DocumentCode
3366294
Title
Function-Based Authorization Constraints Specification and Enforcement
Author
Zhou, Wei ; Meinel, Christoph
Author_Institution
Univ. of Potsdam, Potsdam
fYear
2007
fDate
29-31 Aug. 2007
Firstpage
119
Lastpage
124
Abstract
Constraints are an important aspect of role-based access control (RBAC) and its different extensions. They are often regarded as one of the principal motivations behind these access control models. In this paper, we introduce two novel authorization constraint specification schemes, named the prohibition constraint scheme and the obligation constraint scheme. Both of them can be used for expressing and enforcing authorization constraints. These schemes bind strongly to authorization entity set functions and authorization entity relation functions, so they can give system designers a clear view of which functions should be defined in an authorization constraint system. Based on these functions, different kinds of constraint schemes can be easily defined. Security administrators can use these functions to create constraint schemes for their day-to-day operations. The constraint system can be scaled by defining new functions. This approach goes beyond the well-known separation of duty constraints, and considers many aspects of entity relation constraints.
Keywords
authorisation; formal specification; authorization entity relation functions; authorization entity set functions; function-based authorization constraint enforcement; function-based authorization constraint specification; obligation constraint scheme; prohibition constraint scheme; role-based access control; security administrators; Access control; Authorization; Computer security; Context modeling; Data security; Information security; Knowledge based systems; Permission; Visualization; Access control; authorization constraints; constraints enforcement; constraints specification;
fLanguage
English
Publisher
ieee
Conference_Titel
Information Assurance and Security, 2007. IAS 2007. Third International Symposium on
Conference_Location
Manchester
Print_ISBN
0-7695-2876-7
Electronic_ISBN
978-0-7695-2876-2
Type
conf
DOI
10.1109/IAS.2007.40
Filename
4299761