DocumentCode :
2159345
Title :
Active Authorization Rules for Enforcing Role-Based Access Control and its Extensions
Author :
Adaikkalavan, Raman ; Chakravarthy, Sharma
Author_Institution :
The University of Texas at Arlington
fYear :
2005
fDate :
05-08 April 2005
Firstpage :
1197
Lastpage :
1197
Abstract :
Dynamically monitoring the state changes of an underlying system, detecting and reacting to changes without delay are crucial for the success of any access control enforcement mechanism. With their inherent nature, active (Event-Condition-Action or ECA) rules are prospective candidates to carry out change detection and to provide access control. Current systems or models do not provide a flexible mechanism for enforcing the Role-Based Access Control (RBAC) standard and its extensions in a seamless way, and do not adapt to policy or role structure changes in enterprises, which are indispensable to make RBAC usable in diverse domains. In this paper we will show how On-When-Then-Else authorization rules (or enhanced ECA rules) are used for enforcing the RBAC standard and its extensions such as generalized temporal RBAC, control flow dependency constraints, privacy-aware RBAC, and so forth in a seamless way. Furthermore, these rules also provide active security. Large enterprises have hundreds of roles, which requires thousands of rules for providing access control, and generating these rules manually is error-prone and a cognitive burden for non-computer specialists. Thus, in this paper, we will discuss briefly how these authorization rules can be automatically (or semi-automatically) generated from high-level specifications of enterprise access control policies. We will also discuss the implementation using Sentinel+, an active object-oriented system.
Keywords :
Access control; Authorization; Computer science; Computerized monitoring; Delay; Error correction; Information technology; Object oriented modeling; Privacy; Security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Data Engineering Workshops, 2005. 21st International Conference on
Print_ISBN :
0-7695-2657-8
Type :
conf
DOI :
10.1109/ICDE.2005.179
Filename :
1647810