A Framework to Enforce Access Control, Usage Control and Obligations

In this paper, we define a core language to express access control, usage control and obligation policies and we specify a policy controller in charge of evaluating such policies. This policy language can be used to specify security requirements of many applications such as DRM (Digital Right Management), P2P or Web Service applications. It is used to express both contextual permissions and obligations. In our formalism, a permission is associated with two conditions: The “start condition” that must be true just when the access request is evaluated (access control) and the “ongoing condition” that must be always satisfied while the access is in progress (usage control). Moreover, we introduce the concept of cancellation ac­ tions to authorize users to cancel access in progress. Obligations are mandatory access that users must perform. An obligation is associated with two conditions as well: The “raise condition” to trigger the obligation and the “deadline condition” to determine when the obligation is violated. Moreover, we introduce the concept of non-persistent obligation where the raise condition must be true until the corre­ sponding request is received or the deadline expires, otherwise the corresponding access is no longer mandatory.