Failure Feedback for User Obligation Systems

Date

2010-06

Authors

Pontual, Murillo
Irwin, Keith
Chowdhury, Omar
Winsborough, William H.
Yu, Ting

Journal Title

Journal ISSN

Volume Title

Publisher

UTSA Department of Computer Science

Abstract

In recent years, several researchers have proposed techniques for providing users with assistance in understanding and overcoming authorization denials. The incorporation of environmental factors into authorization decisions has made this particularly important and challenging. An environmental factor that has not previously been considered in this effort to provide such assistance to users arises in systems where obligations can depend on and affect authorizations. In these systems, it is desirable to ensure that users will have the authorizations they require to fulfill their obligations, and prior work has proposed denying requests to perform non-obligatory actions that would cause this property to become violated, whether the violation is a direct result of the requested action or due to obligations that would be incurred as a result of it. Because of privacy concerns, as well as the intricate interactions between actions and pending obligations, the current work focuses on helping users find means of overcoming their denials, rather than focusing on explanation of the cause for denial. We show that in general this problem is PSPACE-hard. We then develop an approach based on an AI-planning tool and evaluate its effectiveness empirically. We find that this tool can often be quite helpful in medium sized problem instances, particularly when the number of steps that must be taken to enable the desired action is relatively small.

Description

Keywords

security, theory, obligations, RBAC, policy, authorization systems, accountability

Citation

Department

Computer Science