. Jajodia et al. in 10] propose a logic language for
expressing authorization rules and show how this language can express most of the access control
policies provided by the access control mechanisms proposed so far in the literature. However, their
language is not able to express temporal and periodic authorizations. Another important dierence
is that they have to distinguish explicit authorizations from derived authorizations, in such a way
that a general authorization can never be overridden by a more specic one if the latter is derived
through an inference rule. The complex machinery we adopt allows specic derived authorizations
to override more general ones (cfr. Example 4.3).
The development of exible authorization models has been addressed in other papers 2, 14].
However none of these proposals support a complete set of features as our model, nor do they
provide a formal foundation to their models.
Other related work are in the eld of access control models for federated database systems. In
the model proposed by Jonscher and Dittrich 7] authorizations (both positive and negative) are
specied at the federated (i.e., global) level and then inherited at the local sites composing the
federation. Propagation of authorizations from global to local levels may cause inconsistency of
authorizations at the local level. However, the grantor of an authorization at the global level can
require that a global authorization is inserted only if all the local grants derived from the global
authorization can be enforced (i.e., they do not cause an inconsistency). In the Mermaid system
15], local DBMSs specify the objects they wish to export at the global level. These objects are
then used to built a single federated schema. Authorizations can be specied both at the global
and at the local level. Users have both a global and a local identity. The global identity is used to
perform global access control, whereas access control at the local level is performed with respect to
the local identity of subjects. In the model proposed in 4], users can decide which of their objects are
shared with the federation and can choose among dierent administration policies for their exported
26
objects (for example, they can choose to retain the privilege of specifying authorizations on objects
or delegate this right to the federation administrator). Access authorizations can be specied both
at the global and at the local level. Local authorizations can also be negative, and this allows users
to retain complete control over their objects even when access administration has been delegated to
the federation administrator. In the model by Wang and Spooner 16] a user has a single identity
which is used both at the global and the local level. Interactions between the local and global levels
are managed by the Global Functional Module (GFM). Authorizations to access global objects are
specied at the global level and then inherited at the local levels. When a user submits a request
to access a global object, the GFM decomposes this access request into subrequests to be submitted
at the local sites. Other related work have been carried out in the context of the IRO-DB project
5], whose goal is the development of a system supporting interoperable access between relational
and object-oriented databases. Interoperation is achieved through an interoperable layer with the
aim of integrating the schemata of the various databases into a unied schema. The IRO-DB access
control mechanism is located at the interoperable layer. The authorization model supports positive
and negative authorizations, role based authorizations as well as explicit and derived authorizations.
Moreover, a resolution policy is provided to deal with conicts possibly arising between positive and
negative authorizations.
The focus of our work is dierent from all the above proposals, where the emphasis is the development of administration policies for the management of the federation, regulating how objects can be
exported in the federation, who can specify authorizations at the global level, or how authorizations
propagate among local and global levels. By contrast, our work is mainly focused in how to support
temporal authorizations in heterogeneous, distributed systems. However, administration facilities
like the ones proposed in the work discussed above can be easily incorporated into our framework
and we plan to extend our access control model to cover the above-mentioned aspects.
8 Conclusions
In this paper we have presented a powerful authorization mechanism which provides support for
periodic authorizations, user-dened derivation rules, and the hierarchical organization of subjects
and objects. From the authorizations explicitly specied, additional authorizations are automatically
derived by the system based on those hierarchies.
We have given a solution to the problems related to the simultaneous presence of inheritance and
derivation rules. The notion of safeness guarantees that the HTAB is consistent and unambiguous.
Moreover, we have provided an eective algorithm for computing a compact version of the unique
model of safe HTABs and we have provided a methodology and related techniques for integrating
dierent HTABs into one (global) federated authorization base.
Sometimes, in the presence of ambiguities, it may be possible to select one stable model of
the HTAB, by taking into account additional information, such as the grantors of the conicting
authorizations, or priorities dened over access modes. This will be the subject of future work.
