A Policy Model and Framework for Context-Aware Access Control to Information Resources

In today’s dynamic ICT environments, the ability to control users’ access to information resources and services becomes ever important. On the one hand, it should adapt to the users’ changing needs; on the other hand, it should not be compromised. Therefore, it is essential to have a flexible specification of access control polices, incorporating dynamically changing context information. The basic role-based access control (RBAC) approach has been the most widely used access control approach and it typically evaluates access permissions through roles assigned to users who are requesting access to resources. However, it does not provide adequate functionality to incorporate and adapt to context information which could have an impact on access decisions in context-aware environments. Such environments need an access control approach with both dynamic associations of user-role and role-permission capabilities. Towards this end, this paper introduces a policy framework for context-aware access control (CAAC) applications that extends the RBAC approach with context information. The framework uses the relevant context information that reflects the dynamically changing conditions of the environments to specify the CAAC policies: the context-aware user-role and role-permission assignment policies. We first present a formal policy model for our framework, specifying CAAC policies. Using this model, we then introduce a policy ontology for modelling CAAC policies and a policy enforcement architecture which supports access to resources according to the dynamically changing context information. In addition, we evaluate our policy ontology model and framework by considering (i) the completeness of the ontology concepts, specifying different context-aware user-role and rolepermission assignment policies from the healthcare scenarios; (ii) the correctness and consistency of the ontology semantics, assessing the core and domain-specific ontologies through the healthcare case study; and (iii) the performance of the framework by means of response time. The evaluation results demonstrate the feasibility of our framework and quantify the performance overhead of achieving context-aware access control to information resources.