A Temporal Access Control Mechanism for Database Systems
February 1996 (vol. 8 no. 1)
pp. 67-80

Abstract—This paper presents a discretionary access control model in which authorizations carry temporal intervals of validity. An authorization is automatically revoked when its temporal interval expires. The model provides rules for the automatic derivation of new authorizations from those explicitly specified, and supports both positive and negative authorizations. A formal definition of these concepts is given, together with a semantic interpretation of authorizations and derivation rules as clauses of a general logic program. Issues arising from the presence of negative authorizations are discussed. Negation is also allowed in rules: a new authorization may be derived on the basis of the absence of other authorizations. The presence of this type of rule may lead to different sets of derived authorizations, depending on the evaluation order. An approach is presented, based on establishing an ordering among authorizations and derivation rules, that guarantees a unique set of valid authorizations, together with an algorithm that detects whether such an ordering can be established for a given set of authorizations and rules. Administrative operations for adding, removing, and modifying authorizations and derivation rules are presented, and efficiency issues related to these operations are also addressed. A materialization approach is proposed that allows access control to be performed efficiently.
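The following Python program is an added illustration of the mechanism the abstract describes; it is not code from the paper or its authors. It models authorizations as (sign, subject, object, privilege) keys valid over sets of time points, derivation rules whose bodies may negate other authorizations, a stratification check as the "ordering" that guarantees a unique authorization set (the abstract's ordering and detection algorithm may differ in detail), and a materialized table queried at access time. Everything concrete is assumed for the example: a bounded discrete time line of HORIZON points, ground rules without variables, a denial-takes-precedence conflict policy, and the constructed subjects ann and bob with objects salaries and budget.

```python
"""Temporal authorizations (+/-), derivation rules with negation, a
stratification check, and a materialized table for access control.
Added illustration, not the authors' implementation. Assumptions: time is
1..HORIZON; rules are ground; denials win over grants; the ordering that
yields a unique authorization set is stratification of the rule graph."""
from collections import defaultdict

HORIZON = 10                      # constructed: time points 1..10 (e.g. days)
ALL_TIMES = set(range(1, HORIZON + 1))


def interval(start, end=None):
    """Time points in [start, end]; end=None means valid until revoked."""
    return set(range(start, (HORIZON if end is None else end) + 1))


# Authorization key: (sign, subject, object, privilege); value: valid times.
def explicit_auths():
    return {                                              # constructed data
        ('+', 'ann', 'salaries', 'read'): interval(1, 5),
        ('-', 'bob', 'salaries', 'read'): interval(3, 4),
        ('+', 'bob', 'budget', 'write'):  interval(2),
    }


# Rule: (head, body). Body literals are (negated, key); a negated literal is
# satisfied at t exactly when that authorization does NOT hold at t.
def rules():
    return [
        # bob may read salaries whenever ann may, unless explicitly denied
        (('+', 'bob', 'salaries', 'read'),
         [(False, ('+', 'ann', 'salaries', 'read')),
          (True,  ('-', 'bob', 'salaries', 'read'))]),
        # write on budget implies read on budget
        (('+', 'bob', 'budget', 'read'),
         [(False, ('+', 'bob', 'budget', 'write'))]),
    ]


def unstratifiable_rules():
    """Constructed: each grant holds iff the other is absent, so the result
    depends on which rule is evaluated first; no unique model exists."""
    a = ('+', 'ann', 'budget', 'read')
    b = ('+', 'bob', 'budget', 'read')
    return [(a, [(True, b)]), (b, [(True, a)])]


def stratify(rule_list):
    """Assign each key a stratum: positive dependencies may sit in the same
    or a lower stratum, negative ones strictly lower. Returns {key: stratum},
    or None when a negative dependency lies on a cycle (no valid ordering)."""
    keys = {h for h, _ in rule_list} | {k for _, body in rule_list for _, k in body}
    stratum = dict.fromkeys(keys, 0)
    for _ in range(len(keys) + 1):            # Bellman-Ford style relaxation
        changed = False
        for head, body in rule_list:
            for negated, k in body:
                need = stratum[k] + (1 if negated else 0)
                if stratum[head] < need:
                    stratum[head] = need
                    changed = True
        if not changed:
            return stratum
    return None                               # strata grow without bound


def materialize(explicit, rule_list):
    """Compute the unique set of valid authorizations by evaluating strata
    bottom-up, iterating each stratum's rules to a fixpoint. Negated literals
    only refer to lower, already complete, strata, so rule order is irrelevant."""
    strata = stratify(rule_list)
    if strata is None:
        raise ValueError("not stratifiable: result would depend on evaluation order")
    valid = defaultdict(set, {k: set(v) for k, v in explicit.items()})
    for level in sorted(set(strata.values())):
        level_rules = [r for r in rule_list if strata[r[0]] == level]
        changed = True
        while changed:
            changed = False
            for head, body in level_rules:
                times = set(ALL_TIMES)
                for negated, k in body:
                    times &= (ALL_TIMES - valid[k]) if negated else valid[k]
                if not times <= valid[head]:
                    valid[head] |= times
                    changed = True
    return dict(valid)


def can_access(valid, subject, obj, priv, t):
    """Access check against the materialized table; denial takes precedence."""
    return (t in valid.get(('+', subject, obj, priv), set())
            and t not in valid.get(('-', subject, obj, priv), set()))


if __name__ == "__main__":
    table = materialize(explicit_auths(), rules())
    for key, times in sorted(table.items()):
        print(key, sorted(times))
    print("bob read salaries @3:", can_access(table, 'bob', 'salaries', 'read', 3))
    print("ann read salaries @6:", can_access(table, 'ann', 'salaries', 'read', 6))
    print("cyclic negation stratifiable:", stratify(unstratifiable_rules()) is not None)
```

Running it shows the three behaviours the abstract singles out: ann's grant disappears at time 6 without any explicit revocation, bob's derived grant on salaries holds at times 1, 2 and 5 but not during his explicit denial, and the pair of mutually negating rules is rejected before any authorization is materialized. Administrative changes would be handled by editing the explicit set or rule list and recomputing (or incrementally maintaining) the table.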

Index Terms:
Database security, temporal authorization, database management, temporal reasoning, general logic programs, access control.
Elisa Bertino, Claudio Bettini, Elena Ferrari, Pierangela Samarati, "A Temporal Access Control Mechanism for Database Systems," IEEE Transactions on Knowledge and Data Engineering, vol. 8, no. 1, pp. 67-80, Feb. 1996, doi:10.1109/69.485637