DOI: 10.1145/1998441.1998473

On the management of user obligations

Published: 15 June 2011

ABSTRACT

This paper is part of a project investigating authorization systems that assign obligations to users. We are particularly interested in obligations that require authorization to be performed and that, when performed, may modify the authorization state. In this context, a user may incur an obligation she is unauthorized to perform. Prior work has introduced a property of the authorization system state that ensures users will be authorized to fulfill their obligations. We call this property accountability because users that fail to perform authorized obligations are accountable for their non-performance. While a reference monitor can mitigate violations of accountability, it cannot prevent them entirely. This paper presents techniques to be used by obligation system managers to restore accountability. We introduce several notions of dependence among pending obligations that must be considered in this process. We also introduce a novel notion we call obligation pool slicing, owing to its similarity to program slicing. An obligation pool slice identifies a set of obligations that the administrator may need to consider when applying strategies proposed here for restoring accountability. The paper also presents the system architecture of an authorization system that incorporates obligations that can require and affect authorizations.
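As an added illustration (not code from the paper, and a deliberately simplified model rather than its formal definitions), the following Python toy replays a pool of authorization-dependent obligations to detect accountability violations and then computes a backward slice of the pending obligations an administrator would need to consider for one failing obligation. The obligation fields, the deadline-order replay, the user and permission names and the dependence rule (an obligation depends on every earlier one whose grants or revokes touch a permission it, or one of its dependencies, needs) are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Obligation:
    oid: str
    user: str
    deadline: int          # time by which the user must have performed the action
    needs: frozenset       # permissions the user must hold at that moment
    grants: dict = field(default_factory=dict)   # {user: {perm, ...}} added on performance
    revokes: dict = field(default_factory=dict)  # {user: {perm, ...}} removed on performance

def unaccountable(pool, auth):
    """Replay pending obligations in deadline order against the authorization state
    and return the ids of those whose user lacks a needed permission at that point."""
    state = {u: set(p) for u, p in auth.items()}
    violations = []
    for ob in sorted(pool, key=lambda o: o.deadline):
        if not ob.needs <= state.get(ob.user, set()):
            violations.append(ob.oid)
            continue  # an unperformable obligation leaves the state unchanged
        for u, perms in ob.grants.items():
            state.setdefault(u, set()).update(perms)
        for u, perms in ob.revokes.items():
            state.setdefault(u, set()).difference_update(perms)
    return violations

def slice_pool(pool, target_id):
    """Backward slice (toy analogue of program slicing): earlier obligations whose grants
    or revokes reach what the target needs, followed transitively through their own needs."""
    order = sorted(pool, key=lambda o: o.deadline)
    target = next(o for o in order if o.oid == target_id)
    earlier = order[:order.index(target)]
    wanted = {(target.user, p) for p in target.needs}   # (user, permission) pairs of interest
    result = set()
    for ob in reversed(earlier):   # latest first, so each dependant is seen before its dependencies
        effects = {(u, p) for d in (ob.grants, ob.revokes) for u, ps in d.items() for p in ps}
        if effects & wanted:
            result.add(ob.oid)
            wanted |= {(ob.user, p) for p in ob.needs}  # its preconditions now matter too
    return result

# Constructed sample (not from the paper): alice's obligation revokes carol's "admin" right
# before carol can grant bob the "sign" right that bob's obligation needs; dave never holds "sign".
AUTH = {"alice": {"approve"}, "bob": set(), "carol": {"admin"}, "dave": set()}
POOL = [
    Obligation("o1", "carol", 1, frozenset({"admin"}), grants={"bob": {"sign"}}),
    Obligation("o2", "bob", 2, frozenset({"sign"})),
    Obligation("o3", "alice", 0, frozenset({"approve"}), revokes={"carol": {"admin"}}),
    Obligation("o4", "dave", 2, frozenset({"sign"})),
]
```

Running `unaccountable(POOL, AUTH)` reports o1, o2 and o4; `slice_pool(POOL, "o2")` returns {o1, o3}, showing that bob's failure traces back through carol's obligation to alice's revocation, while dave's obligation has no dependencies in the pool and can only be fixed by changing the authorization state directly.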


Published in

SACMAT '11: Proceedings of the 16th ACM symposium on Access control models and technologies
June 2011
196 pages
ISBN: 9781450306881
DOI: 10.1145/1998441

Copyright © 2011 ACM

Publisher

Association for Computing Machinery
New York, NY, United States


Acceptance Rates

Overall acceptance rate: 177 of 597 submissions, 30%
