Extended Provision-Based Access Control Model

Over the years, a wide variety of access control models and policies have been proposed and almost all models have assumed "grant the access request or deny it". The notation of provisional action which have been proposed, tells the user that her/his request will be authorized provided he/she (and/or the system) performs certain security actions e.g. encryption in file transfer and etc. The major advantage of this approach is that arbitrary actions such as cryptographic operations can all coexist in the access control policy rules. Although this approach has many advantages but it fails in some circumstances and needs new facilities and capabilities to overcome them. PBAC model lacks active/passive roles concept so we define a new concept named session. A user can initiate a session by activating some of the roles and groups in a period of time, under certain conditions. In addition, the other new concepts such as constraints on role assignments, avoiding conflicting permissions, limiting the grant of permissions to some specific roles rather than a normal user, and etc. have been added to the original PBAC model in a formal manner.