Lecture 11 - Database Security

Uploaded by

raz

Database & Storage Security

Professor Dr. Mohammad Abu Yousuf
[email protected]
Geospatial Database Security
Introduction

• Introduction to Geospatial Database
• Geospatial data models
– Vector data
– Raster data
• Geospatial Access Control Models
– Geospatial Data Authorization Model
– Geospatial Role Based Access Control
– Location based Access Control
– Geospatial Web based Access Control
Real life examples

• A passenger bus or car that has been in an accident may need to transmit a
message to a nearby hospital for medical help.
• The hospital may need to identify the location of the vehicle to bring the
injured to the hospital.
Real life examples

• A rental microbus has come to Dhaka from Dinajpur to carry its passengers.
• On the return trip the driver may search for passengers willing to travel
from Dhaka to Dinajpur.
Real life examples

• A shop owner wants to attract potential customers who are travelling or
residing inside Dhaka city.
• Big discount for a limited period.
Real life examples

• A family travelling in a car searches for a restaurant for dinner.
Introduction to Geospatial Database

• Geospatial data
– Spatial data, also known as geospatial data, is information about a
physical object that can be represented by numerical values in a geographic
coordinate system.
– Generally speaking, spatial data represents the location, size and shape
of an object on planet Earth such as a building, lake, mountain or township.
Introduction to Geospatial Database

• Geospatial data
– There are many resources that carry location based information
(represented by longitude and latitude) which are useful to us.
– Delivering these resources to the right person through the mobile
Internet has become a new type of service that is growing day by day.
– Maps, aerial and satellite images are associated with location
information represented by longitude and latitude:
• river, school, park, road
• rainfall, vegetation index, population, environmental pollution index etc.
Introduction to Geospatial Database

• Geospatial data
– Geospatial data can be collected, analyzed, manipulated, integrated and
visualized with the help of various GIS software and Internet Map Servers.
– Geospatial data clearinghouse: it captures, creates, processes and
disseminates spatial information with the help of various software to
provide an information service.
Introduction to Geospatial Database

• GIS or other specialized software applications can be used to access,
visualize, manipulate and analyze geospatial data.
• Microsoft introduced two spatial data types with SQL Server 2008:
– geometry and
– geography.
Introduction to Geospatial Database

• Geometry types are represented as points on a planar, or flat-earth,
surface. The geometry type represents data in a Euclidean (flat) coordinate
system. An example would be (5,2), where the first number represents the
point's position on the horizontal (x) axis and the second number represents
the point's position on the vertical (y) axis.
• Geography spatial data types, on the other hand, are represented as
latitudinal and longitudinal degrees, as on Earth or other earth-like
surfaces. The geography type represents data in a round-earth coordinate
system.
• Latitude and longitude are angles that uniquely define points on a sphere.
Introduction to Geospatial Database

Evolution of location based information products:
• The proliferation of the Internet
• The proliferation of mobile networks
• Advancement of smartphones (high capacity processors)
• Development of various GIS, GPS and other applications that work in an
integrated way to provide the service:
– GIS (ArcView, ArcInfo etc.)
– GPS
– Google Earth
– Google Maps
Introduction to Geospatial Database

Advantages:
• Citizen service (location based)
• Decision making:
– business facilities and site selection,
– demographic analyses,
– route selection, zoning,
– planning, conservation, natural resource extraction,
– natural and man-made damage assessment, and
– national security.
Introduction to Geospatial Database

Disadvantages:
• Serious threats to security and privacy, e.g. location data about
– water distribution, telecommunication, bridges, tunnels and nuclear
plants;
– failure of these may cause a large scale socio-economic impact.
• Positional information about a person may lead to a privacy threat.
• Sensitive activities at a certain location may need to be kept secret.
Geospatial Web Service (GWS)

• Geospatial web services (GWS) help users find, access, and sometimes
manipulate data of interest on the web dynamically from a distributed
network.
• GWS are designed to collect data once and update or edit it in real time.
Geospatial Web technology

• easily shares and integrates geospatial data and applications on demand.
• allows users to easily create geospatial "mash-ups": light-weight
applications that help integrate diverse location based information.
• Geospatial Web Services can be invoked using a set of XML-based standard
programs and can be embedded into applications that integrate many other
kinds of data.
• Sharing of these Web services should be done in such a way that it
preserves the security and privacy specifications of their respective
Introduction to Geospatial Database

How to address the challenge:
• Policies related to the security and privacy of both subjects and objects.
• These policies for secure sharing should themselves be managed by another
policy (a meta-policy), so that the right policy can be located efficiently
and policy inferences can be performed easily.
Access Control for Geospatial Database

• Access control models typically consider the characteristics of the
geospatial data (Object) and the location of the user (Subject).
• This is because the security and privacy policies are often based on the
Object's contents and the Subject's location.
Access Control for Geospatial Database

Access control for this data is based on
• its geospatial location,
• its content and context,
• the credentials and characteristics of the users requesting access,
• the time at which the data is captured and requested.
Geospatial Data Models

• A data model in geographic information systems is a mathematical construct
for representing geographic objects or surfaces as data.
• Vector and raster data are the two primary data types used in GIS. Both
vector and raster data have spatial referencing systems. These are latitudes
and longitudes that pinpoint positions on Earth.
• For example, the vector data model represents geography as collections of
points, lines, and polygons;
• the raster data model represents geography as cell matrices that store
numeric values.
Geospatial Data Models

Vector data & Raster data (figure)

Vector     Raster
Point      Cell
Line       Sequence of cells
Polygon    Zone of cells
Geospatial Data Models

Vector Spatial Data Types
• Vector data is not made up of a grid of pixels. Instead, vector graphics
are composed of vertices and paths.
• The three basic symbol types for vector data are points, lines and
polygons (areas).

Raster Spatial Data Types
• Raster data is made up of pixels (also referred to as grid cells). They are
usually regularly-spaced and square, but they don't have to be. Rasters
often look pixelated because each pixel is associated with a value or class.
• For example: each pixel value in a digital photograph is associated with a
red, green and blue value.
Vector data Model

• Represents two components:
– Spatial Attributes:
• Indicate the geometric shape
– points, lines and polygons
– Points are represented as pairs of latitude and longitude coordinates,
lines as strings of coordinate pairs and polygons as lines that form closed
loops.
• Record data about location, topology and geometry of geospatial data.
– Water body, zoning area, forest area, all schools etc.
– Non-spatial Attributes (Thematic attributes):
• Annual rainfall, vegetation type, zoning type, land use, census tracts etc.
Vector data Model

• Thematic layer:
– A thematic layer is a collection of geometries having the same attribute
sets.
• One theme/layer indicates the schools on the map.
• Another layer indicates water bodies on the map.
Raster data model

• Spatial data (satellite images, elevation maps, digitized maps etc.) is
represented as a grid of columns and rows, i.e. as a matrix of cells (pixels).
• Each layer of grid cells records a separate attribute.
Raster data model

• Each cell carries the non-spatial data (rainfall, vegetation type).
• Spatial coordinates are not usually stored for each cell.
• Cells are located by the ordering of the pixels.
• Each layer contains information about the number of columns and rows and
the geographic location of the origin.
Raster data model

• A grid defines geographic space as a matrix of identically-sized square
cells. Each cell holds a numeric value that measures a geographic attribute
(like elevation) for that unit of space.
The grid data structure

• Grid size is defined by extent, spacing and NODATA value information
o Number of rows, number of columns
o Cell sizes (X and Y)
o Top, left, bottom and right coordinates
• Grid values
o Real (floating decimal point)
o Integer (may have an associated attribute table)
Definition of a Grid (figure)

Labels in the figure: cell size, number of rows, number of columns, NODATA
cell, origin (X,Y).
Raster examples (figures)

• Points as Cells
• Line as a Sequence of Cells
• Polygon as a Zone of Cells
• NODATA Cells
• Cell Networks
• Grid Zones
• Floating Point Grids: continuous data surfaces using floating point or
decimal numbers
• Value attribute table for categorical (integer) grid data: attributes of
grid zones
• Raster data model with layers
Difference between Vector & Raster Data

• Raster data model
o location is referenced by a grid of cells in a rectangular array (matrix)
o attribute is represented as a single value for that cell
o much data comes in this form:
• images from remote sensing (LANDSAT, SPOT)
• scanned maps
• elevation data from USGS
o best for continuous features:
• elevation
• temperature
• soil type
• land use

• Vector data model
– location referenced by x,y coordinates, which can be linked to form lines
and polygons
– attributes referenced through a unique ID number to tables
– much data comes in this form:
• census data (tabular)
– best for features with discrete boundaries:
• property lines
• political boundaries
• transportation
Geospatial Access Control Models

• Geospatial Data Authorization Model (image)
• Geospatial Role Based Access Control Model
• Location Based Access Control Model
• Geospatial Web Access Control
Geospatial Data Authorization Model (Image)

• In a geospatial web service, information that is presented on images
(maps) is delivered to the users with the help of web technology and other
image processing applications.
• This model presents an authorization process that ensures the right image
information, after processing, reaches the right recipient.
Geospatial Data Authorization Model (Image)

• Geo-temporal policy that governs the access rights of the geospatial
subjects to the geospatial objects.
• Geospatial Role, defined as per the geo-temporal policy.
• Geospatial Subject
• Geospatial Object
• Geospatial Permission
• Evaluation
Geospatial Data Authorization Model

• Spatio-temporal policies (image):
– P1: All users (Subjects) can view 10 meter or lower resolution images
(Objects).
– P2: 1 meter resolution images of the parcel located at "120 James Street,
Newark, New Jersey" can be accessed only by the current owner of this parcel.
– P3: Only military personnel positioned in Afghanistan can zoom in to 1
meter resolution images over Afghanistan captured after September 11, 2001.
– P4: The police officers positioned in Bergen County are allowed to access
1 meter resolution images of the nuclear power plant located at
[-81.37227, 28.54623].
Geospatial Data Authorization Model

Security and privacy policy specifications:
• Geographic coverage (area or extent)
• Thematic content within the area
• Zoom level of a particular location
• Temporal nature of the objects
• Location of the requester and his role within the area etc.
Geospatial Data Authorization Model

• Geotemporal Role:
– Geotemporal roles specify a set of subjects possessing credentials with
spatial and temporal properties: each role is associated with a certain
region and temporal interval.
– The role changes depending on the user's location and time.
– Roles are assigned to users depending on the context a user is in.
• A role "doctor" in Dhaka is different from a role "doctor" in Khulna.
• A role "doctor" in the morning shift is different from a role "doctor" in
the evening shift.
Geospatial Data Authorization Model

• Geotemporal Role:
– Geospatial role expression re = (r, sc)
• where r = a traditional role as specified in RBAC
• sc = a scene that is associated with geospatial and temporal extents.
• Each sc can be organized as a hierarchy in its own domain:
– An incident domain may have scenes like fire, flood, earthquake etc.
– A shopping domain may have scenes like mall, retail shop, wholesale area,
market etc.
Geospatial Data Authorization Model

• Geotemporal Role:
– Geospatial role expression re = (r, sc)
– Each sc can be instantiated with a scene expression such as
» sc = {label, lt, lg, h, w, [tb, te]}
» where label is a descriptive scene name, such as "Dhaka City", "mall" or
"fire", and
» {lt, lg, h, w} denotes latitude, longitude, height and width of a bounding
box covering the geographic area of the scene, and
» [tb, te] denotes the temporal period of the scene.
Geospatial Data Authorization Model

Geotemporal Role (Example):
– {"Police Officer", "Dhaka City"} denotes any Police Officer at any place
inside Dhaka City,
– {"Police Officer", "Motijheel PS"} denotes any Police Officer whose
location is in the Motijheel Police Station area,
– {"Police Officer", "Motijheel PS", "Morning Shift"} denotes any Police
Officer whose location is in the Motijheel Police Station area and who is
allowed to perform duties in the morning shift.
Geospatial Data Authorization Model

• Geotemporal Object:
– Each geotemporal object belongs to an object type.
– Attributes of object types:
• Unique identifier
• Type of geospatial object
• Longitude
• Latitude
• Height
• Width
• Resolution
• Timestamp
• Thematic link to the data set associated with the object
– A geotemporal object is specified with a geotemporal object expression ge
that is a logical expression of object attributes and their values.
– Example from the slide figure: ge = {River, 30.305, 80.70, 30, 200 m, ...}
Geospatial Data Authorization Model

• Geotemporal Object:
– Each geotemporal object belongs to an object type, and object types can
be organized into an object type hierarchy.
Geospatial Data Authorization Model

• Geotemporal permissions:
– Viewing
– Copying
– Maintenance mode
Geospatial Data Authorization Model

• Geotemporal permissions: Viewing
– zoom-in allows a user to view an image covering a certain geographic area
at a specific higher resolution level,
– overlay allows users to generate composite images from multiple images,
– animate allows a user to obtain a time series of images and integrate them
to show the changes in the images, and
– fly-by allows a user to traverse from one location to another with
multi-resolution browsing from low resolution images to high resolution
images, or vice versa.
Geospatial Data Authorization Model

• Geotemporal permissions: Copying
– The copying modes, download and download-data, allow source files to be
downloaded.
– Viewing and copying are distinguished as separate privileges for
geospatial data.
Geospatial Data Authorization Model

• Geotemporal permissions: Maintenance mode
– The maintenance modes include insert, delete, update and compose.
– Users with the compose privilege can create and insert value-added images,
using images in the database.
Geospatial Data Authorization Model

• Geotemporal Authorization (Policy)
– An authorization is represented as
• Authorization = {re, ge, privilege, period, sign}
• It states that the set of subjects represented by the role expression (re)
has the access privilege on an object or set of objects represented by the
geotemporal object expression (ge) during the period.
• The sign indicates whether the privilege is allowed or denied.
Geospatial Data Authorization Model

• Geotemporal Authorization: Example
• Authorization = {re, ge, privilege, period, sign}
• re = {"Police Officer1", sc}, sc = {"Ramna PS", its location, morning
shift}
• re = {"Police Officer1", "Ramna PS", its location, morning shift}
• ge = {"Ramna PS", its location, Resolution, Timestamp, Road network}

• Example of authorization (figure)
• These authorizations can be interpreted as follows:
• a1 specifies that John is allowed to access a region centered at point
(50,60) with width and height of 10 in LANDSAT images, with a zoom-in level
of up to 8, between 1 January 1999 and now.
Geospatial Data Authorization Model

• Access Control Evaluation: Access Request
– Access request, r = {gtc, gto, p}
– where gtc is a geotemporal credential expression of the user with
contextual information such as the current location and time the user is
situated in,
– gto is a geotemporal object expression that can include a particular image
type and a spatial area with a certain temporal footprint, and
– p is a permission type.
• ur1 states that John wants to view objects with identifier equal to 12.
• In ur2, Mary requests to identify the property information of a specific
rectangular region represented by (50,60,10,10) from images of 1 meter
resolution downloaded between 1 August 2001 and now.
Geospatial Data Authorization Model

• Access Control Evaluation: processing evaluation
• Authorization Policy = {re, ge, privilege, period, sign}
• Access request, r = {gtc, gto, p}
– gtc is matched with re in the policy statement, and when the spatial and
temporal extents of the request are included in the geotemporal role
extents, the role is activated.
– Then gto is matched with the authorized geotemporal expression ge in the
policy.
– The matching operations between the requested and policy geotemporal
extents include predicates to check the spatial and temporal relationships
such as containment, total and partial overlap, meet, and no-overlap.
Geospatial Data Authorization Model

• Access Control Evaluation: processing evaluation
• Authorization Policy = {re, ge, privilege, period, sign}
• Access request, r = {gtc, gto, p}
– When the geotemporal extent gto is contained in, or totally or partially
overlapping with, the object's geotemporal extent ge in the authorization,
and the requested permission matches the one in the authorization, the
access is allowed.
– In case of partial overlap, only the overlapping area of the object should
be delivered, which requires post-processing of the retrieved objects, such
as cropping of images and mosaicking of multiple cropped objects.
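The three evaluation steps above (activate the role from gtc, match gto against ge with the spatial predicates, then check the permission and crop on partial overlap), as an added example that is not part of the lecture. The bounding boxes, the "Analyst" role, the "Dhaka City" scene coordinates and the dates are constructed; the LANDSAT extent and zoom limit follow the a1 authorization from the slides.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Box:
    """Bounding box as in the scene expression: (lt, lg) lower-left corner, h x w extents."""
    lt: float
    lg: float
    h: float
    w: float

    @property
    def top(self) -> float:
        return self.lt + self.h

    @property
    def right(self) -> float:
        return self.lg + self.w

    def contains_point(self, lt: float, lg: float) -> bool:
        return self.lt <= lt <= self.top and self.lg <= lg <= self.right


def spatial_relation(req: Box, pol: Box) -> str:
    """Predicates the slides name: containment, partial overlap, meet, no-overlap."""
    if (pol.lt <= req.lt and pol.lg <= req.lg
            and req.top <= pol.top and req.right <= pol.right):
        return "containment"
    lat_overlap = min(req.top, pol.top) - max(req.lt, pol.lt)
    lg_overlap = min(req.right, pol.right) - max(req.lg, pol.lg)
    if lat_overlap > 0 and lg_overlap > 0:
        return "partial overlap"
    if lat_overlap >= 0 and lg_overlap >= 0:
        return "meet"          # edges touch only; nothing of the object is inside
    return "no-overlap"


def crop(req: Box, pol: Box) -> Box:
    """Intersection: on partial overlap only this part of the object may be delivered."""
    lt, lg = max(req.lt, pol.lt), max(req.lg, pol.lg)
    return Box(lt, lg, min(req.top, pol.top) - lt, min(req.right, pol.right) - lg)


@dataclass(frozen=True)
class Scene:
    """sc = {label, lt, lg, h, w, [tb, te]}."""
    label: str
    box: Box
    tb: date
    te: date


@dataclass(frozen=True)
class Authorization:
    """{re, ge, privilege, period, sign}; re = (role, scene), ge kept to type, extent, zoom."""
    role: str
    scene: Scene
    obj_type: str
    obj_box: Box
    max_zoom: int
    privilege: str
    period: tuple
    sign: str


@dataclass(frozen=True)
class Request:
    """r = {gtc, gto, p}: credential (role, position, time), object expression, permission."""
    role: str
    lt: float
    lg: float
    when: date
    obj_type: str
    obj_box: Box
    zoom: int
    privilege: str


def evaluate(req: Request, auth: Authorization) -> tuple:
    """Return (decision, delivered box). The role is activated only when the requester's
    location and time lie inside the scene; then gto is matched against ge and p checked."""
    sc = auth.scene
    if req.role != auth.role or not sc.box.contains_point(req.lt, req.lg):
        return ("deny", None)
    if not (sc.tb <= req.when <= sc.te and auth.period[0] <= req.when <= auth.period[1]):
        return ("deny", None)
    if (req.obj_type != auth.obj_type or req.privilege != auth.privilege
            or req.zoom > auth.max_zoom):
        return ("deny", None)
    rel = spatial_relation(req.obj_box, auth.obj_box)
    if rel == "containment":
        return (auth.sign, req.obj_box)
    if rel == "partial overlap":
        return (auth.sign, crop(req.obj_box, auth.obj_box))   # crop before delivery
    return ("deny", None)


# Constructed instance of the slides' a1: LANDSAT region around (50,60), 10 x 10, zoom-in
# up to level 8, valid from 1 January 1999. The requester-side scene is constructed too.
A1 = Authorization(
    role="Analyst",
    scene=Scene("Dhaka City", Box(23.70, 90.35, 0.20, 0.20), date(1999, 1, 1), date(2099, 12, 31)),
    obj_type="LANDSAT", obj_box=Box(45, 55, 10, 10), max_zoom=8, privilege="zoom-in",
    period=(date(1999, 1, 1), date(2099, 12, 31)), sign="allow")

INSIDE = Request("Analyst", 23.75, 90.40, date(2010, 5, 1), "LANDSAT", Box(47, 57, 5, 5), 4, "zoom-in")
PARTIAL = Request("Analyst", 23.75, 90.40, date(2010, 5, 1), "LANDSAT", Box(50, 60, 10, 10), 4, "zoom-in")
TOO_FINE = Request("Analyst", 23.75, 90.40, date(2010, 5, 1), "LANDSAT", Box(47, 57, 5, 5), 9, "zoom-in")
ELSEWHERE = Request("Analyst", 24.50, 91.00, date(2010, 5, 1), "LANDSAT", Box(47, 57, 5, 5), 4, "zoom-in")
```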
Geospatial Role Based Access Control (RBAC) Model: Introduction

• RBAC is centered on the notion of role.
• A role is a semantic construct which represents a job function within an
organization.
• The RBAC standard consists of four basic sets of elements:
– User: a human being or autonomous agent.
– Role: represents a function of a user within a community.
– Permission: an approval to perform an operation on one or more objects.
– Session: when a user logs in, a session is established during which the
user activates some subset of the roles s/he is assigned.
Geospatial Role Based Access Control (RBAC) Model: Example

Some data in the Geospatial Database needs protection:
• Fish count update in the river.
• Pollution index update in an area.
• Patient information update in a hospital.

Specific people are assigned these responsibilities, so role based access
control works well in such situations.
Geospatial Role Based Access Control (RBAC) Model: Example

A mobile application for the personnel and patients of a health care
organization:
• Individuals are given a location aware terminal with which they can request
the information services provided by an Application Server.
• Functional roles of individuals:
– Doctor, Nurse, Patient, General Staff etc.
• The services available to users depend on their functional role.
• The availability of roles, and thus of services, depends on the location
of the user.
Geospatial Role Based Access Control (RBAC) Model: Example

A mobile application for the personnel and patients of a health care
organization:
• A doctor may be allowed to request the record of a patient only in the
department she has been assigned to.
• A doctor is also a member of the personnel of the organization and as such
can be authorized to access additional services when located within the
boundaries of the hospital.
• Here the users of the hospital's application have different roles that are
location dependent.
Geospatial Role Based Access Control (RBAC) Model

Role Based Access Control (RBAC)
• Access decisions are based on the roles that individual users have as part
of an organization's policy.
• Roles are closely related to the concept of user groups in access control.
• A role brings together a set of users on one side and a set of permissions
on the other, whereas user groups are typically defined only as a set of
users.
Geospatial Role Based Access Control (RBAC) Model

• Under Geo-RBAC, location aware applications analyze the map vector data
and the user's position information to protect the information resources.
• Access policies under this model may include:
– P1: Only the environmental scientists currently making observations in the
river within the Padma River area can enter the observed fish counts into
the database.
– P2: A surveyor working on a street in Bhutergoli can change the data on
the illegal waste deposits in the region where he is located.
– P3: A doctor in Dhaka Medical Hospital wants to change the medicine of a
patient in his/her cabin in the hospital.
Geospatial Role Based Access Control (RBAC) Model

Spatially aware Object
• An object on the Earth is represented by a geometric shape (a point, a line
or a polygon).
• Each geometric object is tied to Earth coordinates.
• A point describes a single location, a line represents an ordered sequence
of points, and a polygon is an ordered sequence of closed lines.
• Minimum Bounding Box (MBB): the set of all geometries contained in a
reference space.
Geospatial Role Based Access Control (RBAC) Model

Spatially aware Object
• The objects to be protected consist of data about entities of the real
world that may occupy a position.
• These entities are called features; they carry spatial and non-spatial
attributes.
• Spatial features have a name and a location, i.e. a geometry, while
non-spatial features are not associated with any location.
• Examples of features: Buriganga River, Bhutergoli, Shahin School etc.,
associated with a polygon or point geometry.
• Features can have feature types such as River, Park, School, Road, Town,
Lake, Car.
Geospatial Role Based Access Control (RBAC) Model

Spatially aware Object
• Non-spatial attributes are not tied directly to the geometry of a
particular object; rather they can be spread over several objects.
• Example: fish count, vegetation index, crop production, pollution index
etc.
• These are expressed in thematic layers on the objects.
Geospatial Role Based Access Control (RBAC) Model

Spatial Role:
• is defined as a pair (r, e)
– where r is a role name and
– e is the spatial extent determined by the boundaries of the space in which
the role can be assumed by the user.
• Example: a role surveyor can be associated with different extents,
resulting in different spatial roles,
– (surveyor, Khulna City) and (surveyor, Rangpur City) are two spatial roles.
Geospatial Role Based Access Control (RBAC) Model

Positional Model:
• The actual user position, which can change in time, is modeled with either
– a real position, that is an actual geometry such as a point or a polygon,
and/or
– a logical position, i.e. a spatial feature (such as a city, hospital,
university campus etc.).
• There is a one-to-many mapping function that maps the real position to
logical positions.
Geospatial Role Based Access Control (RBAC) Model

Positional Model:
• Real positions can be located on the satellite map using GPS.
• Logical positions can be represented at different granularities depending
on the spatial role played by the user.
• Information with a high resolution image may be allowed for privacy
protection.
Why is logical positioning so important?
Geospatial Role Based Access Control (RBAC) Model

Geo-RBAC Model:
• The spatially aware role based access control model consists of:
– role schemas and role instances,
– permissions, users, and sessions.
Geospatial Role Based Access Control (RBAC) Model: Spatial role

• Role Schema: RS = {r, ext, loc, mloc}
– It defines
• r = a common name for a set of spatial roles,
• ext = the feature type of the role extent (spatial constraint) where roles
can be enabled,
• loc = the feature type of the logical position for the users who may
assume the role, and
• mloc = the mapping function used to calculate the logical position.
Geospatial Role Based Access Control (RBAC) Model: Spatial role

• Role Schema: RS = {r, ext, loc, mloc}
– Example: RS = {Doctor, Hospital, Sector, mSector}
– Doctor is the common name for a set of spatial roles,
– Hospital is the feature type of the role extent,
– Sector is the feature type of the logical position (the hospital area is
divided into sectors: Cabin, OT, Ward, Department etc.),
– mSector is the position mapping function.
Geospatial Role Based Access Control (RBAC) Model: Spatial role

• Role Schema: RS = {r, ext, loc, mloc}
– The Role Schema for a role name, say "Doctor", is unique.
– For example, having both
• {Doctor, Hospital, Sector, mSector} and
• {Doctor, Department, Room, mRoom}
is not allowed.
Geospatial Role Based Access Control (RBAC) Model: Spatial role

– A role instance is a role fulfilling the constraints defined in the role
schema.
– Given a role schema, a role instance ri = {r, e} is created when the role
extent is assigned a particular feature.
– For instance, a role instance could be a Doctor inside the OT of PG
Hospital.
– RS : {Doctor, Hospital, Sector, mSector}
– RI : {Doctor, PG Hospital, OT}
– RII : {Doctor, PG Hospital, Cabin}
– R : {Doctor, PG Hospital, Chamber}
Geospatial Role Based Access Control (RBAC) Model: Permission

• Permissions are operations performed on spatial objects, such as
getPatientInfo over a hospital feature or getTrafficInfo over a road feature.
• A permission can be associated either with the role schema, and inherited
by all role instances of the schema, or directly with role instances.
• Given a set of operations (OPS) and a set of objects (OBJ), permissions
are represented as a pair {operation, object}.
Geospatial Role Based Access Control (RBAC) Model: Sessions

• When a user logs in, a new session is activated and a number of roles are
selected to be included in the session role set.
• For a session role to be enabled, the user must be logically located within
the space of the role extent.
• Suppose a Doctor has logged into the application. The following roles may
be activated:
– Doctor in the patient management application
– User of the laundry service application
– Leave applications.
Geospatial Role Based Access Control (RBAC) Model: Access Control

• The access control is specified as a set of assignment relations between
permissions and spatial roles, and between users and spatial roles:
– Users-to-Spatial Role Assignment:
• It relates users to roles through a many-to-many relationship.
• A user can be assigned multiple roles and the same role can be assigned to
different users.

Users        Spatial Roles
Dr. Kamal    Doctor, OT
Dr. Jamal    Doctor, Cabin
Dr. Kabir    Doctor, Outdoor
Geospatial Role Based Access Control (RBAC) Model: Access Control

– Permission to Spatial Role Assignment: the mappings can be specified
between permissions and spatial role schemas, and between spatial role
instances and permissions.
– A role can be assigned multiple permissions and each permission can be
assigned to multiple roles.

Permissions    Spatial Roles
View info      Doctor
Update info    Nurse
Delete info    Pathologist
Geospatial Role Based Access Control (RBAC) Model: Access Request Evaluation

• Access request = {s, rp, p, o}
– s = user of the session
– rp = user's real position
– p = operation the user wants to perform on object o.
Geospatial Role Based Access Control (RBAC) Model: Access Request Evaluation

– Access Request = {s, rp, p, o}
– A user logs in, a session ID is generated, and a number of roles are
enabled to be included in the session role set under that session ID based
on the user's position.
– The logical location of the user is computed using the user's real
position and the location mapping function in the role schema,
RS = {r, ext, loc, mloc}.
– If the logical location is within the role extent, the role is enabled.
Geospatial Role Based Access Control (RBAC) Model: Access Request Evaluation

– Access Request = {s, rp, p, o}
– For each enabled role, the set of permissions assigned to the
corresponding role schema is determined.
– If the requested permission (p, o) matches the permission assignment rules
for an enabled role, then the access request is granted.
Geospatial Role Based Access Control (RBAC) Model: Example of Access Request
Evaluation

• Access request = {s, rp, p, o}
– rp = inside the map of PG Hospital (inside OT), identified by GPS.
– (p, o) = update patient's records.
– RS : {Doctor, Hospital, Sector, mSector} is activated, or
– RI : {Doctor, PG Hospital, OT} is activated.
– RS / RI are assigned to the session ID of the user after evaluating the
containment between the user's logical position and the role extent.
– For each enabled role, the set of permissions assigned to the
corresponding role schema is determined.
– If there is such a permission assignment rule for an enabled role, then
the access request is granted.
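The Geo-RBAC evaluation walked through on the slides (mloc maps the GPS point to a Sector, the role is enabled only if that logical position lies inside the Hospital extent, then (p, o) is checked against the permissions of the enabled roles), as an added example that is not part of the lecture. The map polygons, "Nurse Rina", the "patient record" object and the permission sets are constructed; the schema {Doctor, Hospital, Sector, mSector} and the doctors' role instances follow the slides.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Point = tuple[float, float]


def point_in_polygon(pt: Point, poly: list) -> bool:
    """Ray-casting test: real positions are points, map features are polygons."""
    x, y = pt
    inside = False
    j = len(poly) - 1
    for i, (xi, yi) in enumerate(poly):
        xj, yj = poly[j]
        if (yi > y) != (yj > y) and x < (xj - xi) * (y - yi) / (yj - yi) + xi:
            inside = not inside
        j = i
    return inside


@dataclass(frozen=True)
class Feature:
    name: str
    ftype: str              # feature type: Hospital or Sector
    polygon: tuple          # vertices of the feature geometry


def rect(x0, y0, x1, y1) -> tuple:
    return ((x0, y0), (x1, y0), (x1, y1), (x0, y1))


# Constructed map: one Hospital feature and three Sector features strictly inside it.
FEATURES = {f.name: f for f in (
    Feature("PG Hospital", "Hospital", rect(0, 0, 100, 100)),
    Feature("OT", "Sector", rect(10, 10, 30, 30)),
    Feature("Cabin", "Sector", rect(40, 40, 60, 60)),
    Feature("Outdoor", "Sector", rect(70, 70, 90, 90)),
)}


def m_sector(rp: Point) -> Optional[Feature]:
    """mSector: map a GPS point to the Sector feature containing it (the logical position)."""
    for f in FEATURES.values():
        if f.ftype == "Sector" and point_in_polygon(rp, list(f.polygon)):
            return f
    return None


@dataclass(frozen=True)
class RoleSchema:
    """RS = {r, ext, loc, mloc}."""
    r: str
    ext: str
    loc: str
    mloc: Callable[[Point], Optional[Feature]]


@dataclass(frozen=True)
class RoleInstance:
    """ri = {r, e}, optionally narrowed to one sector as in RI = {Doctor, PG Hospital, OT}."""
    r: str
    e: str
    sector: Optional[str] = None


SCHEMAS = {"Doctor": RoleSchema("Doctor", "Hospital", "Sector", m_sector),
           "Nurse": RoleSchema("Nurse", "Hospital", "Sector", m_sector)}

# Users-to-spatial-role assignment and permission-to-spatial-role assignment (constructed)
USER_ROLES = {
    "Dr. Kamal": (RoleInstance("Doctor", "PG Hospital", "OT"),),
    "Dr. Jamal": (RoleInstance("Doctor", "PG Hospital", "Cabin"),),
    "Nurse Rina": (RoleInstance("Nurse", "PG Hospital"),),
}
PERMISSIONS = {
    "Doctor": {("view", "patient record"), ("update", "patient record")},
    "Nurse": {("view", "patient record")},
}


def enabled_roles(user: str, rp: Point) -> list:
    """Session role set: a role is enabled only if the user's logical position (from the
    schema's mloc) lies within the role extent; a narrowed instance must also match."""
    enabled = []
    for ri in USER_ROLES.get(user, ()):
        schema = SCHEMAS[ri.r]
        logical = schema.mloc(rp)
        extent = FEATURES[ri.e]
        if logical is None or extent.ftype != schema.ext:
            continue
        if not all(point_in_polygon(v, list(extent.polygon)) for v in logical.polygon):
            continue                          # logical position not inside the extent
        if ri.sector is not None and ri.sector != logical.name:
            continue                          # instance is bound to another sector
        enabled.append(ri)
    return enabled


def evaluate(s: str, rp: Point, p: str, o: str) -> bool:
    """Access request {s, rp, p, o}: granted if (p, o) is assigned to any enabled role."""
    return any((p, o) in PERMISSIONS.get(ri.r, set()) for ri in enabled_roles(s, rp))
```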
Location Based Access Control (LBAC)

• For secure access to data by mobile users, the following points are
considered to identify the roles allowed/denied:
– Physical and dynamic location of the requester
– Credentials of the requester
Location Based Access Control (LBAC)

• The context data about location and timing are made available by third
parties (e.g. mobile phone operators) through service interfaces called
Location Services.
• However, mobile network technology does not provide an exact location
measure: the measurement a Location Service performs has a degree of
uncertainty due to technological limitations and possible environmental
effects.
Difference between RBAC and LBAC

– In RBAC, the user's static location is considered to determine whether
access is allowed or denied, whereas in LBAC the user's dynamic location is
considered.
– As a result, RBAC is suitable for static environments (hospital, road,
river etc.) whereas LBAC is suitable for dynamic environments (war,
earthquake, cyclone etc.).
– RBAC considers the logical location on the map vector data for granting
or denying access, whereas LBAC considers only the physical location.
– RBAC does not take external help when taking the access decision, whereas
LBAC takes the help of an external service provider (a telco providing the
location based service).
Examples of LBAC Policy
• P1: System administrators are authorized to configure the mobile network if they are in the server farm room, they are alone in such an area, and move at walking speed at most.
• P2: The CEO is authorized to access mobile network statistics if there is nobody close by and she is not in a competitor location.
• P3: Guests can read mobile network statistics if there is nobody close by and they are in a corporate location.
LBAC: Subject, Object & Action
• Subject:
– represented with a subject expression, which is a Boolean conditional predicate referring to the set of subjects that satisfy certain conditions.
– The conditions are evaluated against
• the user's profile,
• the user's location, and
• the user's membership in groups or active roles.
– Example: subject: equal(job, Professor) ^ greater than(age, 35)
LBAC: Subject, Object & Action
• Object:
– represented with a Boolean object expression, which refers to the set of objects that satisfy the conditions in the expression; the conditions evaluate membership of the object in categories and the values of properties in its metadata.
– Example: object: equal(level, critical) ^ less than(creation, 2008/01/01)
• Action:
– the action (or class of actions) that is allowed or denied.
– Example: action: read
LBAC: Architecture
Interactions among the four entities (User, Business Application, Access Control Engine and Location Service Provider) are carried out via request/response messages.
LBAC: Architecture
Step 1: The user submits an access request to the Business Application.
Step 2: Negotiation to exchange the data relevant to the policy evaluation.
Step 3: The request is sent to the ACE, which interacts with the LBS (steps 4 to 7).
Step 8: The ACE evaluates the policies.
Steps 9 and 10: The ACE returns an access decision.
Communication between the ACE and the LSP may be driven by an SLA negotiation phase (step 5). This negotiation is used to agree upon and set quality of service attributes and the corresponding cost.
LBAC: Location-based Predicates
• Position-based conditions
• Movement-based conditions
• Interaction-based conditions
– Verification of these predicates depends on the accuracy of the location technology.
– It requires a Service Level Agreement (SLA).
– Location predicates are evaluated to either true or false, together with a confidence value and a timeout.
– Example: inarea(Kamal, "Ramna Park") = {True, 0.9, "14/04/2016 11:30am"}
LBAC: Models of Policy Rules
• Access control rule = {subj_expr, obj_expr, action}
where
– subj_expr is the conditional expression for subjects, where conditions can evaluate the user's profile/properties, the user's membership in a group, active roles, and so on;
– obj_expr is the conditional expression for objects, where conditions evaluate membership of the object in categories, values of metadata, and so on; and
– action is a privilege mode.
LBAC Policy Evaluation and Enforcement
• Access request = {user id, SIM, action, object id}
• Example:
– AR = {2345, 90900000, read, 67890}, where 67890 is the Doc ID
• Rule: any citizen whose age is greater than 55 years and who is inside Bangladesh can read a particular doc.
• Access control policy = {subj expr, obj expr, action}
• First, the Access Control Engine evaluates the policy P, collecting the set A of all rules in P that are applicable to the request.
• The set A of applicable rules contains those rules r ∈ P for which action(r) corresponds to the action specified in the access request, and the object id satisfies the conditions specified in obj-expr(r).
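The rule applicability step described above, as an added Python example (not code from the lecture): rules and the request AR are dictionaries, the expressions use the slides' predicate names, and the policy, object metadata and attribute values are constructed for illustration.

```python
"""Added example (not from the lecture): select the set A of rules applicable
to an LBAC access request AR = {user id, SIM, action, object id}. A rule r is
applicable when action(r) equals the requested action and the requested object
satisfies obj-expr(r); subj-expr and location predicates are checked afterwards.
Policy rules, object metadata and identifiers below are constructed."""
from datetime import date
import operator

# Predicate names used on the slides, mapped to Python comparison operators.
_OPS = {"equal": operator.eq, "greater than": operator.gt, "less than": operator.lt}


def holds(expr, attrs):
    """Evaluate a conjunction of (predicate, attribute, value) triples, e.g.
    equal(job, Professor) ^ greater than(age, 35), against an attribute
    dictionary. A missing attribute makes the whole conjunction false."""
    for pred, attr, value in expr:
        if attr not in attrs or not _OPS[pred](attrs[attr], value):
            return False
    return True


def applicable_rules(policy, request, objects):
    """Return the names of rules r in P with action(r) == requested action and
    obj-expr(r) satisfied by the metadata of the requested object id."""
    obj_attrs = objects[request["object id"]]
    return [r["name"] for r in policy
            if r["action"] == request["action"] and holds(r["obj_expr"], obj_attrs)]


# Constructed policy P using the expression forms shown on the slides.
POLICY = [
    {"name": "r1", "action": "read",                    # citizens over 55, from
     "subj_expr": [("greater than", "age", 55)],        # inside Bangladesh, may
     "obj_expr": [("equal", "doc_id", 67890)],          # read document 67890
     "location": ("inarea", "Bangladesh")},
    {"name": "r2", "action": "read",
     "subj_expr": [("equal", "job", "Professor"), ("greater than", "age", 35)],
     "obj_expr": [("equal", "level", "critical"),
                  ("less than", "creation", date(2008, 1, 1))],
     "location": None},
    {"name": "r3", "action": "write",
     "subj_expr": [], "obj_expr": [("equal", "doc_id", 67890)], "location": None},
]
# Constructed object metadata and the access request AR from the slide.
OBJECTS = {67890: {"doc_id": 67890, "level": "public", "creation": date(2010, 5, 1)}}
AR = {"user id": 2345, "SIM": 90900000, "action": "read", "object id": 67890}

if __name__ == "__main__":
    print(applicable_rules(POLICY, AR, OBJECTS))  # ['r1']
```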
LBAC Policy Evaluation and Enforcement
• For evaluation, the Access Control Engine submits the query to the Location Service Provider and waits for its response.
• The LSP returns the result in the form {Boolean value, confidence, timeout}.
• Given the response, the ACE determines whether or not the value returned by the Location Service can be considered valid for the purpose of controlling access.
• Such an evaluation depends on the timeout and confidence parameters returned by the LSP.
• For responses with an expired timeout, the engine automatically triggers re-evaluation of the predicate regardless of the other parameter values.
• For unexpired responses, the engine evaluates the response with respect to the confidence value.
• The evaluation maintains an extended truth table that records the acceptable confidence level for each predicate as minimum and maximum thresholds.
• If the confidence level in the response is greater than the maximum threshold in the truth table, the returned value is confirmed.
• If the confidence level is less than the minimum threshold, the returned value is evaluated to false.
• If the returned confidence level falls between the minimum and maximum thresholds, the engine submits a re-evaluation query to the LSP, since it is not clear whether the returned result is reliable enough.
• The truth table for each predicate also maintains the maximum number of retries for the evaluation.
LBAC Policy Evaluation and Enforcement
Example: A user sends a request = {user id, SIM, action, object id}.
The ACE sends a request to the LSP: inarea(Kamal, GPDC, Dhaka).
LSP response = [True, 0.85, 2009-01-20 09:00pm]
Suppose that for the inarea predicate the lower and upper thresholds are 0.2 and 0.8, respectively, and that inarea(Kamal, GPDC) = [True, 0.85, 2009-01-20 09:00pm] is the triple returned by the LSP to the ACE, stating that the requesting user is located in the Data Center of GP (GPDC) with a confidence of 85%.
Such an assessment is to be considered valid until 9:00pm on January 20th, 2009.
The ACE evaluates inarea(Kamal, GPDC, Dhaka) to True, since 0.85 > 0.80.
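The confidence and timeout evaluation described above, as an added Python example (not code from the lecture): a constructed list of LSP responses stands in for live queries, the 0.2/0.8 thresholds and the 0.85 response are the slide's values, and the evaluation time of 8:00pm, the retry budget of 3 and the conservative False on retry exhaustion are assumptions.

```python
"""Added example (not from the lecture): how the Access Control Engine (ACE)
turns an LSP response [value, confidence, timeout] into a decision using the
extended truth table (per-predicate min/max confidence thresholds and a
maximum retry count). LSP responses are constructed; thresholds 0.2/0.8 and
the 0.85 response reproduce the slide's inarea(Kamal, GPDC, Dhaka) example."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class LspResponse:
    value: bool          # Boolean result of the predicate as measured
    confidence: float    # LSP's confidence in that result, 0..1
    timeout: datetime    # instant after which the measurement is stale


# Extended truth table: predicate -> (min_threshold, max_threshold, max_retries).
TRUTH_TABLE = {"inarea": (0.2, 0.8, 3)}   # retry budget of 3 is an assumption


def evaluate_predicate(predicate, responses, now, table=TRUTH_TABLE):
    """Decide a location predicate from successive LSP responses (a constructed
    list standing in for live queries; the last entry repeats if exhausted).
    Expired timeout -> re-query regardless of confidence; confidence > max ->
    the measured value is confirmed; confidence < min -> False; otherwise the
    result is not clearly reliable, so re-query up to max_retries times.
    Returns (decision, number_of_queries); exhausting the retries yields False."""
    min_t, max_t, max_retries = table[predicate]
    for attempt in range(max_retries + 1):
        resp = responses[min(attempt, len(responses) - 1)]
        if resp.timeout <= now:        # stale measurement: re-evaluate
            continue
        if resp.confidence > max_t:    # reliable: keep the measured value
            return resp.value, attempt + 1
        if resp.confidence < min_t:    # unreliable: predicate evaluates to False
            return False, attempt + 1
        # min_t <= confidence <= max_t: uncertain, ask the LSP again
    return False, max_retries + 1


# Slide example: [True, 0.85, 2009-01-20 09:00pm], evaluated by the ACE at 8:00pm.
SLIDE = [LspResponse(True, 0.85, datetime(2009, 1, 20, 21, 0))]
NOW = datetime(2009, 1, 20, 20, 0)

if __name__ == "__main__":
    print(evaluate_predicate("inarea", SLIDE, NOW))  # (True, 1)
```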