Another research direction we plan to work on is the development of tools supporting the security
administrator in the integration process.
References
1] E. Bertino, C. Bettini, E. Ferrari, and P. Samarati. An Access Control Model Supporting
Periodicity Constraints and Temporal Reasoning. ACM Trans. on Database Systems, 23(3)
(1998), 231{285.
27
2] E. Bertino, S. Jajodia, and P. Samarati. Supporting Multiple Access Control Policies in Database
Systems. In Proc. of the IEEE Symposium on Research in Security and Privacy, Oakland, CA,
1996.
3] P. Bonatti, M. L. Sapino, and V. S. Subrahmanian. Merging Heterogeneous Security Orderings.
Journal of Computer Security, 5(1) (1997), 3{29.
4] S. De Capitani di Vimercati and P. Samarati. Authorizations in Federated Database Systems.
Journal of Computer Security, 5(2) (1997), 154{188.
5] W. E%mayr, F. Kastner, G. Pernul, S. Preishuber, and A. Min Tjoa. Authorization and Access
Control in IRO-DB. In Proc. of the 12th International Conference on Data Engineering, New
Orleans, Louisiana, 1996.
6] M. Gelfond and V. Lifschitz. The Stable Model Semantics for Logic Programming. In Proc.
Fifth International Conference and Symposium on Logic Programming, Seattle, 1988.
7] D. Jonscher and K.R. Dittrich. An Approach for Building Secure Database Federations. In
Proc. 20th Conference on Very Large Databases (VLDB'94), Santiago, Chile, 1994.
8] E. Ferrari, E. Bertino, C. Bettini, A. Motta, and P. Samarati. On Using Materialization Strategies for a Temporal Authorization Model. In Proc. Post-SIGMOD Workshop on Materialized
Views: Techniques and Applications Proceedings, Montreal, Canada, 1996.
9] T.C. Przymusinski. On the Declarative Semantics of Deductive Databases and Logic Programs.
Foundations of Deductive Databases and Logic Programming, Morgan Kaufmann Publishers,
1987.
10] S. Jajodia, P. Samarati, V.S. Subrahmanian, and E. Bertino. A Unied Framework for Enforcing
Multiple Access Control Policies. In Proc. of the ACM SIGMOD Int'l Conf. on Management of
Data, Tucson, AZ, 1997.
11] L. Gong and X. Qian. Computational Issues in Secure Interoperation. In IEEE Trans. on
Software Engineering 22(1) (1996), 43{52.
12] M. Niezette and J. Stevenne. An Ecient Symbolic Representation of Periodic Time. In Proc.
of the First International Conf. on Information and Knowledge Management, Baltimore, MD,
1992.
13] J. G. Steiner, C. Neuman, and J. I. Schiller. Kerberos: An Authentication Service for Open
Network Systems. In Proc. of the USENIX Conference, Dallas, TX, 1988.
14] F. Rabitti, E. Bertino, E. Kim, and D. Woelk. A Model of Authorization for Next-Generation
Database Systems. ACM Trans. on Database Systems, 16(1) (1991), 88{131.
15] M. Templeton, E. Lund, and P. Ward. Pragmatics of Access Control in Mermaid. Data Engineering Bulletin, 10(3) (1987), 33{38.
16] C. Wang and D.L. Spooner. Access Control in a Heterogeneous Distributed Database Management System. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA,1987.
17] T.Y.C. Woo and S.S. Lam. Authorizations in Distributed Systems: A New Approach. Journal
of Computer Security, 2(2 & 3) (1993), 107{136.
28
A Main Proofs
Lemma 4.1 Let T be a HTAB. There exists an integer k such that Ck != Ck for each k > k. The
integer k is limited by one plus the number of aslongas and upon rules in T having an unbound
associated interval.
