International Journal on Digital Libraries, Volume 4, Issue 3, pp 156–170

Reasoning with advanced policy rules and its application to access control

  • Claudio Bettini
  • Sushil Jajodia
  • X. Sean Wang
  • Duminda Wijesekera
Regular contribution


This paper presents a formal framework to represent and manage advanced policy rules, which incorporate the notions of provision and obligation. Provisions are those conditions that need to be satisfied or actions that must be performed by a user or an agent before a decision is rendered, while obligations are those conditions or actions that must be fulfilled by either the user or agent or by the system itself within a certain period of time after the decision. This paper proposes a specific formalism to express provisions and obligations within a policy and investigates a reasoning mechanism within this framework. A policy decision may be supported by more than one rule-based derivation, each associated with a potentially different set of provisions and obligations (called a global PO set). The reasoning mechanism can derive all the global PO sets for each specific policy decision and facilitates the selection of the best one based on numerical weights assigned to provisions and obligations as well as on semantic relationships among them. The formal results presented in the paper hold for many applications requiring the specification of policies, but this paper illustrates the use of the proposed policy framework in the security domain only.


Policies, Access control, Policy rule evaluation, Provisions, Obligations



Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  • Claudio Bettini (1)
  • Sushil Jajodia (2)
  • X. Sean Wang (3)
  • Duminda Wijesekera (2)

  1. DICo, Università di Milano, Milan, Italy
  2. Center for Secure Information Systems, George Mason University, Fairfax, USA
  3. Department of Computer Science, University of Vermont, Burlington, USA
