Authrule: A Generic Rule-Based Authorization Module

  • Sönke Busch
  • Björn Muschall
  • Günther Pernul
  • Torsten Priebe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4127)


As part of the access control process an authorization decision needs to be taken based on a certain authorization model. Depending on the environment different models are applicable (e.g., RBAC in organizations, MAC in the military field). An authorization model contains all necessary elements needed for the decision (e.g., subjects, objects, and roles) as well as their relations. As these elements are usually inherent in the software architecture of an access control module, such modules limit themselves to the use of a certain specific authorization model. A later change of the model consequently results in a substantial effort for revising the software architecture of the given module. Rule-based systems are well suited to represent authorization models by mapping them to facts and rules, which can be modified in a flexible manner. In this paper we present a generic authorization module, which can take authorization decisions on the basis of arbitrary models utilizing rule-based technology. The implementation of the popular RBAC and ABAC (attribute-based access control) models is demonstrated.


Access Control Access Control Model Authorization Model Role Base Access Control Authorization Decision 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Adam, N.R., Atluri, V., Bertino, E., Ferrari, E.: A Content-based Authorization Model for Digital Libraries. IEEE Transactions on Knowledge and Data Engineering 14(2) (March/April 2002)Google Scholar
  2. 2.
    Bertino, E., Catania, B., Ferrari, E., Perlasca, P.: A Logical Framework for Reasoning about Access Control Models. ACM Transactions on Information and System Security 6(1), 71–127 (2003)CrossRefGoogle Scholar
  3. 3.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D., Chandramouli, R.: Proposed NIST Standard for Role-based Access Control. ACM Transactions on Information and Systems Security 4(3) (August 2001)Google Scholar
  4. 4.
    Ferrari, E., Adam, N.R., Atluri, V., Bertino, E., Capuozzo, U.: An Authorization System for Digital Libraries. VLDB Journal 11(1) (2002)Google Scholar
  5. 5.
    Enterprise JavaBeans 3.0. Java Specification Request 220 Proposed Final Draft,
  6. 6.
    Kagal, L., Finin, T.W., Joshi, A.: A Policy Based Approach to Security for the Semantic Web. In: Fensel, D., Sycara, K.P., Mylopoulos, J. (eds.) ISWC 2003. LNCS, vol. 2870, pp. 402–418. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    OASIS eXtensible Access Control Markup Language v2.0 (XACML),
  8. 8.
    Park, J., Sandhu, R.: The UCONABC Usage Control Model. ACM Transactions on Information Systems Security 7(1), 128–174 (2004)CrossRefGoogle Scholar
  9. 9.
    Priebe, T., Fernandez, E.B., Mehlau, J.I., Pernul, G.: A Pattern System for Access Control. In: Proc. 18th Annual IFIP WG 11.3 Working Conference on Data and Application Security, Sitges, Spain (July 2004)Google Scholar
  10. 10.
    Priebe, T., Dobmeier, W., Muschall, B., Pernul, G.: ABAC - Ein Referenzmodell für attributbasierte Zugriffskontrolle. In: Proc. 2. Jahrestagung Fachbereich Sicherheit der Gesellschaft für Informatik (Sicherheit 2005), Regensburg, Germany (April 2005)Google Scholar
  11. 11.
    Uszok, A., et al.: KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction and Enforcement. In: Proc. 4th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2003), Comersee, Italy (June 2003)Google Scholar
  12. 12.
    Dridi, F., Fischer, M., Pernul, G.: CSAP – An Adaptable Security Module for the E-government System Webocrat. In: Proc. of the 18th IFIP International Information Security Conference (SEC 2003), Athens, Greece (May 2003)Google Scholar
  13. 13.
    Osborn, S., Sandhu, R., Munawar, Q.: Configuring Role-based Access Control to enforce Mandatory and Discretionary Access Control Policies. ACM Transactions on Information and System Security (TISSEC) 3, 85–106 (2000)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Sönke Busch
    • 1
  • Björn Muschall
    • 2
  • Günther Pernul
    • 2
  • Torsten Priebe
    • 3
  1. 1.Booz Allen Hamilton GmbHDüsseldorfGermany
  2. 2.Department of Information SystemsUniversity of RegensburgRegensburgGermany
  3. 3.Capgemini Consulting Österreich AGViennaAustria

Personalised recommendations