Location-based Metadata and Negotiation Protocols for LBAC in a One-to-Many Scenario

Location-based Access Control (LBAC) techniques allow the definition of users’ access rights based on location predicates that exploit the users’ physical location. However, evaluating the physical location of a user is a specialized activity that is unlikely to be performed by the same entity (e.g., organization or system) in charge of the access control decision. For this reason, location evaluation is usually assumed to be provided by specific Location Services (LSs) possibly coexisting in a same area and competing one with the others. In this paper, we address the issues related to the communication and negotiation between an Access Control Engine (ACE) enforcing access rules that include location-based predicates and multiple, functionally equivalent, LSs. We introduce metadata for the exchange of service level agreement attributes between the ACE and the LSs. Based on such metadata we develop different negotiation protocols, from a basic negotiation protocol that shows the core aspects of our proposal to an enhanced protocol that enriches the interaction by taking into account a cost/benefit analysis and some service requirements. Finally, we present an extension to the enhanced protocol to consider possible time validity constraints on access control decisions.