Flexible access control policy specification with constraint logic programming

Abstract

We show how a range of role-based access control (RBAC) models may be usefully represented as constraint logic programs, executable logical specifications. The RBAC models that we define extend the "standard" RBAC models that are described by Sandhu et al., and enable security administrators to define a range of access policies that may include features, like denials of access and temporal authorizations, that are often useful in practice, but which are not widely supported in existing access control models. Representing access policies as constraint logic programs makes it possible to support certain policy options, constraint checks, and administrator queries that cannot be represented by using related methods (like logic programs). Representing an access control policy as a constraint logic program also enables access requests and constraint checks to be efficiently evaluated.