Authorization Constraints Specification and Enforcement

Constraints are an important aspect of role-based access control (RBAC) and its different extensions. They are often regarded as one of the principal motivations behind these access control models. There are two important issues relating to constraints: their specification and their enforcement. However, the existing approaches cannot comprehensively support both of them. On the other hand, the early research effort mainly concentrates on separation of duty. In this paper, we introduce two novel authorization constraint specification schemes named prohibition constraint scheme and obligation constraint scheme respectively. Both of them can be used for both expressing and enforcing authorization constraints. These schemes are strongly bound to authorization entity set functions and relation functions that could be mapped to the functions that need to be developed in application systems, so they can provide the system developers a clear view about which functions should be developed in an authorization constraint system. Based on these functions, various constraint schemes can be easily defined. The security administrators can use these functions to create constraint schemes for their day-to-day operations. A constraint system could be scalable through defining new entity set functions and entity relation functions. This approach goes beyond the well known separation of duty constraints, and considers many aspects of entity relation constraints.