Abductive Analysis of Administrative Policies in Rule-based Access Control
Puneet Gupta, Google, Inc., Mountain View
Scott D. Stoller, Stony Brook University, Stony Brook
Zhongyuan Xu, Stony Brook University, Stony Brook
In large organizations, access control policies are managed by multiple users (administrators). An administrative policy specifies how each user in an enterprise may change the policy. Fully understanding the consequences of an administrative policy in an enterprise system can be difficult, because of the scale and complexity of the access control policy and the administrative policy, and because sequences of changes by different users may interact in unexpected ways. Administrative policy analysis helps by answering questions such as user-permission reachability, which asks whether specified users can together change the policy in a way that achieves a specified goal, namely, granting a specified permission to a specified user. This paper presents a rule-based access control policy language, a rule-based administrative policy model that controls addition and removal of facts and rules, and an abductive analysis algorithm for user-permission reachability. Abductive analysis means that the algorithm can analyze policy rules even if the facts initially in the policy (e.g., information about users) are unavailable. The algorithm does this by computing minimal sets of facts that, if present in the initial policy, imply reachability of the goal.
Index Terms:
Access control, Algorithm design and analysis, Semantics, Hospitals, Grammar, Organizations, Verification, Access controls
Citation:
Puneet Gupta, Scott D. Stoller, Zhongyuan Xu, "Abductive Analysis of Administrative Policies in Rule-based Access Control," IEEE Transactions on Dependable and Secure Computing, 28 Feb. 2014. IEEE Computer Society Digital Library. IEEE Computer Society, <http://doi.ieeecomputersociety.org/10.1109/TDSC.2013.42>