Proof. In proving the theorem we assume that the boolean formula F appearing on the right hand
side of the temporal operator in a derivation rule is in disjunctive normal form. To prove the thesis it
is sucient to consider the derivation of pair (t,A) at instants greater than tmax . Since any derivation
of a pair (t,A) with t > tmax is possible only through a rule or an authorization with an unbound
associated interval (that is, an interval of the form begin,1]), we only consider authorizations and
rules in T with an unbound associated interval. The proof is articulated in three main steps:
1. Ci !
6= Ci+1 implies that there exists a rule in T and two instants t and t0 in the i-th period with
t < t0 , such that (i) either the rule operator is aslongas and the rule res at t and not at t0 , or
(ii) the operator is upon and the rule does not re at time t, while it res at time t0 . Intuitively,
this statement says that, in the i-th period, either an aslongas rule \expires" or an upon
rule \triggers". To prove this statement we rst!note that if only explicit authorizations and
whenever rules are present in HTAB, then Ci = Ci+1.
Hence, Ci !
6= Ci+1 implies the existence of an aslongas rule Ra or of an upon rule Ru,
and of an authorization A such that the rule derive (t,A) and not (t+Pmax A), or viceversa.
Consider rst the aslongas case with Ra = (begin, 1], P, A aslongas F ), and let t0
with t < t0 t+Pmax be the rst instant in Sol(begin,1],P) for which rule Ra cannot derive
(t0 A). Thus, there exists a conjunct L in F such that either i) L = A0 and (t0 ,A0) 62 M or ii) L
= :A0 and (t0 ,A0) 2 M . t0 could be in the i-th period, in which case the above statement would
be proved, or in the (i + 1)-th period. In this last case, since it is the rst instant, we have
that either i) L = A0 (t0 ; Pmax ,A0) 2 M and (t0 ,A0) 62 M or ii) L = :A0 (t0 ; Pmax ,A0) 62 M and
(t0,A0 ) 2 M . Then, we can recursively apply the same reasoning for L as for (t A). It is easily
seen that, eventually, either we nd an aslongas rule that \expires" in the i-th period, or
we nd a conjunct derived by an upon rule.
A similar reasoning can be done for the upon rule case, i.e., we consider the rst instant t0 in
the i-th period for which the rule Ru can derive (t0 A). Eventually, either we nd an upon rule
that \triggers" in the i-th period, or we nd a conjunct derived by an aslongas rule. Hence,
the statement in item 1 holds.
2. Given two pairs (Ci Ci+1) and (Ck Ck+1) such that Ci !
6= Ci+1 and Ck !6= Ck+1, the rules expiring (triggering, resp.) in the i-th period and in the k-th period, as stated above, are dierent
aslongas (upon resp.) derivation rules in HTAB. Indeed, consider the case of aslongas.
We assume, without loss of generality, that i < k. Let Ra = (begin, 1], P, A aslongas F )
be one of the aslongas rules expiring in the i-th period, and let t0 2 Sol(begin,1],P) be the
rst instant in the i-th period, such that Ra cannot be red to derive (t0 ,A). Hence, at least
one of the conjunct L in F is such that either i) L = A0 and (t0 ,A0) 62 M or ii) L = :A0 and
(t0,A0 ) 2 M . It is easily seen from the semantics of aslongas that this rule cannot be used
anymore to derive authorization A, that is, there cannot exist an instant t00 > t0 such that (t0 ,A)
2 M and (t0,A) is derived from Ra. Suppose, by contradiction, that the rule Ra can be used to
derive (t00,A), with t00 in the (k + 1)-th period. Let us consider the conjunct L in F considered
above. Suppose that i) holds (the proof for ii) is analogous) that is, L = A0. Thus, (t ,A0)
2 M 8t 2 Sol(begin,1],P), t t00. Thus, (t0,A0) 2 M , which is clearly a contradiction. The
arguments for upon are similar and we omit them. This proof immediately leads to the result
29
that the maximum number of `dierent" Cis is limited by one plus the maximum number of
aslongas and upon rules in HTAB. Indeed, each rule can be responsible for (at most) one
relation Ci !
