On the relationship between permission and obligation
ICAIL '87 Proceedings of the 1st international conference on Artificial intelligence and law
The ARBAC97 model for role-based administration of roles
ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Ensuring integrity by adding obligations to privileges
ICSE '85 Proceedings of the 8th international conference on Software engineering
Proposed NIST standard for role-based access control
ACM Transactions on Information and System Security (TISSEC)
The Ponder Policy Specification Language
POLICY '01 Proceedings of the International Workshop on Policies for Distributed Systems and Networks
POLICY '03 Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks
Provisions and Obligations in Policy Rule Management
Journal of Network and Systems Management
Obligation Policies: An Enforcement Platform
POLICY '05 Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks
Privacy and Contextual Integrity: Framework and Applications
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Privacy APIs: Access Control Techniques to Analyze and Verify Legal Privacy Policies
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
Policy Analysis for Administrative Role Based Access Control
CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
On the modeling and analysis of obligations
Proceedings of the 13th ACM conference on Computer and communications security
Privacy-aware role based access control
Proceedings of the 12th ACM symposium on Access control models and technologies
Efficient policy analysis for administrative role based access control
Proceedings of the 14th ACM conference on Computer and communications security
An obligation model bridging access control policies and privacy policies
Proceedings of the 13th ACM symposium on Access control models and technologies
IJCAI'83 Proceedings of the Eighth international joint conference on Artificial intelligence - Volume 1
Toward practical authorization-dependent user obligation systems
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
On the management of user obligations
Proceedings of the 16th ACM symposium on Access control models and technologies
Formal enforcement and management of obligation policies
Data & Knowledge Engineering
On practical specification and enforcement of obligations
Proceedings of the second ACM conference on Data and Application Security and Privacy
Obligation language and framework to enable privacy-aware SOA
DPM'09/SETOP'09 Proceedings of the 4th international workshop, and Second international conference on Data Privacy Management and Autonomous Spontaneous Security
Obligations and their interaction with programs
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Beyond accountability: using obligations to reduce risk exposure and deter insider attacks
Proceedings of the 18th ACM symposium on Access control models and technologies
Proceedings of the 18th ACM symposium on Access control models and technologies
Hi-index | 0.00 |
User obligations are actions that the human users are required to perform in some future time. These are common in many practical access control and privacy and can depend on and affect the authorization state. Consequently, a user can incur an obligation that she is not authorized to perform which may hamper the usability of a system. To mitigate this problem, previous work introduced a property of the authorization state, accountability, which requires that all the obligatory actions to be authorized when they are attempted. Although, existing work provides a specific and tractable decision procedure for a variation of the accountability property, it makes a simplified assumption that no cascading obligations may happen, i.e., obligatory actions cannot further incur obligations. This is a strong assumption which reduces the expressive power of past models, and thus cannot support many obligation scenarios in practical security and privacy policies. In this work, we precisely specify the strong accountability property in the presence of cascading obligations and prove that deciding it is NP-hard. We provide for several special yet practical cases of cascading obligations (i.e., repetitive, finite cascading, etc.) a tractable decision procedure for accountability. Our experimental results illustrate that supporting such special cases is feasible in practice.