A formal modeling and analysis approach for access control rules, policies, and their combinations

Regular Contribution. International Journal of Information Security.

Abstract

Approaches to access control (AC) policy languages, such as the eXtensible Access Control Markup Language (XACML), do not provide a formal representation for specifying rule- and policy-combining algorithms or for verifying properties of AC policies. Some authors propose formal representations for these combining algorithms. However, the proposed models are not expressive enough to formally represent history-based classes of these algorithms, such as ordered-permit-overrides. In addition, some other authors propose a formal representation but do not present automated support for formal verification of properties of AC policies that use these algorithms. This paper demonstrates a new representation that can express all existing AC rule and policy combinations of which the authors are aware. This representation can also be used to automate the formal verification of properties of AC policies related to these algorithms. A new modeling representation for rule- and policy-combining algorithms based on state machines is used to specify rule- and policy-combining algorithms. Examples of these algorithms are programmed in the language of the SPIN model checker, and the programs are then used to support the automated formal verification of properties of AC policies. We present our approach and then use the AC policies and properties of CONTINUE, a conference management system, to compare it with prior work. Our first contribution is a new modeling representation for combining algorithms based on state machines. The second contribution is the formal verification of AC properties under certain combining algorithms that are beyond the capability of other approaches.



Notes

  1. The early access control models used the term subject for an active process, whereas some recent descriptions of access control models, such as RBAC, distinguish an operation from a subject [15], where a subject refers to a process possibly invoking several operations.

  2. http://www.cs.brown.edu/research/plt/software/margrave/versions/01-01/examples/continue/.

  3. http://spinroot.com/spin/success.html.

  4. http://www.cs.brown.edu/research/plt/software/margrave/versions/01-01/examples/continue/.

References

  1. Anderson, A.: A comparison of two privacy policy languages: EPAL and XACML. In: Proceedings of the 3rd ACM Workshop On Secure Web Services, pp. 53–60 (2006)

  2. Arkoudas, K.: Athena, http://proofcentral.org/athena/ (2004)

  3. Arkoudas, K., Chadha, R., Chiang, J.: Sophisticated access control via SMT and logical frameworks. ACM Trans. Inf. Syst. Secur. 16(4), 17 (2014)

  4. Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL 1.2). W3C Member Submission (2003)

  5. Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge (2008)

  6. Basin, D., Clavel, M., Doser, J., Egea, M.: Automated analysis of security-design models. Inf. Softw. Technol. 51(5), 815–831 (2009)

  7. Becker, M., Fournet, C., Gordon, A.: Design and semantics of a decentralized authorization language. In: Proceedings of the IEEE Computer Security Foundations Symposium (CSF), pp. 3–15 (2007)

  8. Ben-Ari, M.: Principles of the Spin Model Checker. Springer, Berlin (2008)

  9. Beimel, D., Peleg, M.: Using OWL and SWRL to represent and reason with situation-based access control policies. Data Knowl. Eng. 70(6), 596–615 (2011)

  10. Bray, H.: Payroll Website Still Not Secured. The Boston Globe, March 1 (2005)

  11. Bruns, G., Huth, M.: Access control via Belnap logic: intuitive, expressive, and analyzable policy composition. ACM Trans. Inf. Syst. Secur. 14(1), 9 (2011)

  12. Bryans, J.: Reasoning about XACML policies using CSP. In: Proceedings of the Workshop on Secure Web Services, pp. 28–35 (2005)

  13. Constantin, L.: Twitter flaw gave third-party apps unauthorized access to private messages, researcher says. InfoWorld (2013)

  14. Emerson, E.: The beginning of model checking: a personal perspective. In: Proceedings of the 25 Years of Model Checking, pp. 27–45 (2008)

  15. Ferraiolo, D., Kuhn, D., Chandramouli, R.: Role-Based Access Control, 2nd edn. Artech House, London (2007)

  16. Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)

  17. Ferraiolo, D., Kuhn, D.: Role-based access control. In: Proceedings of the National Computer Security Conference, pp. 554–563 (1992)

  18. Fisler, K., Krishnamurthi, S., Meyerovich, L., Tschantz, M.: Verification and change-impact analysis of access-control policies. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 196–205 (2005)

  19. Fisler, K., Krishnamurthi, S., Dougherty, D.: Embracing policy engineering. In: Proceedings of the Workshop on Future of Software Engineering Research (FoSER), pp. 109–110 (2010)

  20. Geerts, G., McCarthy, W.: Policy-level specifications in REA enterprise information systems. J. Inf. Syst. 20(2), 37–63 (2006)

  21. Halpern, J., Weissman, V.: Using first-order logic to reason about policies. ACM Trans. Inf. Syst. Secur. 11(4), 1–41 (2008)

  22. Holzmann, G.: Parallelizing the Spin model checker. In: Proceedings of the International SPIN Workshop, pp. 155–171 (2012)

  23. Holzmann, G.: The SPIN Model Checker: Primer and Reference Manual. Addison-Wesley, Reading (2004)

  24. Holzmann, G.: The model checker SPIN. IEEE Trans. Softw. Eng. 23(5), 279–295 (1997)

  25. Holzmann, G., Joshi, R., Groce, A.: Swarm verification techniques. IEEE Trans. Softw. Eng. 37(6), 845–857 (2011)

  26. Hruby, P. with contributions by Kiehn, J., Scheller, C.: Model-Driven Design Using Business Patterns. Springer, Berlin (2006)

  27. Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. STTT 10(6), 503–520 (2008)

  28. Jackson, D.: Software Abstractions: Logic, Language, and Analysis, Rev edn. MIT Press, Cambridge (2011)

  29. Jha, S., Li, N., Tripunitara, M., Wang, Q., Winsborough, W.: Towards formal verification of role-based access control policies. IEEE Trans. Dependable Sec. Comput. 5(4), 242–255 (2008)

  30. Jürjens, J., Schreck, J., Yu, Y.: Automated analysis of permission-based security using UMLsec. In: Proceedings of the International Conference Fundamental Approaches to Software Engineering (FASE), pp. 292–295 (2008)

  31. Kagal, L., Berners-Lee, T., Connolly, D., Weitzner, D.: Using semantic Web technologies for policy management on the Web. In: Proceedings of the Association for the Advancement of Artificial Intelligence (AAAI) Conference, pp. 1337–1344 (2006)

  32. Kagal, L., Finin, T., Joshi, A.: A policy language for a pervasive computing environment. In: Proceedings of Policy, pp. 63–74 (2003)

  33. Karimi, V.: A Uniform Formal Approach to Business and Access Control Models, Policies and Their Combinations. Ph.D. thesis, University of Waterloo (2012)

  34. Karimi, V., Alencar, P., Cowan, D.: A uniform approach for access control and business models with explicit rule realization. Int. J. Inf. Secur. (2015). doi:10.1007/s10207-015-0275-z

  35. Kern, A., Walhorn, C.: Rule support for role-based access control. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 130–138 (2005)

  36. Kolovski, V., Hendler, J., Parsia, B.: Analyzing Web access control policies. In: Proceedings of the International Conference on World Wide Web (WWW), pp. 677–686 (2007)

  37. Krishnamurthi, S.: The CONTINUE server (or, how I administered PADL 2002 and 2003). In: Proceedings of the International Symposium Practical Aspects of Declarative Languages (PADL), pp. 2–16 (2003)

  38. Li, N., Wang, Q., Qardaji, W., Bertino, E., Rao, P., Lobo, J., Lin, D.: Access control policy combining: theory meets practice. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 135–144 (2009)

  39. Mankai, M., Logrippo, L.: Access control policies: modeling and validation. In: Proceedings of the NOTERE Conference, pp. 85–91 (2005)

  40. Martin, J., Odell, J.: Object-Oriented Methods: A Foundation, UML edn. Prentice Hall, Englewood Cliffs (1998)

  41. Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and implementation of the XACML access control mechanism. In: Proceedings of the International Symposium of Engineering Secure Software and Systems (ESSoS), pp. 60–74 (2012)

  42. Motschnig-Pitrik, R., Kaasbøll, J.: Part-whole relationship categories and their application in object-oriented analysis. IEEE Trans. Knowl. Data Eng. 11(5), 779–797 (1999)

  43. Motschnig-Pitrik, R., Storey, V.: Modelling of set membership: the notion and the issues. Data Knowl. Eng. 16(2), 147–185 (1995)

  44. Moura, L., Bjørner, N.: Satisfiability modulo theories: introduction and applications. Commun. ACM 54(9), 69–77 (2011)

  45. Mouratidis, H., Giorgini, P., Manson, G.: When security meets software engineering: a case of modelling secure information systems. Inf. Syst. 30(8), 609–629 (2005)

  46. Nelson, T., Barratt, C., Dougherty, D., Fisler, K., Krishnamurthi, S.: The Margrave tool for firewall analysis. In: Proceedings of the Large Installation System Administration Conference (LISA), pp. 1–18 (2010)

  47. Ni, Q., Bertino, E.: xfACL: an extensible functional language for access control. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 61–72 (2011)

  48. Ruys, T.: SPIN tutorial: How to become a SPIN doctor. In: Proceedings of the International SPIN Workshop, pp. 6–13 (2002)

  49. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-based access control model. IEEE Comput. 29(2), 38–47 (1996)

  50. Schaad, A., Lotz, V., Sohr, K.: A model-checking approach to analysing organisational controls in a loan origination process. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 139–149 (2006)

  51. Schaad, A., Moffett, J.: A lightweight approach to specification and analysis of role-based access control extensions. In: Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 13–22 (2002)

  52. Shanks, G., Tansley, E., Nuredini, J., Tobin, D.: Representing part–whole relations in conceptual modeling: an empirical evaluation. MIS Q. 32(3), 553–573 (2008)

  53. Toahchoodee, M., Ray, I.: Validation of policy integration using Alloy. In: Proceedings of the International Conference on Distributed Computing and Internet Technology (ICDCIT), pp. 420–431 (2005)

  54. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): International Standard, ISO/IEC 14977. Information technology-Syntactic metalanguage-Extended BNF (1996)

  55. Organization for the Advancement of Structured Information Standards (OASIS), Moses, T. (ed.): eXtensible Access Control Markup Language (XACML), Version 2.0 (2005)

  56. Organization for the Advancement of Structured Information Standards (OASIS): eXtensible Access Control Markup Language (XACML), Rissanen, E. (ed.) Version 3.0 (2013)

  57. Woo, T., Lam, S.: Authorizations in distributed systems: a new approach. J. Comput. Secur. 2(2–3), 107–136 (1993)

  58. Zeller, T.: Not Yet in Business School, and Already Flunking Ethics. The New York Times (2005)

  59. Zhang, N., Ryan, M., Guelev, D.: Evaluating access control policies through model checking. In: Proceedings the International Conference on Information Security (ISC), pp. 446–460 (2005)

Acknowledgments

We would like to thank K. Fisler and her co-authors [18] for making the XACML policies and the related properties of CONTINUE publicly available. We also thank the Natural Sciences and Engineering Research Council of Canada and the Ontario Research Fund for supporting this research.

Author information

Correspondence to Vahid R. Karimi.

Appendices

Appendix 1: The CONTINUE policies

A prose description of twenty-five AC policies for the CONTINUE conference management system follows. The first-applicable combining rule holds within each of these policies. The policies are available in XACML format from the CONTINUE Web site (see footnote 4).

In CONTINUE, a review-set consists of four resources: paper-review, paper-review-info, paper-review-info-reviewer, and paper-review-info-submissionStatus. Similarly, a review-content-set consists of four resources: paper-review-content, paper-review-content-rating, paper-review-content-commentsAll, and paper-review-content-commentsPc.

Convention The dashes within names and the suffix rc (rc stands for resource class) are omitted; therefore, paper-review is used instead of paper-review_rc.

Policy one An administrator has permission to read and write conference resources, and a pc chair possesses permission to read these resources. A pc member at a meeting is permitted to read conference resources; an unidentified subject has no access to these resources.

Policy two An unidentified subject has access to read conference info resources. Any other permission to these resources is based on the same access rules applicable to conference resources.

Policy three A pc member has access to read pc member resources. An administrator possesses permission to write, create, and delete pc member resources. A pc member whose user-id is equal to the user-id of a pc member resource has no permission to perform any action on that resource. Any other individual’s access to these resources follows the same rules for accessing conference resources.

Policy four A pc chair possesses permission to read and write pc member assignment resources, whereas a pc member is allowed to read his/her own assignments (i.e., the pc member’s user-id is equal to the user-id of the pc member assignment resource). An unidentified subject has no access to these resources. Other types of access to these resources follow the same rules for accessing pc member resources.

Policy five A pc chair has read and write access to pc member conflict resources, whereas a pc member is capable of reading his/her conflict resources. An unidentified subject has no access to these resources. In addition, other types of access to pc member conflict resources follow the same rules for accessing pc member resources.

Policy six Access to pc member assignment count resources is according to the rules for accessing pc member resources.

Policy seven A pc chair possesses permission to read and write pc member info resources, whereas a pc member has access to read and write his/her pc member info resources. An unidentified subject has no permission to access these resources. Furthermore, the same permission rules for accessing pc member resources hold for pc member info resources too.

Policy eight A pc member has write access to his/her pc member info password resources, and an administrator has the same permission whenever pc member info password resources are not pending. An unidentified subject does not possess any access to these resources. Additionally, the same permission rules for accessing pc member info resources also hold for accessing pc member info password resources.

Policy nine A pc member has access to read pc member isChairFlag resources, whereas a pc member whose user-id is equal to the user-id of these resources has no access to pc member isChairFlag resources. An unidentified subject has no access to these resources. Furthermore, the same permission rules for accessing pc member info resources also hold to access pc member isChairFlag resources.

Policy ten A pc chair possesses access to delete paper resources. A pc member has permission to read a paper if the paper is designated for a meeting; in addition, a pc member is allowed to create paper resources. Any other access to paper resources is based on the same rules for accessing conference resources.

Policy eleven A pc chair and a pc member are permitted to read paper submission resources, whereas a sub-reviewer is allowed to read only his/her own paper submission resources. In addition, the same permission rules for accessing paper resources are also applicable for accessing paper submission resources.

Note: A pc member, P, designates a sub-reviewer, S, to review P’s papers. S submits reviews for the assigned papers; after submitting these reviews, S has no future access to these reviews. P can access the reviews by S and modify and submit them. This arrangement makes S capable of using the conference management interface to read submitted papers and to write reviews. Otherwise, P has to make copies of submitted papers for S and retrieve S’s reviews without using the conference management interface.

Policy twelve Access to paper submission info resources follows the same criteria as those for accessing paper submission resources.

Policy thirteen The same rules for accessing paper submission resources are also applicable for accessing paper submission file resources.

Policy fourteen A pc chair in a meeting has read and write access to paper decision resources. Other criteria for accessing paper decision resources are based on the same rules as those for accessing paper resources.

Note: In the following policies, the words “conflicted” and “unconflicted” indicate that people in a role may face conflicts of interest, such as when reading and writing reviews.

Policy fifteen A pc chair and an administrator are allowed to read and write paper conflict resources, whereas a pc member who is conflicted is permitted to read paper conflict resources. In addition, a pc member in a meeting has access to read paper conflict resources. An unidentified subject has no access to paper conflict resources. Furthermore, other types of access to paper conflict resources follow the same rules for accessing paper resources.

Policy sixteen A pc chair and an administrator are permitted to read and write paper assignment resources. An unidentified subject who is conflicted possesses no access to paper assignment resources. A pc chair in a meeting is allowed to read a paper assignment resource that is related to the meeting. An unidentified subject who is in the meeting is allowed to read paper assignment resources. An unidentified subject has no access to paper assignment resources. In addition, the same criteria for accessing paper resources are applicable for determining access permission for paper assignment resources.

Policy seventeen An unconflicted pc chair has all types of access to paper-review resources, whereas a pc chair in a meeting for particular paper-review resources is allowed to read only those resources. A pc chair is permitted to create and delete paper-review resources. A conflicted subject has no access to paper-review resources. An unconflicted pc member is permitted to read paper-review resources. All have all types of access to their own paper-review resources. All types of access are permitted to discussion phase paper-review resources. An unidentified subject who is assigned to paper-review resources and has already done his/her task is allowed to have any type of access to the resources, whereas an unidentified one assigned to particular paper-review resources has all types of access to them. An unidentified subject is not allowed to have any access to unassigned paper-review resources. Furthermore, other access rules to paper resources are also applicable to paper-review resources.

Policy eighteen A pc chair has all types of access to paper-review info resources; in addition, other types of access to paper-review info resources are based on the same criteria for accessing paper-review resources.

Fig. 19 The algorithmic form for weak-consensus policy-combining algorithm

Fig. 20 The algorithmic form for weak-majority policy-combining algorithm

Fig. 21 A UML state machine for weak-majority policy-combining algorithm

Policy nineteen A pc member is permitted to write, create, and delete paper-review content resources if a pc member’s user-id is equal to the user-id of the paper-review content resources, whereas a sub-reviewer is allowed to create paper-review content resources only if the sub-reviewer user-id is equal to the user-id of the paper-review content resources. Furthermore, other types of access to paper-review content resources follow the same criteria for accessing paper-review resources.

Policy twenty A pc member has permission to write paper-review info submission status resources if the pc member’s user-id equals the user-id of these resources and the content of these resources is already in place. Other types of access to paper-review info submission status resources are based on the same rules for accessing paper-review info resources.

Policy twenty-one All types of access to paper-review-content-rating resources are based on the same rules as those for accessing paper-review content resources.

Policy twenty-two All types of access to paper-review content comments all resources are based on the same rules as those for accessing paper-review content resources.

Policy twenty-three All types of access to paper review content comments pc resources are based on the same rules as those for accessing paper-review content resources.

Note: CONTINUE currently does not permit comments by pc members who have not written reviews for a paper, and who therefore have not read the paper in as much detail as its reviewers, but who intend to provide comments, which are distinct from reviews, for the authors.

Policy twenty-four All types of access to paper-review-info-reviewer resources are based on the same rules as those for accessing paper-review info resources.

Policy twenty-five A pc chair has read and write access to isMeetingFlag resources, whereas a pc member possesses only read access. In addition, other types of access to isMeetingFlag resources follow the same rules for accessing conference resources.

Appendix 2: Other policy-combining algorithm representation

Figure 19 shows the weak-consensus policy-combining algorithm in the algorithmic form used so far. The weak-majority policy-combining algorithm is presented next.

Weak-majority [38] “A decision (permit or deny) wins if it has more votes than the opposite. Permit (deny, resp.) a request if the number of sub-policies permitting (denying, resp.) the request is greater than the number of sub-policies denying (permitting, resp.).”

Figure 20 shows the weak-majority policy-combining algorithm, and the corresponding state machine is presented in Fig. 21.

As mentioned previously, the algorithmic forms and state machines of the strong-consensus, strong-majority, and super-majority-permit policy-combining algorithms are very similar to those described so far.
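As an added illustration (example code written for this page, not the paper's Promela models), the following Python encodes Policies one and two from Appendix 1 under first-applicable combining, implements the weak-majority algorithm quoted above as a state machine, and checks two AC properties exhaustively over a small constructed request domain, in the spirit of the paper's model checking. The roles, actions, the "at meeting" flag, the tie result of weak-majority, and the misordered variant of Policy two are assumptions of the example.

```python
from enum import Enum
from itertools import product

class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NA = "not-applicable"

# Finite domain for the toy model (constructed for this example): the roles,
# actions and resources that Policies one and two of CONTINUE mention.
ROLES = ("administrator", "pc-chair", "pc-member", "unidentified")
ACTIONS = ("read", "write")
RESOURCES = ("conference", "conference-info")

class Request:
    def __init__(self, role, action, resource, at_meeting=False):
        self.role, self.action = role, action
        self.resource, self.at_meeting = resource, at_meeting

def first_applicable(rules, req):
    """First-applicable combining: the first rule whose condition holds decides;
    if no rule applies, the policy is not applicable."""
    for applies, decision in rules:
        if applies(req):
            return decision
    return Decision.NA

# Policy one (conference resources), rules in the order the appendix lists them.
POLICY_ONE = [
    (lambda r: r.role == "administrator" and r.action in ("read", "write"), Decision.PERMIT),
    (lambda r: r.role == "pc-chair" and r.action == "read", Decision.PERMIT),
    (lambda r: r.role == "pc-member" and r.at_meeting and r.action == "read", Decision.PERMIT),
    (lambda r: r.role == "unidentified", Decision.DENY),
]
# Policy two (conference info resources): one extra rule, then "the same access
# rules applicable to conference resources".
UNIDENTIFIED_READS_INFO = (lambda r: r.role == "unidentified" and r.action == "read", Decision.PERMIT)
POLICY_TWO = [UNIDENTIFIED_READS_INFO] + POLICY_ONE
# The same rules in the wrong order (assumed variant): under first-applicable the
# deny rule of Policy one now shadows the permit, which is why rule order matters.
POLICY_TWO_MISORDERED = POLICY_ONE + [UNIDENTIFIED_READS_INFO]
POLICIES = {"conference": POLICY_ONE, "conference-info": POLICY_TWO}
MISORDERED = {"conference": POLICY_ONE, "conference-info": POLICY_TWO_MISORDERED}

def evaluate(req, policies=POLICIES):
    return first_applicable(policies[req.resource], req)

class WeakMajority:
    """Weak-majority combining as a state machine: the state is the vote count so
    far, each sub-policy decision is a transition, and the final state decides.
    The quoted definition does not say what a tie yields; NA is assumed here."""
    def __init__(self):
        self.permits, self.denies = 0, 0

    def feed(self, decision):
        if decision is Decision.PERMIT:
            self.permits += 1
        elif decision is Decision.DENY:
            self.denies += 1  # NA casts no vote
        return self

    def result(self):
        if self.permits > self.denies:
            return Decision.PERMIT
        if self.denies > self.permits:
            return Decision.DENY
        return Decision.NA

def weak_majority(decisions):
    machine = WeakMajority()
    for d in decisions:
        machine.feed(d)
    return machine.result()

def check(prop, policies=POLICIES):
    """Bounded exhaustive check in the spirit of model checking: evaluate every
    request of the finite domain and return the counterexamples to prop."""
    bad = []
    for combo in product(ROLES, ACTIONS, RESOURCES, (False, True)):
        req = Request(*combo)
        if not prop(req, evaluate(req, policies)):
            bad.append(req)
    return bad

def only_admin_writes(req, dec):
    # Property: nobody but an administrator is ever permitted to write.
    return not (dec is Decision.PERMIT and req.action == "write" and req.role != "administrator")

def unidentified_can_read_info(req, dec):
    # Property: an unidentified subject is permitted to read conference info.
    if req.role == "unidentified" and req.action == "read" and req.resource == "conference-info":
        return dec is Decision.PERMIT
    return True
```

Running `check(unidentified_can_read_info, MISORDERED)` returns the two requests (with and without the meeting flag) for which the misordered policy denies the read, showing how a first-applicable policy silently changes meaning when its rules are reordered.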

Appendix 3 (from [34]): An AC rule format in Extended Backus–Naur Form (EBNF)

As explained in Sect. 3, one can view access control models as providing the basis for access control policies and rules. For instance, based on Fig. 2 and using the terms resources, events, and agents that we have described in Sect. 3, we can define an access control policy that consists of a single rule. The general form for this rule follows:

[figure l: the general form of the ACRule expression]

The first expression defines an access control rule (ACRule) as an agent expression (AgentExp), a resource expression (ResourceExp), an event expression (EventExp), relationships related to agents and events (AgeEveRel), relationships related to resources and events (ResEveRel). The conjunctions of these expressions imply an event result (EventResult). We use Extended Backus–Naur Form (EBNF) to describe a general syntax of AC rules. Table 8 (ISO 14977) [54] shows the EBNF elements and their meanings.

Table 8 Extended BNF (EBNF)

Before describing the format of an AC rule in detail, an AC rule example is provided next. Terms enclosed by square quotation marks identify terminal elements in EBNF, and an EBNF rule termination is represented by a semicolon, as shown in Table 8. Therefore, we can rewrite the ACRule expression, just provided, as follows:

[figure m: the ACRule expression rewritten in EBNF]

The AC rule expressions are divided into six sections based on these six elements: AgentExp, ResourceExp, EventExp, AgeEveRel, ResEveRel, and EventResult. Each element is shown in detail in a following subsection with some prose explanations provided for a few expressions to make them easier to comprehend.

The first section, i.e., AgentExp, also shows the expressions for the general form of AC rules and presents some general expressions, such as class name (ClassName) and attribute name (attrName), that can be used by other sections.

1.1 AgentExp expressions

This section describes expressions that are mainly related to AgentExp, and some general definitions, such as attribute name (attrName), also apply to the other sections.

Figure 22 presents the expressions for this section, identified as “Part I.”

  • The expression starting with equA: equA can be expressions either about agents, or agent types, or agent groups (ATG), which are called agent-related expressions, or about the attributes of agents, or agent types, or agent groups (attrATG).

  • The expression starting with equArep: zero or more agent-related expression(s) is (are) possible using the "and" and "or" connectives. An optional "not" can also precede equArep.

  • The expression starting with attrATG: it identifies an attribute name, and its value in conjunction with an identification of AgeAttIde, which is defined shortly.

  • The expression starting with AgeAttIde: an agent attribute identification can be either an agent designation, the class name of an agent, agent type, or agent group, or can be an agent designation along with the class name of the agent designation.

Fig. 22 AC rule definition in extended BNF, Part I

Fig. 23 AC rule definition in extended BNF, Part II

1.2 ResourceExp expressions

This section presents expressions for ResourceExp that are similar to those of AgentExp, which has just been described, and therefore additional prose descriptions are not provided for this part.

The expressions for ResourceExp are shown in Fig. 23 and are identified as “Part II.”

1.3 EventExp expressions

This section presents the EventExp expressions in Fig. 24. The expressions for EventExp, which are similar to the AgentExp and ResourceExp, are identified as “Part III.”

1.4 AgeEveRel expressions

This section identifies the AgeEveRel expressions, as shown in Fig. 25, that are expressions about different agent and event relationships. The expressions for AgeEveRel are identified as “Part IV” in this figure. This figure can be explained as follows:

  • The expression starting with AgeEveRel: the expression identifies the existence of one or more relationships involving agents and events. An optional negation is possible to indicate such a relationship is not true.

  • The expression starting with AgeERel: the relationships involving agents and events can be between one of the following elements: agent type and event type, agent and event, agent type and agent group, agent type and agent, agent and agent group.

  • The expression starting with AgeERelrep: this expression describes zero or more repetition(s) of relationships involving agents and events, as just described.

1.5 ResEveRel expressions

The ResEveRel expressions are presented in this section. These expressions describe different resource and event relationships and are similar to the AgeEveRel section. Figure 26 provides the expressions for ResEveRel that are identified as “Part V.” These expressions are similar to AgeEveRel; therefore, the prose descriptions are not provided.

1.6 EventResult expressions

This section identifies and explains the EventResult expressions. Figure 27 shows the related EventResult expressions that are identified as “Part VI.” This figure can be described as follows.

  • The expression starting with EventResult: this expression describes the format of an event and its result. One or more events are possible.

  • The expression starting with accETG: this expression describes the result of an event, or event type, or event group along with its class name.

  • The expression starting with accETGrep: accETGrep describes zero or more repetitions of accETG, just described.

  • The expression starting with result: result can be either permit or deny.

  • The expression starting with accessETG: this expression defines the class name of an event type or event along with the word access.

  • The expression starting with ETClassName: ETClassName distinguishes an identifier, previously defined, of an event type.

  • The expression starting with EClassName: this expression describes the class name of an event.

Fig. 24 AC rule definition in extended BNF, Part III

Fig. 25 AC rule definition in extended BNF, Part IV

Fig. 26 AC rule definition in extended BNF, Part V

Fig. 27 AC rule definition in extended BNF, Part VI


Cite this article

Karimi, V.R., Alencar, P.S.C. & Cowan, D.D. A formal modeling and analysis approach for access control rules, policies, and their combinations. Int. J. Inf. Secur. 16, 43–74 (2017). https://doi.org/10.1007/s10207-016-0314-4