6= Ci+1.
3. Ci !
=
Ci+1 implies Ci !
= C!j for each j > i. To prove this statement it!is sucient to show
that
!
!
Ci = Ci+1 implies Ci+1 = Ci+2 . Suppose by contradiction that Ci = Ci+1 but Ci+1 6= Ci+2.
By item 1 above, this means that there exists a rule in HTAB and two instants t and t0 in the
(i + 1)-th period with t < t0 , such that (i) either the rule operator is aslongas and the rule
res at t while it does not re at t0 , or (ii) the operator is upon and the rule does not re at
t, while it res at t0. Consider case (i), and let (t!A) be the pair derived by the rule. Hence,
(t A) 2 Ci+1 and (t0 A) 62 Ci+1. However, since Ci = Ci+1 , then (t0 ; Pmax A) 62 Ci . This means
that rule expired in the i-th period and this contradicts the fact that the same rule can derive
(t A) in the (i + 1)-th period. Consider case (ii), and let (t0 A) be the pair derived by the rule.
Hence, (t0 A) 2 Ci+1 and (t A) 62 Ci+1. However, since Ci !
= Ci+1 , then (t0 ; Pmax A) 2 Ci.
This means that rule triggered in the i-th period and this contradicts the fact that the same
rule cannot derive (t A) in the (i + 1)-th period.
From items 2 and 3, we can easily conclude the thesis.
Proposition 4.2 For each conicting pair A B , either tl(A) < tl(B) or tl(B) < tl(A) .
Proof. For all conicting pairs A B , both (A v B) and (B v A) belong to DG(t). First suppose
that A is positive if 9B 0 2 Parents(Conicts(A)): J J j=t B 0 then (A) < (B ) by condition 2 of the
denition of rened stratication, otherwise (B ) < (A) by condition 3 of the same denition. The
case where A is negative is symmetric.
Theorem 4.1 If T satises the safeness conditions then t and tl exist for all t 0 and for all l
(1 l jAj) .
Proof.
Claim. For all graphs G with vertices V there exists a function : V ! f 1 : : : jV j g such that
1. if there is a path from A to B in G then (A) (B ) 2. if (A) = (B ) , then A and B belong to the same strongly connected component of G.
To prove the claim, let G1 : : : Gn be the strongly connected components of G, and dene Gi Gj
i i 6= j and there is a path in G from a vertex of Gi to a vertex of Gj . Note that is a strict partial
order it is well known that every such order can be extended to a strict total order that preserves
. Therefore, there exists a permutation i1 : : : in of 1 : : : n such that Gi1 Gi2 : : : Gin .
Now, for all Gik and all vertices A in Gik , let (A) = k . Clearly, satises the above two conditions.
This concludes the proof of the claim.
Now let t and l be arbitrary integers satisfying the assumptions. Consider the function corresponding to DG(t). The rst condition of compatibility with DG(t) (namely, for all edges h A l B i
in DG, (A) (B )) follows immediately from point 1 of the Claim. Suppose that the second
compatibility condition (if l = ; then (A) < (B )) is violated for some edge (A ; B ) then
(A) = (B ) and hence, by point 2 of the Claim, A and B belong to the same strongly connected
component. Therefore, there must be a path from B to A which can be extended to a negative cycle
by means of (A ; B ), contradicting the safeness of T . This proves that is compatible with DG(t),
and hence the existence of t .
We are left to show that tl exists. Let DGtl be the subgraph of DG(t) covering all and only
the vertices in Atl . The function t maps all of these vertices onto the same value l therefore, since
30
T is safe, DGtl contains no negative edges. Obtain a graph DG from DGtl by removing all and
only the variable edges (A v B ) that satisfy one of the following conditions
(a) A = A+ and 6 9B 0 2 Parents(Conicts(A)): M(tl1);1 M(tl1);1 j=t B 0 (b) A = A; and 9A0 2 Parents(Conicts (B )): M(tl1);1 M(tl1);1 j=t A0 .
