Context-based access control for ubiquitous service provisioning

Pervasive user mobility, wireless connectivity and the widespread diffusion of portable devices raise new challenges for ubiquitous service provisioning. In particular, mobility of users/devices causes frequent and unpredictable changes in physical user location and in consequently available resources and services. Users can also change portable access devices, with different capabilities, even at runtime and during the same service session, thus forcing us to consider very dynamic aspects even due to client heterogeneity. Access control to resources is crucial to leverage the provision of ubiquitous services and calls for novel solutions based on various context information, e.g., user/device location, device properties, user needs, local resource visibility. This work presents a novel access control model built upon the concept of context as the first-class design principle to rule access to resources. As key features, this model allows to associate access control permissions with contexts where users operate and users acquire/lose their permissions when entering/leaving a specific context. Unlike traditional access control solutions where user identity/role triggers policy evaluation when requesting resource access, this model exploits the user context to fully determine the set of available permissions. In addition, the proposed model allows to express context-based access control policies at a high level of abstraction cleanly separate from service logic implementation, thus promoting dynamic policy modification with no impact on the service code. The paper shows the implementation of the proposed model in the UbiCOSM framework and presents a mobile office service provisioning scenario.