
In this section, we provide a formal proof of the equivalence of the original model and its ABACα configuration. We only show the formal proof for RBAC0 here; the proofs for the other models can be developed similarly. To show equivalence, we adopt the state-matching reduction method [139], which was developed to formally compare the expressive power of various access control models. Before we formally present the proof, we define the following schemes.

Scheme RBAC0. ... user-role assignment and thus the administrative model for RBAC0. In this dissertation, we model the changes caused by users activating and deactivating their roles in a session. Thus, the scheme for RBAC0 is formally defined as follows.

• State Γ. It is summarized by the following well-known sets of RBAC0: U (users), R (roles), URA (user-role assignment), S (sessions), SRA (session-role assignment), USA (user-session assignment), PRA (permission-role assignment), OP (operations) and O (objects).

• State transition Ψ. The state can only change by users creating and deleting sessions, and activating and deactivating roles in a session. The precondition for activating roles is that those roles are assigned to the user, i.e., there exists an appropriate user-role assignment. Formally, the possible operations, their preconditions and their effects are defined as follows.

CreateSession(u, s)
Precondition: None
Effect: S′ = S ∪ {s}, USA′ = USA ∪ {(u, s)}

DeleteSession(u, s)
Precondition: (u, s) ∈ USA
Effect: ∀(s, r) ∈ SRA, SRA′ = SRA \ {(s, r)}; S′ = S \ {s}; USA′ = USA \ {(u, s)}

ActivateRole(u, s, r)
Precondition: (u, s) ∈ USA ∧ (u, r) ∈ URA
Effect: SRA′ = SRA ∪ {(s, r)}

DeactivateRole(u, s, r)
Precondition: (u, s) ∈ USA ∧ (s, r) ∈ SRA
Effect: SRA′ = SRA \ {(s, r)}

• Query Q. On each state in this scheme, the query is whether there exists a session s with role r. We write a query as r. Other, more general queries can be considered similarly.

• Entailment relation ⊢. It is defined as follows for a state γ and query r.

– γ ⊢ r = true iff ∃s. (s, r) ∈ SRA

Scheme ABAC-RBAC0. The ABAC instance for RBAC0 is shown in table 3.8. It is expressed in the notation of [139] as follows.

• State Γ. It consists of the basic sets and functions shown in table 3.8.

• State transition Ψ. The only state changes are a user creating and deleting a subject or modifying subject attributes. Formally, these are defined as follows.

CreateSub(u, s, (srole, val))
Precondition: ConstrSub(u, s, (srole, val)) = true
Effect: S′ = S ∪ {s}, srole(s) = val

DeleteSub(u, s)
Precondition: SubCreator(s) = u
Effect: S′ = S \ {s}

ModifySubAttr(u, s, (srole, val))
Precondition: ConstrSub(u, s, (srole, val)) = true
Effect: srole(s) = val

• Query Q. On each state in this scheme, the query is whether there exists a session s with r ∈ srole(s). We continue to write a query as r.

• Entailment relation ⊢. It is defined as:

– γ ⊢ r = true if r ∈ srole(s)

– γ ⊢ r = false if r ∉ srole(s)

Theorem 1. There exists a state-matching reduction from RBAC0 to ABAC-RBAC0.

Proof. By construction. We present the mappings ReduceState in algorithm 1 and ReduceTransition in algorithm 2. The query in RBAC0, (s, r) ∈ SRA, is mapped to the corresponding query r ∈ srole(s) in ABAC-RBAC0.

Algorithm 1: ReduceState from RBAC0 state to ABAC-RBAC0 state
Input: RBAC0 state
Output: ABAC-RBAC0 state
Given any RBAC0 state: U_RBAC0, S_RBAC0, O_RBAC0, R, URA, SRA, USA, PRA.
We have the following sets for ABAC-RBAC0:
U_ABAC-RBAC0 = U_RBAC0, S_ABAC-RBAC0 = S_RBAC0, O_ABAC-RBAC0 = O_RBAC0
UA = {urole}, SA = {srole}, OA = {readrole, writerole}
For each (u, s) ∈ USA, SubCreator(s) = u.
SCOPE_urole = SCOPE_srole = R.
attType(urole) = attType(srole) = set
For each subject s ∈ S_ABAC-RBAC0, srole(s) = {r | (s, r) ∈ SRA}
For each user u ∈ U_ABAC-RBAC0, urole(u) = {r | (u, r) ∈ URA}
For each obj ∈ O_ABAC-RBAC0, readrole(obj) = {r | (r, (read, obj)) ∈ PRA}
For each obj ∈ O_ABAC-RBAC0, writerole(obj) = {r | (r, (write, obj)) ∈ PRA}

Algorithm 2: ReduceTransition from RBAC0 transition rule to ABAC-RBAC0 transition rule
Input: Transition rule in RBAC0
Output: Transition rule in ABAC-RBAC0
CreateSession(u, s) is mapped to CreateSubject(u, s, {(srole, ∅)}).
ActivateRole(u, s, r) is mapped to ModifySubAttr(u, s, {(srole, val)}), where the proposed value val is srole(s) ∪ {r} and the constraint is: val ∈ urole(u) ∧ SubCreator(s) = u.
DeactivateRole(u, s, r) is mapped to ModifySubAttr(u, s, {(srole, val)}), where the proposed value val is srole(s) \ {r} and the constraint is: SubCreator(s) = u.
DeleteSession(u, s) is mapped to DeleteSubject(u, s), and the constraint is: SubCreator(s) = u.

We show that they satisfy the properties for a state-matching reduction. Given any initial state γ_RBAC0 in RBAC0, the corresponding state in ABAC is γ_ABAC-RBAC0.

• No transition. Given any state γ_RBAC0 and query q_RBAC0 in the RBAC0 scheme, if γ_RBAC0 ⊢ q_RBAC0 = true, then MAP(γ_RBAC0) ⊢ MAP(q_RBAC0) = true, where MAP is the process of mapping a state and query in the RBAC0 scheme to the ABAC-RBAC0 scheme. The reason is that for any subject s and role r, if (s, r) ∈ SRA, then srole(s) = {r | (s, r) ∈ SRA} and thus r ∈ srole(s) = true. Similarly, if γ_RBAC0 ⊢ q_RBAC0 = false, i.e., (s, r) ∉ SRA, then r ∉ srole(s). Thus, γ_RBAC0 ⊢ q_RBAC0 = γ_ABAC-RBAC0 ⊢ q_ABAC-RBAC0.

• Assume that after k transitions (0 ≤ k ≤ ∞) from the initial state, the two states γ′_RBAC0 and γ′_ABAC-RBAC0 are equivalent, which means that for all queries γ′_RBAC0 ⊢ q_RBAC0 = γ′_ABAC-RBAC0 ⊢ q_ABAC-RBAC0. We want to prove that at state k+1 the results for all queries are also equivalent. There are the following possible transitions, and we consider them one by one:

– CreateSession(u, s). After this transition, in γ′_RBAC0, USA′ = USA ∪ {(u, s)}. Correspondingly, the operation in the ABAC-RBAC0 scheme is CreateSubject(u, s, {(srole, ∅)}). In γ′_ABAC-RBAC0, S′ = S ∪ {s} and SubCreator(s) = u, where (u, s) ∈ USA. The only change in the query set is that new queries (s, r), where r ∈ R, can be evaluated against the new state. For any r ∈ R, in RBAC0, γ_RBAC0 ⊢ (s, r) = false, and in the ABAC-RBAC0 scheme, MAP(γ_ABAC-RBAC0) ⊢ (s, r) = false.

– DeleteSession(u, s). After this transition, in γ′_RBAC0, ∀(s, r) ∈ SRA, SRA′ = SRA \ {(s, r)}, and USA′ = USA \ {(u, s)}. Thus, all queries regarding session s return false. Queries on other sessions do not change compared with the previous state. Correspondingly, the operation in the ABAC-RBAC0 scheme is DeleteSubject(u, s). In γ′_ABAC-RBAC0, S′ = S \ {s}. This transition does not affect existing queries regarding other subjects.

– ActivateRole(u, s, r). The corresponding transition in ABAC-RBAC0 is ModifySubject(u, s, {(srole, val)}), where val = srole(s) ∪ {r}. There are two situations after this transition:

∗ The request is not authorized because the precondition is not valid; then the state does not change. The precondition in ModifySubject is also false. Thus, γ′_ABAC-RBAC0 is the same as γ_ABAC-RBAC0. The results for all queries are also the same as in the previous state.

∗ In the next state, SRA′ = SRA ∪ {(s, r)}. The only change to all queries is that the query γ′_RBAC0 ⊢ (s, r) = true. In the ABAC-RBAC0 scheme, srole(s) = val, where val = srole(s) ∪ {r}. Thus, the only change to all queries is that r ∈ srole(s) = true.

– DeactivateRole(u, s, r). Similarly, there are two possibilities:

∗ The state does not change because the precondition is not satisfied. The results for all queries do not change compared with the state at transition k.

∗ The request is authorized; the only change to all queries is that the query γ′_RBAC0 ⊢ (s, r) = false. In the ABAC-RBAC0 scheme, srole(s) = val, where val = srole(s) \ {r}. Thus, the only change to all queries is that r ∈ srole(s) = false.

In summary, the mapping is a state-matching reduction from RBAC0 to ABAC-RBAC0.

Theorem 2. There exists a state-matching reduction from ABAC-RBAC0 to RBAC0.

Proof. By construction. We present the mappings ReduceState in algorithm 3 and ReduceTransition in algorithm 4 from the ABAC-RBAC0 scheme's state and transition rule to the RBAC0 scheme's state and transition rule. Similarly, the query r in the ABAC-RBAC0 scheme is mapped to the query r in the RBAC0 scheme.

Algorithm 3: ReduceState from ABAC-RBAC0 state to RBAC0 state
Input: ABAC-RBAC0 state
Output: RBAC0 state
Given any ABAC-RBAC0 state:
We have the following sets for RBAC0:
U_RBAC0 = U_ABAC-RBAC0, S_RBAC0 = S_ABAC-RBAC0, O_RBAC0 = O_ABAC-RBAC0
R_RBAC0 = SCOPE_urole
URA = {(u, r) | r ∈ urole(u)}
SRA = {(s, r) | r ∈ srole(s)}
USA = {(u, s) | SubCreator(s) = u}
PRA = {((read, obj), r) | r ∈ readrole(obj)} ∪ {((write, obj), r) | r ∈ writerole(obj)}

Algorithm 4: ReduceTransition from ABAC-RBAC0 transition rule to RBAC0 transition rule
Input: Transition rules in ABAC-RBAC0
Output: Transition rules in RBAC0
CreateSubject(u, s, {(srole, ∅)}) is mapped to CreateSession(u, s).
ModifySubAttr(u, s, {(srole, val)}) is mapped to a sequence of ActivateRole(u, s, r) and DeactivateRole(u, s, r) operations: for all roles r ∈ (val \ srole(s)), ActivateRole(u, s, r), and for all roles r ∈ (srole(s) \ val), DeactivateRole(u, s, r).
DeleteSubject(u, s) is mapped to DeleteSession(u, s).

We show that the reduction shown above is a state-matching reduction.

• No transition. As in the proof of theorem 1, given any state in ABAC-RBAC0, there exists a corresponding state in RBAC0 such that all queries have the same result.

• We assume that after k transitions the states γ_ABAC-RBAC0 and γ_RBAC0 are equivalent. We want to prove that after the next transition the states are also equivalent. There are the following possible transitions, and we consider them one by one.

– CreateSubject(u, s). As in the proof of theorem 1.

– DeleteSubject(u, s). As in the proof of theorem 1.

– ModifySubject(u, s, {(srole, val)}). There are two possibilities after this transition:

∗ The request is not authorized and the state stays the same. The proof is thus the same as in theorem 1.

∗ The request is authorized; then srole(s) = val in γ′_ABAC-RBAC0. After the corresponding transition in the RBAC0 scheme, the roles of session s are equal to (val \ (srole(s) \ val)) ∪ (val \ srole(s)) (the current roles minus the deactivated roles plus the newly activated roles), which is val. Thus, in the next state, all queries have the same result.

In summary, the mapping is a state-matching reduction.

Theorem 3. The RBAC0 model and the ABAC instance of RBAC0 (ABAC-RBAC0) are equivalent in expressive power.
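To make Algorithms 1 and 2 and the state-matching check concrete, here is an added Python example (not code from the dissertation) that builds the ABAC-RBAC0 state from an RBAC0 state, applies an RBAC0 role transition together with its mapped ModifySubAttr, and checks that every query (s, r) still answers the same in both states. It assumes only users, roles and sessions (objects, OP and PRA are omitted) and reads the constraint val ∈ urole(u) as set inclusion val ⊆ urole(u), since both are sets of roles; the sample state is constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class RBAC0State:   # state Γ of scheme RBAC0 (objects, OP and PRA omitted in this example)
    U: set; R: set; URA: set; S: set; SRA: set; USA: set

@dataclass
class ABACState:    # state Γ of scheme ABAC-RBAC0 (user and subject attributes only)
    U: set; S: set; scope_role: set; urole: dict; srole: dict; sub_creator: dict

def reduce_state(g):
    """Algorithm 1: urole(u) from URA, srole(s) from SRA, SubCreator(s) from USA, SCOPE = R."""
    return ABACState(U=set(g.U), S=set(g.S), scope_role=set(g.R),
                     urole={u: {r for x, r in g.URA if x == u} for u in g.U},
                     srole={s: {r for x, r in g.SRA if x == s} for s in g.S},
                     sub_creator={s: u for u, s in g.USA})

def rbac_query(g, s, r): return (s, r) in g.SRA             # γ ⊢ (s, r) in RBAC0
def abac_query(a, s, r): return r in a.srole.get(s, set())  # r ∈ srole(s) in ABAC-RBAC0
def activate_role(g, u, s, r):    # precondition: (u, s) ∈ USA ∧ (u, r) ∈ URA
    if (u, s) in g.USA and (u, r) in g.URA: g.SRA.add((s, r)); return True
    return False
def deactivate_role(g, u, s, r):  # precondition: (u, s) ∈ USA ∧ (s, r) ∈ SRA
    if (u, s) in g.USA and (s, r) in g.SRA: g.SRA.discard((s, r)); return True
    return False

def modify_sub_attr(a, u, s, val):
    """ConstrSub read as val ⊆ urole(u) ∧ SubCreator(s) = u (assumption: the text writes val ∈ urole(u);
    for deactivation it asks only SubCreator(s) = u, and srole(s) ⊆ urole(u) makes both checks agree)."""
    if val <= a.urole.get(u, set()) and a.sub_creator.get(s) == u:
        a.srole[s] = set(val); return True
    return False

def states_match(g, a):
    """State-matching property: every query (s, r) has the same answer in both states."""
    return all(rbac_query(g, s, r) == abac_query(a, s, r) for s in g.S for r in g.R)

def run_mapped(g, a, op, u, s, r):
    """Apply ActivateRole/DeactivateRole in RBAC0 and its Algorithm 2 image in ABAC-RBAC0.
    Returns (RBAC0 request authorized, ABAC-RBAC0 request authorized, states still match)."""
    cur = set(a.srole.get(s, set()))
    val = cur | {r} if op == "activate" else cur - {r}
    ok_rbac = (activate_role if op == "activate" else deactivate_role)(g, u, s, r)
    return ok_rbac, modify_sub_attr(a, u, s, val), states_match(g, a)

def sample_states():
    """Constructed input: alice is assigned admin and dev; session s1 is active as dev only."""
    g = RBAC0State(U={"alice"}, R={"admin", "dev", "audit"}, S={"s1"}, SRA={("s1", "dev")},
                   URA={("alice", "admin"), ("alice", "dev")}, USA={("alice", "s1")})
    return g, reduce_state(g)
```

Note that the image of a DeactivateRole whose precondition fails (r not active in s) is an authorized no-op in ABAC-RBAC0, since its constraint is only SubCreator(s) = u; the reduction matches query results, not the accept/reject outcome of each individual request.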