Note that if (a) (resp. (b)) holds for some edge (A v B ), then (b) (resp. (a)) cannot hold for (B v A),
nor for any (B 00 v A00) with A00 =;g A and B 00 =;g B . It follows that DG cannot contain any pair
of edges (A v B ) and (B 0 v A0) such that A0 =;g A and B 0 =;g B .
Let be a function satisfying the conditions of the Claim wrt DG. Every positive edge (A + B )
with A B 2 Atl belongs to DG by construction therefore, point 1 of the Claim implies that satises the rst condition of the denition of rened stratication wrt M(tl1);1 . Secondly, suppose
that the second of such conditions is violated for some edge (A v B ) that is, A = A+ ,
9B0 2 Parents(Conicts(A)): M(tl1);1 M(tl1);1 j=t B0 (A) <
6 (B) :
(1)
(2)
By (1), (A v B ) is not eliminated and belongs to DG then, by point 1 of the Claim, (A) (B ) consequently, by (2), (A) = (B ) . This implies, by point 2 of the Claim, that DG contains a path
from B to A. By the second safeness condition, such path must contain an edge (B 0 v A0) such that
B 0 =;g B and A0 =;g A . But this is absurd, because as we have already pointed out, DG should
contain at most one of (A v B ) and (B 0 v A0). Therefore, must satisfy the second condition in the
denition of rened stratication. Symmetrically, if the third such condition were violated by then
a contradiction would follow. This proves that is a rened stratication on Atl wrt M(tl1);1 .
Lemma A.1 M "MT " .
Proof. The following claims will be needed. They follow easily from the denition of "IT and (for
Claim 1) from the assumption that T is safe:
Claim 1. We say that two interpretations I and J agree until if for all (t A) with `(t A) ,
(t A) 2 I () (t A) 2 J :
If I and J agree until ; 1 then "IT = "JT .
Claim 2. Restricting T to T restricts the output of "IT , that is, for all triples and all interpretations
I J ,
"IT (J ) "IT (J ) :
Now, in order to prove the theorem, it suces to show that for all (0 0 0),
M "M
T "!:
(3)
By induction on . The base case is trivial since M(000) = . Induction step: suppose that
(3) holds for all 0 < but not for ( > (0 0 0)), and let j be the least integer such that
M ;1
;1
M
M
"M
T " j (M ;1) 6 "T " ! . It must be j > 0, because "T " 0(M ;1) = M ;1 "T " ! (by
31
induction hypothesis). But then
;1
"M
T " j (M ;1) =
;1 M ;1
= M ;1 "M
T ("T " j ; 1(M ;1)) by denition
M ;1
= M ;1 "M
by Claim 1 { note that M and M ;1 agree until ; 1
T ("T " j ; 1(M ;1))
by construction.
M
;
1
M
M ;1 "T ("T " j ; 1(M ;1)) by Claim 2
M ;1 "MT ("MT " !)
by minimality of j and monotonicity of "M
T
M
M
= M ;1 "T " ! = "T " !
by Prop. 4.1 and induction hypothesis.
A contradiction.
Proposition A.1 Given a stratied HTAB T , consider the iterative construction of the model M .
Any time, in the construction, the validity of a negated authorization :A+ , at a time instant t, is
;1
+
checked with respect to two interpretations "M
T " k and M ;1, it is the case that `(t A ) < .
Proof.
It is immediate from the denition of the iterative process.
Lemma A.2 If T is a stratied HTAB, and, for some k < !, M M ;1 j=t L, for any authorization
literal L, then for any " > , it holds that M " M ";1 j=t L.
Proof. The lemma follows from the denition of stratication, the monotonicity of the sequence
M0 M1 : : : M , and Proposition A.1.
Corollary A.1 If T is a stratied HTAB, and M M ;1 j=t F , where F is any conjunction of
";1
authorization literals, then for any " > , for any k < ! , it holds that "M
T " " k(M ";1) M ";1 j=t
F.
