Design and semantics of a decentralized authorization language
- 20th IEEE Computer Security Foundations Symposium, 2007
Cited by 41 (8 self)
We present a declarative authorization language that strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to Datalog with Constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.
SecPAL: Design and Semantics of a Decentralized Authorization Language
- In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF, 2006
Cited by 24 (4 self)
By using or providing feedback on the SecPAL Specification (comprised of the SecPAL formal model, SecPAL Schema Specification, and SecPAL Schema) (“Specification”), you agree to the following terms and conditions:
• Microsoft hereby grants you permission to copy and review the Specification (a) as a reference to assist you in planning and designing your implementation of the Specification and (b) to provide feedback on the Specification to Microsoft. You may not modify, create derivative works from, subset, or extend the Specification.
• Provided that you comply with all the terms of use for the Specification, Microsoft agrees to grant you a royalty-free license under reasonable and non-discriminatory terms and conditions to Microsoft patents that Microsoft deems necessary to implement the Specification. You must comply with and implement all normative portions of the Specification in its entirety; you may not elect to implement only portions of the Specification. Unless otherwise specifically mentioned all sections of the Specification should be considered normative.
• You have no obligation to give Microsoft any suggestions, comments or other feedback (“Feedback”) relating to the Specification. If you do give Microsoft Feedback on the Specification, You agree: (a) Microsoft may freely use, reproduce, license, distribute, and otherwise commercialize Your Feedback in any Microsoft product or service offering; (b) you also grant third parties, without charge, only those patent rights necessary to implement those portions of the Specification that incorporate your Feedback; and (c) you will not give Microsoft any Feedback (i) that you have reason to believe is subject to any patent, copyright or other intellectual property claim or right of any third party; or (ii) subject to license terms which seek to require any Microsoft product offering incorporating or derived from such Feedback, or other Microsoft intellectual property, to be licensed to or otherwise shared with any third party.
Policy analysis for administrative role based access control
- In Proc. 19th IEEE Computer Security Foundations Workshop (CSFW, 2006
Cited by 18 (3 self)
Role-Based Access Control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an organization’s RBAC policy may change. Changes by one administrator may interact in unintended ways with changes by other administrators. Consequently, the effect of an ARBAC policy is hard to understand by simple inspection. In this paper, we consider the problem of analyzing ARBAC policies, in particular to determine reachability properties (e.g., whether a user can eventually be assigned to a role by a group of administrators) and availability properties (e.g., whether a user cannot be removed from a role by a group of administrators) implied by a policy. We first establish the connection between security policy analysis and planning in Artificial Intelligence. Based partly on this connection, we show that reachability analysis for ARBAC is PSPACE-complete. We also give algorithms and complexity results for reachability and related analysis problems for several categories of ARBAC policies, defined by simple restrictions on the policy language.
Context-Aware Role-based Access Control in Pervasive Computing Systems
- SACMAT’08 Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, 2008
Cited by 11 (5 self)
In this paper we present a context-aware RBAC (CA-RBAC) model for pervasive computing applications. The design of this model has been guided by the context-based access control requirements of such applications. These requirements are related to users’ memberships in roles, permission executions by role members, and context-based dynamic integration of services in the environment with an application. Context information is used in role admission policies, in policies related to permission executions by role members, and in policies related to accessing of dynamically interfaced services by role members. The dynamic nature of context information requires model-level support for revocations of role memberships and permission activations when certain context conditions fail to hold. Based on this model we present a programming framework for building context-aware applications, providing mechanisms for specifying and enforcing context-based access control requirements.
A study of access control requirements for healthcare systems based on audit trails from access logs
- In Proc. of the 2006 Annual Computer Security Applications Conference, Miami Beach, 2006
Cited by 8 (0 self)
In healthcare, role-based access control systems are often extended with exception mechanisms to ensure access to needed information even when the needs don’t follow the expected patterns. Exception mechanisms increase the threats to patient privacy, and therefore their use should be limited and subject to auditing. We have studied access logs from a hospital EPR system with extensive use of exception-based access control. We found that the uses of the exception mechanisms were too frequent and widespread to be considered exceptions. The huge size of the log and the use of predefined or uninformative reasons for access make it infeasible to audit the log for misuse. The informative reasons that were given provided starting points for requirements on how the usage needs should be accomplished without exception-based access. With more structured and fine-grained logging, analysis of access logs could be a very useful tool for learning how to reduce the need for exception-based access.
Symbolic Reachability Analysis for Parameterized Administrative Role Based Access Control
Cited by 2 (0 self)
Role based access control (RBAC) is a widely used access control paradigm. In large organizations, the RBAC policy is managed by multiple administrators. An administrative role based access control (ARBAC) policy specifies how each administrator may change the RBAC policy. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such as user-role reachability, which asks whether a given user can be assigned to given roles by given administrators. Allowing roles and permissions to have parameters significantly enhances the scalability, flexibility, and expressiveness of ARBAC policies. This paper defines PARBAC, which extends the classic ARBAC97 model to support parameters, and presents an analysis algorithm for PARBAC. To the best of our knowledge, this is the first analysis algorithm specifically for parameterized ARBAC policies. We evaluate its efficiency by analyzing its parameterized complexity and benchmarking it on case studies and synthetic policies.
Building Context-Aware Healthcare Applications using a Generative Programming Framework
Developing context-aware applications is a tedious task which requires interfacing with different kinds of environmental sensors, new programming models, and extensive middleware support in the form of resource discovery services, context management services, and context-based authorization services. We have developed a programming framework for building context-aware applications from their high-level design specifications. In this paper we show how this programming framework can be effectively used to build context-aware applications in the medical domain.
Declarative Access Control for WebDSL: Combining Language Integration and Separation of Concerns
year = {2008}, editor = {Daniel Schwabe and Francisco Curbera}, address = {Yorktown Heights, New York, USA}, month = {July}, publisher = {IEEE}, pubcat = {conference}, project = {MoDSE and ASSESS and WebDSL and Stratego}
OF THE UNIVERSITY OF MINNESOTA BY
I am deeply indebted to my advisor Prof. Anand Tripathi for providing the vision for this project. Without his continuous support, and patience, this task would have become impossible. Everything that I have learned over these years is because of my close interactions with him while working on the various projects in the group. It has been absolutely priceless. My parents encouraged me to take up this challenge, and were by my side during the difficult periods. Aai and Baba, it is because of you that I have reached this stage. Special thanks go to Tanvir Ahmed. He helped me get started on the middleware during the early stages of this thesis. I want to thank the committee members, Prof. David Lilja, Prof. Eric Van Wyk, and Prof. Abhishek Chandra for serving on my committee. It would have been impossible to work on this thesis without the financial support provided

