A Policy Model and Framework for Context-Aware Access Control to Information Resources
This addresses the need for adaptable and secure access control in domains like healthcare, though it appears incremental as an extension of existing role-based models.
The paper tackles the problem of flexible access control in dynamic ICT environments by introducing a policy framework for context-aware access control that extends role-based models with dynamic user-role and role-permission associations, and evaluation results demonstrate feasibility and quantify performance overhead.
In today's dynamic ICT environments, the ability to control users' access to resources becomes ever important. On the one hand, it should adapt to the users' changing needs; on the other hand, it should not be compromised. Therefore, it is essential to have a flexible access control model, incorporating dynamically changing context information. Towards this end, this paper introduces a policy framework for context-aware access control (CAAC) applications that extends the role-based access control model with both dynamic associations of user-role and role-permission capabilities. We first present a formal model of CAAC policies for our framework. Using this model, we then introduce an ontology-based approach and a software prototype for modelling and enforcing CAAC policies. In addition, we evaluate our policy ontology model and framework by considering (i) the completeness of the ontology concepts, specifying different context-aware user-role and role-permission assignment policies from the healthcare scenarios; (ii) the correctness and consistency of the ontology semantics, assessing the core and domain-specific ontologies through the healthcare case study; and (iii) the performance of the framework by means of response time. The evaluation results demonstrate the feasibility of our framework and quantify the performance overhead of achieving context-aware access control to information resources.