The Research In Role-Based Constraint With Spatial Characteristics

Securing access to data in location-based services and mobile applications pose interesting security requirements against spatially aware access control systems.In particular,the permissions assigned to users depend on their physical positions in a reference space.However,traditional access control model does not specify these spatial requirements.To deal with the requirements listed above,an access control model with spatial capabilities is needed.Since in location-aware applications users are often grouped in distinct categories,RBAC models represent a reasonable choice.Under spayial environment,the permissions assigned to users depend on their position in a reference space;users often belong to well defined categories;objects to which permissions must be granted are located in that space;access control policies must grant permissions based on object locations and user positions.It is necessary to study RBAC further.In this paper,we extend the existing RBAC model and propose the Spatial-RBAC model that utilizes spatial and location-based information in security policy definitions.Based on PostgreSQL,we extend the existing RBAC model and propose the Spatial-RBAC model that utilizes spatial and location-based information in security policy definitions,in order to strengthen the capability of safety expression for RBAC with spatial characters,optimize the theory of secure DBMS and afford the theory to build the stricter system for bank,bond and military.Our contributions in this paper are as follows.(1) According to the analysis of the location feature of a spatial object,combining the necessity of spatial constraints and the non-conflict condition of spatial constraints with the satisfiability of spatial constraints sets and relevance between the different classes of constraints,the constraints with spatial characters are divided into three different classes:the constraints on spatial region,spatial separation of duty constraint and constraints on cardinality of spatial role activation.We also formalize all the constraints with spatial characters.(2) There are often multiple Mutually Exclusive Spatial Roles(MESR) constraints that can enforce the same Spatial Separation of Duty policy(SSoD). Although the different MESR constraints can enforce the same effect on the same session,we have found that the different MESR constraints are varying greatly in the enforcement efficiency.The more precise the MESR sets are defined for enforcing an SSoD policy,the less overhead the system is suffered.In this paper,we argue that enforcement of SSoD policies is realized by specifying minimal MESR constraints. By comparing the different MESR constraints which can enforce the same SSoD,we conclude the minimal MESR constraints can avoid redundant restrictiveness effectively and enforce the SSoD policy precisely.We also present an algorithm that generates all minimal MESR constraints that are precise for enforcing one SSoD policy.(3) According to conflict set of users,conflict set of roles and conflict set of permissions,constraints base are constructed.(4) When a session is established in a spatial region by users,the related constraints concern on this session will be triggered and control the session process during its life automatically.On-When-Then-Else authorization rules(or enhanced ECA rules) are used for enforcing RBAC with spatial characteristics.We show the mapping between the basic elements in RBAC with spatial characteristics and the OWTE rule specification.We establish OWTE rules as an enforcement mechanism for the realization of role-based constraint with spatial characteristics at different granularities.(5) We have proposed a system schema that performs database access control base on spatial role according to the spatial DBMS PostgreSQL.The schema embedded the access control function into an access agent program of the server to control user's access to database resource with a high degree of granularity.The system consists of the privilege management subsystem and the access agent subsystem,which improves the security of PostgreSQL.