Lemma A.3 "MT " M .
Proof. By induction on . Base: = 0. "MT " = M: Inductive hypothesis: (t0 B) 2 "MT "
; 1 ) (t0 B ) 2 M , for any authorization B We prove that (t A) 2 "M
T " ) (t A) 2 M , for any
authorization A. Let = `(t A) in the considered dynamic stratication of T . By cases on the rule
applied to derive (t A) in "M
T " .
rule A (TI P A) 2 T , and t 2 Sol(TI P ). (TI P A) 2 T (denition of stratication), and then
;1
(t A) 2 "M
T " 1(M ;1) (by denition of the operator ", therefore (t A) 2 M M .
rule B (TI P A whenever F ) 2 T , t 2 Sol(TI P ), and "MT " ; 1 M j=t F .
Let F = :B1 : : : :Bn C1 : : : Cm.
We prove that there exists k ! such that
;1
"M
T " k(M ;1 ) M ;1 j=t F .
In particular, we prove that there exists k ! such that
;1
"M
T " k(M ;1 ) M ;1 j=t :Bi , for all 1 i n, and
;1
"M
T " k(M ;1 ) M ;1 j=t Cj , for all 1 j m.
Consider any Bi .
"M
T " ; 1 M j=t :Bi , from the hypothesis.
32
If Bi = Bi+ , then either (i) (t Bi) 62 M , or (ii) 9D; 2 Conicts(Bi ) such that (t D;) 2
"M
T " ; 1.
In the rst case, (t Bi ) 62 M ;1 (since M ;1 M , by construction).
;
In the second case (t D; ) 2 "M
T " ; 1 ) (t D ) 2 M (inductive hypothesis) )
(t D;) 2 M 0 , being 0 = `(t D; ) (from the stratication of T ).
D; 2 Conicts(Bi ) ) 9(D; + A) 2 DGT (t), and then t(D;) t(A) (denition of
stratication). Similarly,
D; 2 Conicts(Bi ) ) 9(D; v Bi) 2 DGT (t), and 9(Bi v D;) 2 DGT (t), and then
t (D; ) = t (Bi ).
Being t (Bi ) < t(A) (stratication), we can conclude that t (D; ) < t (A), and then
0 = `(t D; ) < `(t A) = . Therefore, (t D;) 2 M ;1 .
In both cases (i) and (ii), for any k < ! , it holds that
;1
"M
T " k(M ;1 ) M ;1 j=t :Bi .
If Bi = Bi; , it must be "MT " ; 1 M j=t :Bi, and then (t Bi) 62 M . As a consequence,
(t Bi) 62 M ;1, which proves that
;1
"M
T " k(M ;1 ) M ;1 j=t :Bi .
Consider any Cj .
If Cj = Cj+ , "MT " ;1 M j=t Cj ) (t Cj ) 2 "MT " ;1, and 8D; 2 Conicts(Cj ) (t D;) 62
M (denition of validity).
(t Cj ) 2 "M
T " ; 1 ) (t Cj ) 2 M (inductive hypothesis) ) (t Cj ) 2 M 0 , with
0
= `(t Cj ) 0 (stratication of T ) ) (t Cj ) 2 M .
;1
This proves that there exists k1 < ! such that (t Cj ) 2 "M
T " k1(M ;1 ).
;1
Besides, (t D;) 62 M ) (t D; ) 62 M ;1 , and therefore "M
T " k1(M ;1) M ;1 j=t Cj .
If Cj = Cj; , it must be that (t Cj ) 2 "MT " ; 1.
Reasoning as in the previous case we can conclude that there exists k2 < ! such that
;1
"M
T " k2(M ;1 ) M ;1 j=t Cj .
