
CHAPTER 23 Policies, Access Control, and Formal Methods 581

access control. In context-based access control, in addition to permissions, information concerning the context is taken into account by the access control system in order to make decisions. The first such extension deals with temporal contextual information, whereas the second extension deals with location information. Another important extension, which we also survey here, has been proposed to support fine-grained access to PII.

T-RBAC. T-RBAC [18] constrains the use of permissions assigned to roles to specific temporal periods. Therefore, even though a user has the permission to use a role, and thus to use all the permissions assigned to this role, the user may only use the role in specified temporal intervals, which can also be periodic (e.g., "every Tuesday from 10 A.M. to 5 P.M."). T-RBAC thus extends RBAC with the association of temporal (possibly periodic) intervals with roles. In T-RBAC, roles can be in two mutually exclusive states: active

organizations, for example, require that sensitive information only be accessed on the organization premises and possibly in secure locations. As such, access to certain data is allowed to authorized users, provided however that these users are in specific locations when accessing the data. GEO-RBAC directly addresses such a requirement. It is based on the notion of a spatial role, that is, a geographically bounded organizational function. The boundary of a role is defined as a geographical feature, such as a road, a city or a hospital, and specifies the spatial extent in which the user has to be located in order to use the role. Besides a physical position obtained from a given mobile terminal such as a GPS-based vehicle tracking device or a cellular phone, users are also assigned a logical and device-independent position, representing the feature in which the user is located.
Logical positions can be computed from real positions by using specific mapping functions
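
The temporal and spatial constraints described above, combined into one access decision. This is an added example, not code from the book: the names (`Feature`, `Role`, `logical_positions`, `check_access`), the bounding-box features, the coordinates and the exclusive interval end are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Feature:                      # geographical feature, simplified to a lat/lon box
    name: str
    south: float
    west: float
    north: float
    east: float

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset
    periods: tuple                  # T-RBAC: (weekday, start, end), weekday 0 = Monday
    boundary: str                   # GEO-RBAC: name of the feature bounding the role

# Constructed sample data: the features, coordinates and role are illustrative only.
FEATURES = (
    Feature("city", 45.40, 9.10, 45.55, 9.30),
    Feature("hospital", 45.460, 9.180, 45.465, 9.190),
)
NURSE = Role("nurse", frozenset({"read_chart"}),
             ((1, time(10, 0), time(17, 0)),), "hospital")   # every Tuesday 10:00-17:00

def logical_positions(lat, lon, features=FEATURES):
    """Mapping function: real (device) position -> names of the features containing it."""
    return {f.name for f in features
            if f.south <= lat <= f.north and f.west <= lon <= f.east}

def in_period(role, when):
    """True if `when` falls inside one of the role's periodic intervals (end exclusive)."""
    return any(when.weekday() == day and start <= when.time() < end
               for day, start, end in role.periods)

def check_access(user_roles, role, permission, when, position):
    """Grant only if the role is assigned, in period, in bounds and holds the permission."""
    if role.name not in user_roles or permission not in role.permissions:
        return False
    if position is None:            # no position fix available: fail closed
        return False
    return in_period(role, when) and role.boundary in logical_positions(*position)
```

A user standing elsewhere in the city, or inside the hospital on a Wednesday, is denied even though the role assignment itself is unchanged.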