Unification: a multidisciplinary survey
ACM Computing Surveys (CSUR)
Authentication in distributed systems: theory and practice
ACM Transactions on Computer Systems (TOCS)
A calculus for access control in distributed systems
ACM Transactions on Programming Languages and Systems (TOPLAS)
A temporal authorization model
CCS '94 Proceedings of the 2nd ACM Conference on Computer and communications security
Tabled evaluation with delaying for general logic programs
Journal of the ACM (JACM)
Reconciling role based management and role based access control
RBAC '97 Proceedings of the second ACM workshop on Role-based access control
Role templates for content-based access control
RBAC '97 Proceedings of the second ACM workshop on Role-based access control
A security architecture for computational grids
CCS '98 Proceedings of the 5th ACM conference on Computer and communications security
An access control model supporting periodicity constraints and temporal reasoning
ACM Transactions on Database Systems (TODS)
On SDSI's linked local name spaces
Journal of Computer Security
An Efficient Unification Algorithm
ACM Transactions on Programming Languages and Systems (TOPLAS)
A logical framework for reasoning about access control models
SACMAT '01 Proceedings of the sixth ACM symposium on Access control models and technologies
Flexible support for multiple access control policies
ACM Transactions on Database Systems (TODS)
Introduction to constraint databases
Introduction to constraint databases
Foundations of Databases: The Logical Level
Foundations of Databases: The Logical Level
What You Always Wanted to Know About Datalog (And Never Dared to Ask)
IEEE Transactions on Knowledge and Data Engineering
OLD Resolution with Tabulation
Proceedings of the Third International Conference on Logic Programming
DATALOG with Constraints: A Foundation for Trust Management Languages
PADL '03 Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages
Constraint Databases: A Survey
Selected Papers from a Workshop on Semantics in Databases
Can We Eliminate Certificate Revocations Lists?
FC '98 Proceedings of the Second International Conference on Financial Cryptography
The PERMIS X.509 role based privilege management infrastructure
Future Generation Computer Systems - Special section: Selected papers from the TERENA networking conference 2002
Complexity and Expressive Power of Logic Programming
CCC '97 Proceedings of the 12th Annual IEEE Conference on Computational Complexity
STOC '76 Proceedings of the eighth annual ACM symposium on Theory of computing
HPDC '03 Proceedings of the 12th IEEE International Symposium on High Performance Distributed Computing
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Design of a Role-Based Trust-Management Framework
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Binder, a Logic-Based Security Language
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Decentralized Trust Management
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A Practically Implementable and Tractable Delegation Logic
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
SD3: A Trust Management System with Certified Evaluation
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Flexible access control policy specification with constraint logic programming
ACM Transactions on Information and System Security (TISSEC)
Certificate-based authorization policy in a PKI environment
ACM Transactions on Information and System Security (TISSEC)
A case study in access control requirements for a Health Information System
ACSW Frontiers '04 Proceedings of the second workshop on Australasian information security, Data Mining and Web Intelligence, and Software Internationalisation - Volume 32
Cassandra: Distributed Access Control Policies with Tunable Expressiveness
POLICY '04 Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks
Cassandra: Flexible Trust Management, Applied to Electronic Health Records
CSFW '04 Proceedings of the 17th IEEE workshop on Computer Security Foundations
CSFW '04 Proceedings of the 17th IEEE workshop on Computer Security Foundations
A logic-based framework for attribute based access control
Proceedings of the 2004 ACM workshop on Formal methods in security engineering
Design and Semantics of a Decentralized Authorization Language
CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
Fine-grained access control for GridFTP using SecPAL
GRID '07 Proceedings of the 8th IEEE/ACM International Conference on Grid Computing
Authorisation in Grid computing
Information Security Tech. Report
The role of abduction in declarative authorization policies
PADL'08 Proceedings of the 10th international conference on Practical aspects of declarative languages
A modal deconstruction of access control logics
FOSSACS'08/ETAPS'08 Proceedings of the Theory and practice of software, 11th international conference on Foundations of software science and computational structures
Policies, models, and languages for access control
DNIS'05 Proceedings of the 4th international conference on Databases in Networked Information Systems
A logic for state-modifying authorization policies
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Effective trust management through a hybrid logical and relational approach
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Rumpole: a flexible break-glass access control model
Proceedings of the 16th ACM symposium on Access control models and technologies
Rewrite specifications of access control policies in distributed environments
STM'10 Proceedings of the 6th international conference on Security and trust management
Relaxed safeness in Datalog-based policies
RuleML'11 Proceedings of the 5th international conference on Rule-based modeling and computing on the semantic web
Datalog for security, privacy and trust
Datalog'10 Proceedings of the First international conference on Datalog Reloaded
Abstract privacy policy framework: addressing privacy problems in SOA
iNetSec'11 Proceedings of the 2011 IFIP WG 11.4 international conference on Open Problems in Network Security
On the verification of security-aware E-services
Journal of Symbolic Computation
PlexC: a policy language for exposure control
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Logical approaches to authorization policies
Logic Programs, Norms and Action
New modalities for access control logics: permission, control and ratification
STM'11 Proceedings of the 7th international conference on Security and Trust Management
HiPoLDS: a security policy language for distributed systems
WISTP'12 Proceedings of the 6th IFIP WG 11.2 international conference on Information Security Theory and Practice: security, privacy and trust in computing systems and ambient intelligent ecosystems
Comprehensive two-level analysis of role-based delegation and revocation policies with UML and OCL
Information and Software Technology
TBA: a hybrid of logic and extensional access control systems
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
Understanding specification languages through their model theory
Proceedings of the 17th Monterey conference on Large-Scale Complex IT Systems: development, operation and management
Nephele: Scalable Access Control for Federated File Services
Journal of Grid Computing
DKAL*: constructing executable specifications of authorization protocols
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Policy administration in tag-based authorization
FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security
Belief semantics of authorization logic
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Policy-driven role-based access management for ad-hoc collaboration
Journal of Computer Security
| Hi-index | 0.00 |
We present a declarative authorization language. Policies and credentials are expressed using predicates defined by logical clauses, in the style of constraint logic programming. Access requests are mapped to logical authorization queries, consisting of predicates and constraints combined by conjunctions, disjunctions, and negations. Access is granted if the query succeeds against the current database of clauses. Predicates ascribe rights to particular principals, with flexible support for delegation and revocation. At the discretion of the delegator, delegated rights can be further delegated, either to a fixed depth, or arbitrarily deeply. Our language strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to Datalog with Constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.