Abstract
We are witnessing an exponential growth in the use of mobile computing devices such as laptops, PDAs and mobile phones to access critical data while on the move. The need to safeguard against unauthorized access to data in a mobile world is a pressing requirement. Access to critical data depends on the user's identity as well as on environmental parameters such as time and location. While temporal access control models are well suited to enforcing access control decisions for stationary users, they lose their effectiveness when users of mobile computing devices are not fixed in space and move from a secure locale to an insecure one, or vice versa. Location as a context parameter for access control has been addressed by a number of researchers, but a definition of rich spatial constraints that effectively captures the semantics and relationships of physical and virtual (e.g. membership of an IP group) locales is still missing. Including multiple constraints (temporal and spatial) in an access control policy exposes the need to compose a policy that is verifiable for consistency and structural integrity. Further, the access control policy is expected to evolve over time, and the inclusion of new constraints, permissions or user rights may conflict with existing ones. In this regard, we draw upon techniques developed for software engineering and use them for policy specification modeling and conflict resolution. The first contribution of this paper is the development of the Generalized Spatio-Temporal Role Based Access Control (GST-RBAC) model, by proposing a formal framework for the composition of complex spatial constraints exploiting the topological relationships between physical and virtual locales. Spatial constraints are defined for spatial role enabling, spatial user-role assignment, spatial role-permission assignment and spatial activation of roles.
The notion of spatial separation of duty is also developed, whereby a user is not permitted to activate two roles simultaneously if the roles are being activated from specific locales. Another feature of the proposed GST-RBAC is the spatial role hierarchy, which allows inheritance of permissions between roles contingent upon the roles being activated from predefined locales. The second contribution of this paper is a GST-RBAC policy specification framework using the lightweight formal modeling language Alloy, and analysis of the access control policy model using its accompanying constraint analyzer. In addition, for consistent evolution of the access control policy, the policy administrator can specify additional policy fragments in the policy model and verify the consistency of the overall policy, ensuring conflict-free composition of the actual policy.
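The spatial constraints, spatial separation of duty and spatial role hierarchy described above, as an added Python illustration that is not the paper's model or its Alloy specification; the locales, roles and policy are constructed samples, and the containment tree is an assumption standing in for the paper's topological relationships.

```python
from dataclasses import dataclass

# Assumed locale containment tree (child -> parent): physical locales inside
# "hospital", plus "vpn", a virtual locale (hospital IP-group membership) placed on "campus".
LOCALE_PARENT = {"ward1": "hospital", "hospital": "campus", "vpn": "campus"}

def contained_in(locale, region):
    """Topological containment: locale equals region or lies inside it."""
    while locale is not None:
        if locale == region:
            return True
        locale = LOCALE_PARENT.get(locale)
    return False

@dataclass
class Policy:
    enabling: dict      # role -> regions where the role is enabled at all
    activation: dict    # role -> regions from which it may be activated
    spatial_sod: list   # (role_a, role_b, region): never both active inside region
    spatial_hier: list  # (junior, senior, region): junior inherits senior only inside region
    perms: dict         # role -> set of permissions

def can_activate(policy, locale, active, role):
    """Spatial role enabling, spatial activation and spatial SoD for one request."""
    if not any(contained_in(locale, r) for r in policy.enabling.get(role, ())):
        return False
    if not any(contained_in(locale, r) for r in policy.activation.get(role, ())):
        return False
    for a, b, region in policy.spatial_sod:
        other = {a: b, b: a}.get(role)
        if other in active and contained_in(locale, region):
            return False
    return True

def effective_perms(policy, locale, active):
    """Permissions of the active roles plus locale-contingent inherited ones."""
    granted = set().union(*(policy.perms.get(r, set()) for r in active))
    for junior, senior, region in policy.spatial_hier:
        if junior in active and contained_in(locale, region):
            granted |= policy.perms.get(senior, set())
    return granted

# Constructed sample policy for a hospital campus.
POLICY = Policy(
    enabling={"nurse": ["campus"], "doctor": ["campus"], "auditor": ["campus"]},
    activation={"nurse": ["hospital"], "doctor": ["hospital", "vpn"], "auditor": ["campus"]},
    spatial_sod=[("doctor", "auditor", "hospital")],
    spatial_hier=[("doctor", "nurse", "ward1")],
    perms={"nurse": {"read_chart"}, "doctor": {"prescribe"}, "auditor": {"read_audit_log"}},
)
```

With this policy a doctor may activate from the VPN but a nurse may not, doctor and auditor cannot be co-active inside the hospital, and a doctor inherits nurse permissions only while in ward1.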