We introduce the RT framework, a family of Rolebased Trust-management languages for representing policies and credentials in distributed authorization. RT combines the strengths of role-based access control and trustmanagement systems and is especially suitable for attributebased access control. Using a few simple credential forms, RT provides localized authority over roles, delegation in role definition, linked roles, and parameterized roles. RT also introduces manifold roles, which can be used to express threshold and separation-of-duty policies, and delegation of role activations. We formally define the semantics of credentials in the RT framework by presenting a translation from credentials to Datalog rules. This translation also shows that this semantics is algorithmically tractable. 1

We study the specification of access control policy in large-scale distributed systems. We present Cassandra, a language and system for expressing policy, and the results of a substantial case study, a security policy for a national Electronic Health Record system, based on the requirements for the ongoing UK National Health Service procurement exercise. Cassandra policies are expressed in a language based on Datalog with constraints. The expressiveness of the language (and its computational complexity) can be tuned by choosing an appropriate constraint domain. Cassandra is role-based; it supports credential-based access control (e.g. between administrative domains); and rules can refer to remote policies (for automatic credential retrieval and trust negotiation). Moreover, the policy language is small, and it has a formal semantics for query evaluation and for the access control engine. For the case study we choose a constraint domain C0 that is sufficiently expressive to encode many policy idioms. The case study turns out to require many subtle variants of these; it is important to express this variety smoothly, rather than add them as ad hoc features. By ensuring only a constraint compact fragment of C0 is used, we guarantee a finite and computable fixed-point model. We use a top-down evaluation algorithm, for efficiency and to guarantee termination. The case study (with some 310 rules and 58 roles) demonstrates that this language is expressive enough for a realworld application; preliminary results suggest that the performance should be acceptable. 1.

We discuss the integration of contextual information with teambased access control. The TMAC model was formulated by Thomas in [1] to provide access control for collaborative activity best accomplished by teams of users. In TMAC, access control revolves around teams, where a "team" is an abstraction that encapsulates a collection of users in specific roles and collaborating with the objective of accomplishing a specific task or goal. Users who belong to a team are given access to resources used by a team. However, the effective permissions of a user are always derived from permission types defined for roles that the user belongs to. TMAC is an example of what we call "active security models". These models are aware of the context associated with an ongoing activity in providing access control and thus distinguish the passive concept of permission assignment from the active concept of context-based permission activation. The ability to integrate contextual information allows models such as TMAC to be flexible and express a variety of access policies that can provide tight and just-in-time permission activation.

We present a declarative authorization language that strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to Datalog with Constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.

OASIS is a role-based access control architecture for achieving secure interoperation of independently managed services in an open, distributed environment. OASIS differs from other RBAC schemes in a number of ways: role management is decentralised, roles are parametrised, and privileges are not delegated. OASIS depends on an active middleware platform to notify services of any relevant changes in their environment. Services define roles and establish formally specified policy for role activation and service use; users must present the required credentials and satisfy specified constraints in order to activate a role or invoke a service. The membership rule of a role indicates which of the role activation conditions must remain true while the role is active. A role is deactivated immediately if any of the conditions of the membership rule associated with its activation become false. Instead of privilege delegation OASIS introduces the notion of appointment, whereby being active in certain roles carries the privilege of issuing appointment certificates to other users. Appointment certificates capture the notion of long lived credentials such as academic and professional qualification or membership of an organisation. The role activation conditions of a service may include appointment certificates, prerequisite roles and environmental constraints. We define the model and architecture and discuss engineering details, including security issues. We illustrate how an OASIS session can span multiple domains, and discuss how it can be used in a global environment where roving principals, in possession of appointment certificates, encounter and wish to use services. We propose a minimal infrastructure to enable widely distributed, independently developed services to enter into agreements to respect each other's credentials. We speculate on a further extension to mutually unknown, and therefore untrusted, parties. Each party will accumulate audit certificates which embody its interaction history and which may form the basis of a web of trust.

After a short period of being not much more than a curiosity, the World-Wide Web quickly became an important medium for discussion, commerce, and business. Instead of holding just information that the entire world could see, web pages also became used to access email, financial records, and other personal or proprietary data that was meant to be viewed only by particular individuals or groups. This made it necessary to design mechanisms that would restrict access to web pages. Unfortunately, most current mechanisms are lacking in generality and flexibility---they interoperate poorly and can express only a limited number of security policies.

this paper appeared in the Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT 2003)

The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between entities, such as, the user, the object to be accessed, and the subject of the information contained within the object. Such relationships are often not efficiently represented using traditional static security attributes centrally administered. Furthermore, the extension of RBAC models to include relationships obscures the fundamental RBAC metaphor. This paper furthers the concept of relationships for use in access control, and it shows how relationships can be supported in role based access decisions by using the Object Management Group's (OMG) Resource Access Decision facility (RAD). This facility allows relationship information, which can dynamically change as part of normal application p...

OASIS is a role-based access control architecture for achieving secure interoperation of services in an open, distributed environment. Services define roles and implement formally specified policy for role activation and service use; users must present the required credentials, in the specified context, in order to activate a role or invoke a service. Roles are activated for the duration of a session only. In addition, a role is deactivated immediately if any of the conditions of the membership rule associated with its activation becomes false. OASIS does not use role delegation but instead defines the notion of appointment, whereby a user in some role may issue an appointment certificate to some other user. The role activation conditions of services may include appointment certificates, prerequisite roles and environmental constraints. We motivate our approach and formalise OASIS. First, a basic model is presented followed by an extended model which includes parameterisation.

This paper presents an approach that uses special purpose RBAC constraints to base certain access control decisions on context information. In our approach a context constraint is defined as a dynamic RBAC constraint that checks the actual values of one or more contextual attributes for predefined conditions. If these conditions are satisfied, the corresponding access request can be permitted. Accordingly, a conditional permission is an RBAC permission which is constrained by one or more context constraints. We present an engineering process for context constraints, that is based on goal-oriented requirements engineering techniques, and describe how we extended the design and implementation of an existing RBAC service to enable the enforcement of context constraints. With our approach we aim to preserve the advantages of RBAC, and o#er an additional means for the definition and enforcement of fine-grained context-dependent access control policies.