The ABC Core Model for Usage Control: Integrating Authorizations, oBligations, and Conditions
Author
Abstract
In this paper, we introduce the family of ABC (Authorizations, oBligations, and Conditions) models for usage control (UCON). We call these core models because they address the essence of usage control, leaving administration, delegation and other important but second-order issues for later work. The term usage control is a generalization of access control to cover obligations, conditions, continuity (ongoing controls) and mutability. Traditionally, access control has dealt only with authorization decisions on users’ access to target resources. Obligations are requirements that have to be fulfilled by obligation subjects for allowing access. Conditions are subject- and object-independent environmental requirements that have to be satisfied for access. In today’s highly dynamic, distributed environment, obligations and conditions are also crucial decision factors for richer and finer controls on usage of digital resources. Although they have been discussed occasionally in recent literature, most authors have been motivated by specific target problems and thereby limited in their approaches. The ABC model integrates these diverse concepts in a unified framework. Traditional authorization decisions are generally made at the time of requests but hardly recognize ongoing controls for relatively long-lived access or for immediate revocation. Moreover, mutability issues, which deal with updates to related subject or object attributes as a consequence of access, have not been systematically studied. Unlike other studies that have targeted specific problems or issues, the ABC model seeks to enrich and refine the access control discipline in its definition and scope. The ABC model covers traditional access controls such as mandatory, discretionary and role-based access control. Digital rights management and other modern access controls are also covered within the model.
We believe our ABC core model for UCON lays the foundation for next generation access controls that are required for today’s real world information and systems security. This paper articulates the core of this new area of UCON and develops several detailed models.
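The abstract describes the ABC components abstractly; the following Python simulation is an added example (not code from the paper or its authors) that puts them into one decision loop: pre-decisions (preA, preB, preC) before usage starts, ongoing re-evaluation (onA, onB, onC) on every tick with revocation when a check fails, and attribute mutability as pre-, on- and post-updates. The policy (a pay-per-use document, credit charged per tick, a terms-acceptance obligation, a business-hours condition), the subject "alice", the object "report.pdf" and all attribute names are constructed for illustration.

```python
"""Toy UCON (usage control) engine showing Authorizations, oBligations,
Conditions, continuity and mutability. Added illustration; the policy,
subject, object and attribute names below are constructed, not from the paper."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple

Attrs = Dict[str, Any]
Predicate2 = Callable[[Attrs, Attrs], bool]   # over (subject attrs, object attrs)
Update = Callable[[Attrs, Attrs], None]        # mutates subject/object attrs


@dataclass
class Subject:
    name: str
    attrs: Attrs = field(default_factory=dict)


@dataclass
class Obj:
    name: str
    attrs: Attrs = field(default_factory=dict)


@dataclass
class Policy:
    pre_auth: Predicate2            # A: checked before usage starts
    on_auth: Predicate2             # A: re-checked while usage continues
    pre_obligations: Set[str]       # B: actions the subject must have performed
    on_obligations: Set[str]        # B: actions the subject must keep performing
    condition: Callable[[Attrs], bool]  # C: environment only, independent of s/o
    pre_update: Update              # mutability: before usage
    on_update: Update               # mutability: during usage (each tick)
    post_update: Update             # mutability: after usage ends or is revoked


class UsageSession:
    """One usage of an object by a subject with pre and ongoing enforcement."""

    def __init__(self, policy: Policy, subject: Subject, obj: Obj) -> None:
        self.policy, self.subject, self.obj = policy, subject, obj
        self.active = False
        self.log: List[Tuple[str, str]] = []

    def try_start(self, fulfilled: Set[str], env: Attrs) -> bool:
        """Pre-decision: preA, preB and preC must all hold, then pre-update runs."""
        s, o, p = self.subject.attrs, self.obj.attrs, self.policy
        for name, ok in (("preA", p.pre_auth(s, o)),
                         ("preB", p.pre_obligations <= fulfilled),
                         ("preC", p.condition(env))):
            if not ok:
                self.log.append(("deny", name))
                return False
        p.pre_update(s, o)
        self.active = True
        self.log.append(("permit", "pre"))
        return True

    def tick(self, fulfilled: Set[str], env: Attrs) -> bool:
        """Ongoing decision (continuity): re-check onA, onB, onC; revoke on failure."""
        if not self.active:
            return False
        s, o, p = self.subject.attrs, self.obj.attrs, self.policy
        for name, ok in (("onA", p.on_auth(s, o)),
                         ("onB", p.on_obligations <= fulfilled),
                         ("onC", p.condition(env))):
            if not ok:
                self._stop(("revoke", name))
                return False
        p.on_update(s, o)
        self.log.append(("continue", "on"))
        return True

    def end(self) -> None:
        if self.active:
            self._stop(("end", "post"))

    def _stop(self, entry: Tuple[str, str]) -> None:
        self.active = False
        self.policy.post_update(self.subject.attrs, self.obj.attrs)  # post-update
        self.log.append(entry)


# Constructed policy: pay-per-use viewing, charged once up front and again per tick.
def charge_price(s: Attrs, o: Attrs) -> None: s["credit"] -= o["price"]
def charge_rate(s: Attrs, o: Attrs) -> None: s["credit"] -= o["rate"]
def count_view(s: Attrs, o: Attrs) -> None: o["views"] += 1


def make_policy() -> Policy:
    return Policy(
        pre_auth=lambda s, o: s["role"] == "member" and s["credit"] >= o["price"],
        on_auth=lambda s, o: s["credit"] >= o["rate"],      # enough credit for one more tick
        pre_obligations={"accept_terms"},
        on_obligations={"keep_banner_visible"},
        condition=lambda env: 8 <= env["hour"] < 20 and env["threat_level"] != "high",
        pre_update=charge_price, on_update=charge_rate, post_update=count_view)


def run_demo() -> dict:
    alice = Subject("alice", {"role": "member", "credit": 10})
    doc = Obj("report.pdf", {"price": 4, "rate": 2, "views": 0})
    session = UsageSession(make_policy(), alice, doc)
    env = {"hour": 10, "threat_level": "low"}
    session.try_start(set(), env)                  # denied: pre-obligation not fulfilled
    session.try_start({"accept_terms"}, env)       # permitted; credit 10 -> 6
    while session.tick({"keep_banner_visible"}, env):  # charged per tick until revoked
        pass
    return {"active": session.active, "credit": alice.attrs["credit"],
            "views": doc.attrs["views"], "log": session.log}


if __name__ == "__main__":
    for entry in run_demo()["log"]:
        print(entry)
```

The run shows the three decision points the abstract distinguishes: the first request is denied at preB, the second is permitted and pre-update charges the price, the ongoing loop continues while onA still holds and revokes the usage as soon as the credit attribute (mutated by on-update) drops below the per-tick rate, after which post-update increments the object's view count.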
Related papers
The Research of Access Control Based on UCON in the Internet of Things
In this paper, we introduce the internet of things and related architecture and protocols, and the family of usage control (UCON) models, which integrate authorizations (A), obligations (B), and conditions (C). The UCON is a generalization of access control to cover authorizations, obligations, conditions, continuity (ongoing controls), and mutability. In the internet of things’ highly dynamic,...
Logical Model and Specification of Usage Control
The recent usage control model (UCON) is a foundation for next generation access control models with distinguishing properties of decision continuity and attribute mutability. A usage control decision is determined by combining authorizations, obligations, and conditions, presented as UCONABC core models by Park and Sandhu. Based on these core aspects, we develop a first-order logic specificatio...
eGovernment service security policy: obligation conflict resolution in XACMLv3
Today, many governments tend to propose e-services to their citizens. However, implementing an eGovernment environment shall face up to several security challenges including integrating security requirements coming from multiple stakeholders. In this article, we analyze the conflicts that can occur between eGovernment security requirements. Since these security requirements can contain both aut...
The PEI + UCON Framework for Application Security
There is no security without application context. Only application context can make clear the tradeoffs between security, performance, usability and cost, and further the tradeoffs between conflicting security objectives such as confidentiality, integrity and availability. To capture application security policy we need a more sophisticated model than traditional access control provides. To this...
Usage Control, Risk and Trust
In this paper we describe our general framework for usage control (UCON) enforcement on GRID systems. It allows both GRID services level enforcement of UCON as well as fine-grained one at the level of local GRID node resources. In addition, next to the classical checks for usage control: checks of conditions, authorizations, and obligations, the framework also includes trust and risk management...