Abstract

Many papers have already provided models to formally specify security policies. In this paper, security policies are modeled using the deontic concepts of permission and obligation. Permission rules are used to specify access control policies, while obligation rules are useful for specifying other security requirements that correspond to usage control policies, such as the availability of information within its allotted time. However, when both permission and obligation concepts are used to express security policies, several different types of conflict can arise and should be detected and managed. This work focuses on managing conflicts between obligations with deadlines and permissions. We first formally define the conflicting situations using the situation calculus. We then provide an algorithm that searches for a plan of actions, when one exists, which fulfills all the active obligations in a given situation within their deadlines while respecting the permission rules. The length of the plan is set in advance and can be calculated when the sets of actions and fluents are finite, which ensures the decidability of the solution search. Furthermore, in the plan search, the choice of the execution time of the selected actions is subject to equations and inequalities that need to be solved. For this purpose, we need a component that can solve these equations and inequalities. To illustrate our approach, we take an example inspired by existing laws in hospitals regulating deadlines for completion of patient medical records. The example is formally specified in our language and implemented in ECRC Common Logic Programming System ECLIPSE 3.5.2, which is equipped with the Simplex algorithm for solving linear equations and inequalities over the reals. In the implementation, we show how the plan search can be optimized through the use of some heuristics, and we report some evaluation tests.
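A simplified illustration of the bounded plan search described above, added here; it is not the paper's algorithm or its ECLiPSe implementation. It assumes a single agent, fixed integer action durations and numeric deadlines in place of situation-calculus fluents and Simplex-solved time constraints, and the action names, durations and deadlines are constructed.

```python
# Constructed toy policy: action -> (duration in hours,
#   fluents that must hold for the action to be permitted, fluents it makes true).
ACTIONS = {
    "update_billing":  (4, frozenset(),                   frozenset({"billed"})),
    "examine_patient": (1, frozenset(),                   frozenset({"examined"})),
    "write_history":   (2, frozenset({"examined"}),       frozenset({"history_done"})),
    "write_discharge": (3, frozenset({"history_done"}),   frozenset({"discharge_done"})),
    "sign_record":     (1, frozenset({"discharge_done"}), frozenset({"signed"})),
}

def find_plan(actions, obligations, max_len, fluents=frozenset(), now=0, plan=()):
    """Depth-first search for at most max_len permitted actions such that every
    obliged action finishes strictly before its deadline (Ob(a < d)).
    Returns [(action, start_time), ...] or None when no such plan exists."""
    done = {name for name, _ in plan}
    pending = {a: d for a, d in obligations.items() if a not in done}
    if not pending:
        return list(plan)                      # all obligations fulfilled in time
    if len(plan) == max_len:
        return None                            # plan length bound reached
    # Time only moves forward: if an obliged action could not finish before its
    # deadline even when started now, this branch is a violation; prune it.
    if any(now + actions[a][0] >= d for a, d in pending.items()):
        return None
    for name, (duration, needs, adds) in actions.items():
        if name in done or not needs <= fluents:
            continue                           # already executed, or not permitted here
        result = find_plan(actions, obligations, max_len,
                           fluents | adds, now + duration, plan + ((name, now),))
        if result is not None:
            return result
    return None

def demo():
    """Three constructed cases: a satisfiable policy, a deadline that conflicts
    with the permission rules, and a plan length bound that is too small."""
    ok = find_plan(ACTIONS, {"write_history": 4, "sign_record": 8}, max_len=4)
    # write_history is only permitted after the 1 h examination and takes 2 h,
    # so it can never finish strictly before hour 3: obligation/permission conflict.
    conflict = find_plan(ACTIONS, {"write_history": 3, "sign_record": 8}, max_len=4)
    too_short = find_plan(ACTIONS, {"write_history": 4, "sign_record": 8}, max_len=3)
    return ok, conflict, too_short

if __name__ == "__main__":
    for label, result in zip(("plan", "conflict", "bound too small"), demo()):
        print(label, "->", result)
```

The search tries `update_billing` first and backtracks, because spending four hours on it makes the `write_history` deadline unreachable.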

Highlights

  • A security policy is often defined as permission, prohibition, obligation, and exemption rules

  • When the security policy includes user obligation, these obligations should be associated with deadlines

  • The situation calculus is extended with fluents Perm(α) and Ob(α < d), where α is an action of A and d is a fluent of F


Summary

Introduction

A security policy is often defined as permission, prohibition, obligation, and exemption rules. Benferhat et al. [7] present an approach based on possibilistic logic to deal with conflicts in prioritized security policies. There is another type of conflict which is not managed yet, namely, the conflict between obligations with deadlines. Any latency in writing a patient record could affect the information availability time for each patient, which negatively impacts the quality of provided care. This has led some hospitals to specify sanctions when these deadlines are not respected; see for example the Ontario regulations [11]. We describe the impact of availability of medical information in expected time on the quality of patient care, and we give an example of obligations with deadlines concerning completion of medical records. We give some examples of rules concerning the deadline assigned to doctors to complete certain elements of patients' records.

Rules regarding the completion of patient’s medical record
The language The language consists of the following ontology:
Actual norm derivation and violation detection
Formal specification of the case study’s security policy
Conclusions