;1
Globally, we can conclude that there exists k(= max(k1 k2)) such that "M
T " k(M ;1 ) M ;1 j=t
F , and then, by denition of the " operator,
;1
(t A) 2 "M
T " k + 1(M ;1) M .
rule C (TI P A upon F ) 2 T , t 2 Sol(TI P ), and 9t0 2 Sol(TI P ) such that t0 t, and "MT "
; 1 M j=t0 F .
If t0 = t, this case reduces to the previous one (rule B ).
If t0 < t, let 0 = `(t0 A).
;1
0
0 < ) "M
T " k(M ;1 ) M ;1 j=t F ,
(Corollary A.1) and then (t A) 2 M , by denition of the immediate consequence operator.
rule D (TI P A aslongas F ) 2 T , t 2 Sol(TI P ), and 8t0 2 Sol(TI P ) such that t0 t, "MT "
; 1 M j=t0 F .
If t0 = t is the only t0 2 Sol(TI P ) such that t0 t, this proof reduces to the case of rule B.
33
0 ;1
0
0
Otherwise, for any t0 < t, let 0 = `(t0 A). "M
T 0 " k(M 0 ;1 ) M 0;1 j=t F ) M 0 M 0;1 j=t
F.
;1
0
Since 0 < it holds that for any k < ! , "M
T " k(M ;1) M ;1 j=t F , by corollary A.1, and
then (t A) 2 M , by denition of the immediate consequence operator.
rule E 9A1 2 Parents(A) such that
"MT " ( ; 1) M j=t A1.
;1
We prove that there exists k < ! such that "M
T " k(M ;1 ) M ;1 j=t A1,
Let A = A+1 .
+
+
+
M
;
;
"M
T " ( ; 1) M j=t A1 ) (t A1 ) 2 "T " ; 1 and 8B 2 Conicts (A1 )(t B ) 62 M ,
by denition of validity.
+
(t A+1 ) 2 "M
T " ; 1 ) (t A1 ) 2 M (inductive hypothesis) ) (t A1) 2 M1 , where
+
1 = `(t A1 ). Since A1 2 Parents(A) ) 1 < (by denition of stratication), and then
;1
(t A+1 ) 2 "M
T " 0.
Besides, 8B ; 2 Conicts(A+1 )(t B ; ) 62 M ) (t B ; ) 62 M ;1 (monotonicity). Therefore,
+
;1
"M
T " 0(M ;1) M ;1 j=t A1 ,
If A = A; , the proof is analogous to the rst part of the above case.
8A2 2 Conicts(A) (t A2) 62 M . Therefore (t A2) 62 M ;1 (monotonicity).
if A = A+ , then 8A3 2 Parents(Conicts(A)) "MT " ( ; 1) M j=t :A3 .
By denition of validity, it must be (t A3) 62 M , and then (t A3) 62 M ;1 (monotonicity).
Therefore, M ;1 M ;1 j=t A3.
Thus, it is proved that (t A) 2 M .
Theorem 4.2 M is the unique stable model of T .
Proof. M is a stable model of T by lemmas A.1 and A.3. To prove uniqueness, let N be any stable
model of T . Suppose that N =
6 M and let be the maximal such that N and M agree until . It
suces to show that for all i, "NT " i and "M
T " i agree until + 1 , which implies, by def. of stable
model, that M and N agree until + 1 and hence a contradiction.
The proof is by induction on i. The base case is trivial. For the induction step, note that since
T is safe, the membership of an arbitrary (t A) with `(t A) + 1 to "NT " i depends only on
conditions of the following form:
1. (t0 A0) 2 "NT " i ; 1 , where `(t0 A0) + 1 2. (t00 A00) 62 N , where `(t00 A00) .
By induction hypothesis, "NT " i ; 1 and "M
T " i ; 1 agree until +1 , therefore N can be equivalently
replaced by M in point 1 moreover, since N and M agree until by assumption, N can be equivalently replaced by M in point 2. It follows immediately that (t A) 2 "NT " i implies (t A) 2 "M
T " i.
The opposite implication can be proved symmetrically. This completes the proof.
34