Access Control and Obligations in the Category-Based Metamodel: A Rewrite-Based Semantics

  • Sandra Alves
  • Anatoli Degtyarev
  • Maribel Fernández
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8981)


We define an extension of the category-based access control (CBAC) metamodel to accommodate a general notion of obligation. Since most of the well-known access control models are instances of the CBAC metamodel, we obtain a framework for studying the interaction between authorisation and obligation in which properties proven of the metamodel hold for all of its instances. In particular, the extended CBAC metamodel allows security administrators to check whether a policy combining authorisations and obligations is consistent.
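As an added illustration (not code from the paper), the following Python sketch encodes the core of the CBAC metamodel in the rewrite-based style the abstract refers to, and layers obligations on top of it. The names pca, arca and par follow the CBAC literature; the encoding of obligations as category-level (category, action, resource) triples, the sample hospital policy, and the notion of consistency checked here (every obligated action must also be authorised for each principal that inherits the obligation) are this example's simplifying assumptions, not the paper's definitions.

```python
# Added illustration of the CBAC metamodel with obligations; not the paper's code.
# Assumed modelling (pca/arca/par follow the CBAC literature; the obligation
# encoding and the consistency notion are this example's simplifications):
#   pca(P)        -> set of categories principal P is assigned to
#   arca(C)       -> set of (action, resource) permissions assigned to category C
#   par(P, A, R)  -> grant if (A, R) in arca(C) for some C in pca(P), else deny
#   obligations   : (category, action, resource) triples, read as "every principal
#                   in category must perform action on resource"
#   consistent    : every obligated (P, A, R) also rewrites to par(P, A, R) = grant
from dataclasses import dataclass, field

Perm = tuple[str, str]              # (action, resource)
Obligation = tuple[str, str, str]   # (category, action, resource)


@dataclass
class Policy:
    pca: dict[str, set[str]] = field(default_factory=dict)
    arca: dict[str, set[Perm]] = field(default_factory=dict)
    obligations: set[Obligation] = field(default_factory=set)

    def categories_of(self, principal: str) -> set[str]:
        """Normal form of pca(P): the categories P is assigned to."""
        return self.pca.get(principal, set())

    def perms_of(self, category: str) -> set[Perm]:
        """Normal form of arca(C): the permissions assigned to C."""
        return self.arca.get(category, set())

    def trace(self, principal: str, action: str, resource: str) -> list[str]:
        """The rewrite steps that reduce par(P, A, R) to its normal form grant/deny."""
        steps = [f"par({principal}, {action}, {resource})"]
        cats = self.categories_of(principal)
        steps.append(f"pca({principal}) -> {sorted(cats)}")
        for c in sorted(cats):
            steps.append(f"arca({c}) -> {sorted(self.perms_of(c))}")
            if (action, resource) in self.perms_of(c):
                steps.append("grant")
                return steps
        steps.append("deny")          # closed world: no category carries (A, R)
        return steps

    def par(self, principal: str, action: str, resource: str) -> str:
        """Authorisation decision, derived (never stored) from pca and arca."""
        return self.trace(principal, action, resource)[-1]

    def obligations_of(self, principal: str) -> set[Perm]:
        """Obligations P inherits through the categories it belongs to."""
        cats = self.categories_of(principal)
        return {(a, r) for (c, a, r) in self.obligations if c in cats}

    def inconsistencies(self) -> list[tuple[str, str, str]]:
        """Obligations that can never be discharged because par denies the action."""
        found = []
        for p in sorted(self.pca):
            for (a, r) in sorted(self.obligations_of(p)):
                if self.par(p, a, r) == "deny":
                    found.append((p, a, r))
        return found

    def is_consistent(self) -> bool:
        return not self.inconsistencies()


def sample_policy() -> Policy:
    """Constructed hospital-style policy (illustrative data, not from the paper)."""
    return Policy(
        pca={"alice": {"doctor"}, "bob": {"nurse"}, "carol": {"auditor"}},
        arca={
            "doctor": {("read", "record"), ("write", "record")},
            "nurse": {("read", "record")},
            "auditor": {("read", "log")},
        },
        obligations={
            ("doctor", "write", "log"),    # doctors must log every record access
            ("nurse", "read", "record"),   # nurses must review assigned records
        },
    )


if __name__ == "__main__":
    pol = sample_policy()
    print(*pol.trace("alice", "read", "record"), sep="\n  ")
    # alice is obliged to write the log but no doctor category grants it
    print("unfulfillable obligations:", pol.inconsistencies())
```

In the sample, the obligation on the doctor category requires (write, log), which no category assigned to alice grants, so the check reports the policy as inconsistent. The administrator then has two options: extend arca(doctor) with (write, log), or revise the obligation; the check does not choose for them, since silently widening permissions would undermine least privilege.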


Keywords: Security policies, Access control, Obligations, Rewriting



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Sandra Alves, Department of Computer Science, University of Porto, Porto, Portugal
  • Anatoli Degtyarev, Department of Informatics, King’s College London, London, UK
  • Maribel Fernández (corresponding author), Department of Informatics, King’s College London, London, UK
