  • DocumentCode
    1809700
  • Title
    A Framework for Enforcing Constrained RBAC Policies
  • Author
    Crampton, Jason ; Khambhammettu, Hemanth
  • Author_Institution
    Inf. Security Group R. Holloway, Univ. of London, London, UK
  • Volume
    3
  • fYear
    2009
  • fDate
    29-31 Aug. 2009
  • Firstpage
    195
  • Lastpage
    200
  • Abstract
    Constraints are an important part of role-based access control policies. The safety or security of a system is maintained by enforcing constraints that are specified in the policy. In order to decide whether an access request is authorized, existing constraint enforcement mechanisms perform both authorization checking, which verifies that the requested operation is sufficiently authorized, and constraint checking, which checks whether permitting the operation would violate any constraint. The decision functions of large-scale systems, where hundreds of requests arise concurrently, require relatively simple decision-making algorithms. Performing constraint checking when deciding whether an access request is authorized introduces an additional overhead. In this paper, we describe a new framework for enforcing constraints that only requires us to perform authorization checking when deciding an access request. Essentially, we transform the constraint checking problem into an authorization checking problem by modifying authorization state following the success of an access request.
  • Keywords
    authorisation; decision making; formal specification; authorization checking; constrained RBAC policy enforcement mechanism; constraint checking; decision function; decision-making algorithm; large-scale system; role-based access control; Access control; Authorization; Information security; Large-scale systems; Maintenance engineering; Monitoring; Performance evaluation; Permission; Protection; Safety;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computational Science and Engineering, 2009. CSE '09. International Conference on
  • Conference_Location
    Vancouver, BC
  • Print_ISBN
    978-1-4244-5334-4
  • Electronic_ISBN
    978-0-7695-3823-5
  • Type
    conf
  • DOI
    10.1109/CSE.2009.325
  • Filename
    5283497