Specification of Conditions

Conditions specify the type-specific policies under which an operation can be performed on an object. A condition is interpreted according to its type. Conditions can be categorized as generic or specific. Generic conditions are evaluated by the access control model; specific conditions are application-dependent and usually are evaluated by the application. These are several of the more useful generic conditions [1].

• time Time periods for which access is granted.
• location Location of the principal. Authorization is granted to the principals residing in specific hosts or domains.
• message protection Required confidentiality/integrity message protection. This condition specifies a mechanism, or a set of mechanisms to be used in confidentiality/integrity message protection.
• privilege constraints

  Specifies well-formed transactions and separation of duty constraints. For more details see Section 8.

• multi-level security constraints

  Specifies mandatory confidentiality and integrity constraints. For more information see Section 9.

• payment Specifies currency and amount that should be paid prior access to an object will be granted.
• quota Specifies a currency and a limit. It limits the quantity of a resource that can be consumed or obtained.
• strength of authentication Specifies the authentication mechanism or set of suitable mechanisms, for authentication.
• trust constraints

  Specifies restrictions placed on security credentials. For more information see Section 6.

• attributes of subjects

  Defines a set of attributes that must be possessed by subjects in order to get access to the object, e.g. security label.

If generic conditions are not sufficient for expressing application-specific security policies, applications specify their own conditions. Anything that can be expressed as alphanumeric string can be a condition. The application must provide evaluation rules for the application-specific conditions.