On the management of user obligations

Authors:
Murillo Pontual;Omar Chowdhury;William H. Winsborough;Ting Yu;Keith Irwin
Affiliations:
The University of Texas at San Antonio, San Antonio, TX, USA;The University of Texas at San Antonio, San Antonio, TX, USA;The University of Texas at San Antonio, San Antonio, TX, USA;North Carolina State University, Raleigh, NC, USA;Winston-Salem State University, Winston-Salem, NC, USA
Venue:
Proceedings of the 16th ACM symposium on Access control models and technologies
Year:
2011

Citing 17
Cited 4

The ARBAC97 model for role-based administration of roles

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Ensuring integrity by adding obligations to privileges

ICSE '85 Proceedings of the 8th international conference on Software engineering
Program slicing

ICSE '81 Proceedings of the 5th international conference on Software engineering
The UCONABC usage control model

ACM Transactions on Information and System Security (TISSEC)
Obligation Policies: An Enforcement Platform

POLICY '05 Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks
Policy Analysis for Administrative Role Based Access Control

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
On the modeling and analysis of obligations

Proceedings of the 13th ACM conference on Computer and communications security
On Parametric Obligation Policies: Enabling Privacy-Aware Information Lifecycle Management in Enterprises

POLICY '07 Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks
Privacy-aware role based access control

Proceedings of the 12th ACM symposium on Access control models and technologies
A general obligation model and continuity: enhanced policy enforcement engine for usage control

Proceedings of the 13th ACM symposium on Access control models and technologies
An obligation model bridging access control policies and privacy policies

Proceedings of the 13th ACM symposium on Access control models and technologies
Toward practical authorization-dependent user obligation systems

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Failure Feedback for User Obligation Systems

SOCIALCOM '10 Proceedings of the 2010 IEEE Second International Conference on Social Computing
A data sharing agreement framework

ICISS'06 Proceedings of the Second international conference on Information Systems Security
Obligation language and framework to enable privacy-aware SOA

DPM'09/SETOP'09 Proceedings of the 4th international workshop, and Second international conference on Data Privacy Management and Autonomous Spontaneous Security
Obligations and their interaction with programs

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
A policy language for distributed usage control

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security

Formal enforcement and management of obligation policies

Data & Knowledge Engineering
Ensuring authorization privileges for cascading user obligations

Proceedings of the 17th ACM symposium on Access Control Models and Technologies
The specification and compilation of obligation policies for program monitoring

Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security
Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule

Proceedings of the 18th ACM symposium on Access control models and technologies

Quantified Score

Hi-index	0.01

Visualization

Abstract

This paper is part of a project investigating authorization systems that assign obligations to users. We are particularly interested in obligations that require authorization to be performed and that, when performed, may modify the authorization state. In this context, a user may incur an obligation she is unauthorized to perform. Prior work has introduced a property of the authorization system state that ensures users will be authorized to fulfill their obligations. We call this property accountability because users that fail to perform authorized obligations are accountable for their non-performance. While a reference monitor can mitigate violations of accountability, it cannot prevent them entirely. This paper presents techniques to be used by obligation system managers to restore accountability. We introduce several notions of dependence among pending obligations that must be considered in this process. We also introduce a novel notion we call obligation pool slicing, owing to its similarity to program slicing. An obligation pool slice identifies a set of obligations that the administrator may need to consider when applying strategies proposed here for restoring accountability. The paper also presents the system architecture of an authorization system that incorporates obligations that can require and affect authorizations.