A Temporal Access Control Mechanism for Database Systems

Citation
E. Bertino et al., A Temporal Access Control Mechanism for Database Systems, IEEE Transactions on Knowledge and Data Engineering, 8(1), 1996, pp. 67-80
Citations number
13
Subject categories
Information Science & Library Science; Computer Science, Special Topics; Engineering, Electrical & Electronic; Computer Science, Artificial Intelligence
ISSN journal
10414347
Volume
8
Issue
1
Year of publication
1996
Pages
67 - 80
Database
ISI
SICI code
1041-4347(1996)8:1<67:ATAMFD>2.0.ZU;2-I
Abstract
This paper presents a discretionary access control model in which authorizations contain temporal intervals of validity. An authorization is automatically revoked when the associated temporal interval expires. The proposed model provides rules for the automatic derivation of new authorizations from those explicitly specified. Both positive and negative authorizations are supported. A formal definition of these concepts is presented in the paper, together with the semantic interpretation of authorizations and derivation rules as clauses of a general logic program. Issues deriving from the presence of negative authorizations are discussed. We also allow negation in rules: it is possible to derive new authorizations on the basis of the absence of other authorizations. The presence of this type of rule may lead to the generation of different sets of authorizations, depending on the evaluation order. An approach is presented, based on establishing an ordering among authorizations and derivation rules, which guarantees a unique set of valid authorizations. Moreover, we give an algorithm that detects whether such an ordering can be established for a given set of authorizations and rules. Administrative operations for adding, removing, or modifying authorizations and derivation rules are presented, and efficiency issues related to these operations are also tackled in the paper. A materialization approach is proposed that allows access control to be performed efficiently.
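The following Python example is added here to make the abstract's ideas concrete; it is not code from the paper and does not use the paper's rule syntax. It assumes closed integer time intervals, a rule form "derive head at instant t if every positive body literal holds at t and every negated one does not", a stratification test (no dependency cycle through a negated literal) as the ordering that guarantees a unique result, per-instant materialization of the valid authorization set, and a denial-takes-precedence policy for the final access decision. The subjects, objects, intervals and rules are constructed sample data.

```python
"""Toy temporal authorization store: interval-bounded positive and negative
authorizations, derivation rules with negation, a stratification check and
per-instant materialization. Constructed example, not the paper's own model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Auth = Tuple[str, str, str, str]          # (subject, object, privilege, sign "+"/"-")


@dataclass(frozen=True)
class TemporalAuth:
    auth: Auth
    start: int                            # valid over the closed interval [start, end]
    end: int

    def valid_at(self, t: int) -> bool:
        return self.start <= t <= self.end


@dataclass(frozen=True)
class Rule:
    head: Auth                            # authorization the rule derives
    body: Tuple[Tuple[bool, Auth], ...]   # (positive?, auth) literals; False = negated
    start: int                            # the rule applies at instants in [start, end]
    end: int

    def valid_at(self, t: int) -> bool:
        return self.start <= t <= self.end


def is_stratified(rules: List[Rule]) -> bool:
    """True iff no dependency cycle among rules passes through a negated literal.
    Rule r depends on rule s when a body literal of r matches s's head; the
    dependency is negative when that literal is negated. A negative edge r->s
    lies on a cycle exactly when s can reach r again."""
    deps = {r: [(pos, s) for pos, a in r.body for s in rules if s.head == a] for r in rules}

    def reaches(src: Rule, dst: Rule) -> bool:
        seen, stack = set(), [src]
        while stack:
            r = stack.pop()
            if r == dst:
                return True
            if r not in seen:
                seen.add(r)
                stack.extend(s for _, s in deps[r])
        return False

    return not any(not pos and reaches(s, r) for r in rules for pos, s in deps[r])


def strata(rules: List[Rule]) -> List[List[Rule]]:
    """Assign each rule a stratum no lower than any rule it depends on positively
    and strictly above any rule it depends on negatively; evaluating strata in
    order yields the unique set of derived authorizations."""
    if not is_stratified(rules):
        raise ValueError("rules not stratified: result would depend on evaluation order")
    level: Dict[Rule, int] = {r: 0 for r in rules}
    changed = True
    while changed:                        # terminates because there is no negative cycle
        changed = False
        for r in rules:
            for pos, a in r.body:
                for s in rules:
                    if s.head == a and level[s] + (0 if pos else 1) > level[r]:
                        level[r] = level[s] + (0 if pos else 1)
                        changed = True
    top = max(level.values(), default=-1)
    return [[r for r in rules if level[r] == k] for k in range(top + 1)]


def materialize(explicit: List[TemporalAuth], rules: List[Rule],
                horizon: int) -> Dict[int, FrozenSet[Auth]]:
    """For every instant 0..horizon compute the valid authorizations: explicit
    ones in force at t plus those derived, stratum by stratum, to a fixpoint."""
    layers, result = strata(rules), {}
    for t in range(horizon + 1):
        facts: Set[Auth] = {ta.auth for ta in explicit if ta.valid_at(t)}
        for layer in layers:
            changed = True
            while changed:
                changed = False
                for r in layer:
                    if r.valid_at(t) and r.head not in facts and \
                            all((a in facts) == pos for pos, a in r.body):
                        facts.add(r.head)
                        changed = True
        result[t] = frozenset(facts)
    return result


def access_allowed(mat: Dict[int, FrozenSet[Auth]], subject: str, obj: str,
                   priv: str, t: int) -> bool:
    """Grant iff a positive authorization holds at t and no negative one does
    (denial takes precedence: a policy choice made for this example)."""
    facts = mat.get(t, frozenset())
    return (subject, obj, priv, "+") in facts and (subject, obj, priv, "-") not in facts


# Constructed sample policy
ALICE_R, ALICE_D = ("alice", "budget", "read", "+"), ("alice", "budget", "read", "-")
BOB_R, BOB_D = ("bob", "budget", "read", "+"), ("bob", "budget", "read", "-")
EXPLICIT = [TemporalAuth(ALICE_R, 1, 10),   # alice may read during [1,10] ...
            TemporalAuth(ALICE_D, 6, 7)]    # ... but is denied during [6,7]
RULES = [Rule(BOB_D, ((True, ALICE_D),), 0, 20),                  # bob denied while alice is
         Rule(BOB_R, ((True, ALICE_R), (False, BOB_D)), 0, 20)]   # bob reads unless denied
UNSTRATIFIED = [Rule(BOB_R, ((False, ALICE_R),), 0, 20),          # each derived from the
                Rule(ALICE_R, ((False, BOB_R),), 0, 20)]          # absence of the other


def demo() -> Dict[int, bool]:
    mat = materialize(EXPLICIT, RULES, 12)
    return {t: access_allowed(mat, "bob", "budget", "read", t) for t in (0, 3, 6, 8, 11)}
```

Running `demo()` shows Bob's derived read right appearing only while Alice's explicit grant is in force and disappearing during the interval in which her negative authorization derives his denial; `is_stratified(UNSTRATIFIED)` returns False for the pair of rules that each depend on the absence of the other, which is the situation where the abstract notes that evaluation order would otherwise decide the outcome.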