Practical user obligation systems that affect and depend on authorizations

Date

2011

Authors

De Barros Costa Rego Amazonas Pontual, Murillo

Abstract

Many authorization systems include some notion of obligations. However, most prior work concentrates on policy specification and the enforcement of system obligations. Little attention has been given to user obligations that can depend on and affect authorizations. A user obligation is an action that a user must perform within some stipulated time window. As automated tools seek to provide increasing support for managing personnel and projects, there is an increasing need for individual tasks to be assigned and coordinated with authorization, and for automated techniques that support this. Thus, the management of user obligations that depend on and affect authorizations is a significant issue in the field of computer security. In this context, a user may incur an obligation that she is unauthorized to perform.

Prior work has introduced a property of the authorization system state that ensures users will be authorized to fulfill their obligations at the appropriate times. We call this property accountability because users who fail to perform authorized obligations are accountable for their non-performance. Roughly stated, a system state is accountable when each pending obligation in the current state is authorized no matter when the other obligations are performed within their associated time windows.

Thus, the accountability property can be viewed as an invariant that the system attempts to maintain. This invariant ensures that if users are diligent, they will be authorized to fulfill their obligations. To this end, it may be necessary to prevent discretionary (non-obligatory) actions from being performed if they would violate the accountability property. We achieve this by augmenting the reference monitor to deny such actions. Prior work is inconclusive and purely theoretical with regard to the feasibility of maintaining accountability in practice. In addition, there are several technical challenges in designing such systems that the prior work overlooked.

In this dissertation, we develop a collection of techniques and tools to address these issues. First, we study the scalability of our abstract obligation model. To this end, we present an instantiation of the abstract obligation model that uses simplified versions of Role-based Access Control (RBAC) and Administrative Role-based Access Control (ARBAC) (i.e., mini-RBAC and mini-ARBAC) as its authorization system. Based on our empirical evaluations, we believe that our obligation model is efficient enough for practical use. Furthermore, to show the flexibility of our abstract model, we instantiate it with a simplified version of the HRU Access Control Matrix Model. We also compare the performance of these two instantiations experimentally.
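As an added example, not code from the dissertation, the following Python sketch makes the accountability property and the augmented reference monitor from the preceding paragraphs concrete over a mini-RBAC/mini-ARBAC state like the instantiation described above. The roles, permissions, can_assign/can_revoke tables, users and obligations are all constructed here, and the brute-force enumeration of feasible schedules is a toy decision procedure for small pending sets, not the dissertation's algorithm.

```python
"""Toy accountability check for user obligations over a mini-RBAC / mini-ARBAC state.

Added example, not the dissertation's code. A user obligation is an action a user
must perform inside a time window [start, end]. A state is accountable when every
pending obligation is authorized no matter when the other obligations are performed
within their own windows (diligent users). The augmented reference monitor denies a
discretionary action whose resulting state would no longer be accountable.
"""
from dataclasses import dataclass, replace
from itertools import combinations, permutations
from typing import Optional


@dataclass(frozen=True)
class Action:
    user: str          # who performs the action
    kind: str          # "assign" / "revoke" (mini-ARBAC) or "use" (exercise a permission)
    target: str        # role for assign/revoke, permission for use
    subject: str = ""  # user whose role set changes (assign/revoke only)


@dataclass(frozen=True)
class Obligation(Action):
    oid: str = ""
    start: int = 0     # inclusive time window [start, end]
    end: int = 0


@dataclass(frozen=True)
class State:
    ua: dict           # user -> frozenset of roles           (mini-RBAC)
    pa: dict           # role -> frozenset of permissions
    can_assign: dict   # admin role -> frozenset of roles it may assign (mini-ARBAC)
    can_revoke: dict   # admin role -> frozenset of roles it may revoke


def permissions(state: State, user: str) -> frozenset:
    return frozenset().union(*(state.pa.get(r, frozenset()) for r in state.ua.get(user, frozenset())))


def authorized(state: State, act: Action) -> bool:
    """Is `act` authorized in `state` under the mini-RBAC / mini-ARBAC rules?"""
    if act.kind == "use":
        return act.target in permissions(state, act.user)
    table = state.can_assign if act.kind == "assign" else state.can_revoke
    return any(act.target in table.get(r, frozenset()) for r in state.ua.get(act.user, frozenset()))


def apply(state: State, act: Action) -> State:
    """State after performing `act` (only assign/revoke change the user-role assignment)."""
    if act.kind == "use":
        return state
    ua = dict(state.ua)
    roles = set(ua.get(act.subject, frozenset()))
    (roles.add if act.kind == "assign" else roles.discard)(act.target)
    ua[act.subject] = frozenset(roles)
    return replace(state, ua=ua)


def feasible(order, t: int) -> bool:
    """Can the obligations in `order` be performed in that order, each in its window, by time t?"""
    clock = 0
    for o in order:
        clock = max(clock, o.start)
        if clock > o.end or clock > t:
            return False
    return True


def find_violation(state: State, obligations) -> Optional[tuple]:
    """Return (oid, time, schedule) witnessing an unauthorized obligation, or None if accountable.

    For each obligation and each time t in its window, enumerate every feasible schedule of
    the other obligations that could have been performed by t (those whose window has already
    closed must be included) and check the obligation is still authorized. Exponential, so
    only suitable for small pending sets; the dissertation's decision procedures are not this.
    """
    for ob in obligations:
        others = [o for o in obligations if o.oid != ob.oid]
        for t in range(ob.start, ob.end + 1):
            candidates = [o for o in others if o.start <= t]
            must = {o.oid for o in candidates if o.end < t}   # diligent users have done these
            for k in range(len(candidates) + 1):
                for chosen in combinations(candidates, k):
                    if not must <= {o.oid for o in chosen}:
                        continue
                    for order in permutations(chosen):
                        if not feasible(order, t):
                            continue
                        s = state
                        for o in order:
                            s = apply(s, o)
                        if not authorized(s, ob):
                            return (ob.oid, t, [o.oid for o in order])
    return None


def is_accountable(state: State, obligations) -> bool:
    return find_violation(state, obligations) is None


def guarded_perform(state: State, obligations, act: Action):
    """Augmented reference monitor: permit a discretionary action only if it is authorized
    and leaves the pending obligations accountable. Returns (allowed, resulting_state)."""
    if not authorized(state, act):
        return False, state
    new_state = apply(state, act)
    if not is_accountable(new_state, obligations):
        return False, state          # would break a pending obligation's authorization
    return True, new_state


def build_example():
    """Constructed scenario (hypothetical users, roles and permissions)."""
    state = State(
        ua={"alice": frozenset({"manager"}), "bob": frozenset({"developer"})},
        pa={"developer": frozenset({"commit"}), "manager": frozenset({"approve"})},
        can_assign={"manager": frozenset({"developer", "reviewer"})},
        can_revoke={"manager": frozenset({"developer"})},
    )
    # Accountable: bob must commit in [2,4]; alice revokes his role only in [5,6].
    pending_ok = [
        Obligation("bob", "use", "commit", oid="o1", start=2, end=4),
        Obligation("alice", "revoke", "developer", "bob", oid="o2", start=5, end=6),
    ]
    # Not accountable: the revocation window [1,3] can precede bob's commit.
    pending_bad = [
        pending_ok[0],
        Obligation("alice", "revoke", "developer", "bob", oid="o2", start=1, end=3),
    ]
    return state, pending_ok, pending_bad


if __name__ == "__main__":
    state, ok, bad = build_example()
    print("ok set accountable:", is_accountable(state, ok))
    print("bad set witness:", find_violation(state, bad))
    # Discretionary revoke now would leave o1 unauthorized, so the monitor denies it.
    print("revoke now allowed:", guarded_perform(state, ok, Action("alice", "revoke", "developer", "bob"))[0])
    print("assign reviewer allowed:", guarded_perform(state, ok, Action("alice", "assign", "reviewer", "carol"))[0])
```

The witness returned for the bad set is the obligation, the time at which it is checked and the schedule of other obligations that strips its authorization; in the monitor, the same check runs on the hypothetical post-action state, so a revocation that is itself authorized is still denied when it would make a pending obligation unfulfillable.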

Second, we improve the usability of our obligation system by providing techniques that help users overcome authorization denials caused by accountability violations. For this, we develop an approach based on an AI planning tool that offers the user an alternative plan of actions to achieve her goal. Our empirical results indicate that the tool can handle moderately sized problem instances.

Third, we present techniques that give administrators ways to overcome accountability violations. This is particularly useful when obligations are violated, users are reassigned to different divisions, or new projects or business functions are added.

Finally, we enrich our obligation model to support different kinds of obligations that occur in practice (viz., repetitive and cascading obligations). When one obligation incurs another obligation, we call this phenomenon the "cascading" of obligations. Repetitive obligations are obligations that recur after some predefined period. We provide techniques to decide the accountability property efficiently in their presence. Our experimental results show that accountability can be decided efficiently in the presence of restricted versions of these kinds of obligations.

Keywords

Access Control, Accountability, Obligations, Policy, Security

Department

Computer Science