Rumpole: A Flexible Break-glass Access Control Model

Srdjan Marinovic, Robert Craven, Jiefei Ma, and Naranker Dulay

Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (SACMAT), 2011

DOI: 10.1145/1998441.1998453

Used by the ALLOW Ensembles project

Access control operates under the assumption that it is possible to correctly encode and predict all subjects’ needs and rights. However, in human-centric pervasive domains, such as health care, it is hard, if not impossible, to encode all emergencies and exceptions, and to imagine a priori all the permissible requests. Break-glass is an approach that embodies the idea that under certain conditions it is possible for a subject to break the glass and explicitly override the denied request. Current break-glass models make this decision without considering and investigating what the reasons for issuing the denial are, and they have a fixed decision procedure to determine whether the override is permitted. Furthermore, they do not explicitly represent and reason over conflicting and missing information about subjects and the context, which in human-centric pervasive domains is the norm rather than an anomaly. This paper presents a novel break-glass model, Rumpole, that structures a break-glass policy by establishing why the access was denied. It uses Belnap’s four-valued logic to represent conflicting and missing (unknown) information, allowing the policy to make a more informed decision when faced with missing or inconsistent knowledge. The model also provides a declarative query language that is used to specify an explicit break-glass decision procedure, rather than having an implicitly hard-coded one. This allows a policy writer to further condition and restrict when and how break-glass access is permitted.