Title :
A research challenge in modeling access control policies: Modeling recommendations
Author :
El Kalam, Anas Abou
Author_Institution :
IRIT - INPT / ENSEEIHT, Univ. de Toulouse, Toulouse
Abstract :
Security policies should be well-defined in any serious security study and should capture all the requirements of the targeted system. However, while current and emergent applications become more and more complex, most of the existing security policies and models only consider a yes/no response to the access requests. Consequently, modeling, formalizing and implementing permissions, obligations and prohibitions do not cover the richness of all the possible scenarios. In fact, many applications have access rules with the recommendation access modality. In this paper we focus on the problem of security policies formalization. The aim is to provide a generic domain-independent approach. In order to achieve these goals, we have chosen a logic-based approach that enhances the Deontic logic (the logic of permissions, obligations and prohibitions) with the recommendation and inadvisable access modalities. We thus present a new logical framework including a Recommendation Specification Language (RSL) as well as the necessary axiomatics to derive rules and to reason (e.g., query, verify) on the security policy. Our logical framework can thus be used by security administrators to automatically derive consequences of their policies.
Keywords :
authorisation; formal logic; specification languages; access control policy modeling; deontic logic; generic domain-independent approach; logic-based approach; recommendation access modality; recommendation specification language; security policy formalization; Access control; Current control; Data security; Guidelines; Information security; Legislation; Logic; Medical services; Permission; Specification languages; Deontic logic; Information systems security; access control models; security policies;
Conference_Title :
Research Challenges in Information Science, 2008. RCIS 2008. Second International Conference on
Conference_Location :
Marrakech
Print_ISBN :
978-1-4244-1677-6
Electronic_ISBN :
978-1-4244-2273-9
DOI :
10.1109/RCIS.2008.4632115