OGC 11-086r1r1 Copyright © 2012 Open Geospatial Consortium 29

6.2.8 Support of positive and negative rights

The definition of an access control policy can be simplified if the used rights model supports the definition of positive i.e. access permitting and negative access denying rights. By combining positive and negative rights it is easy to implement exceptional rules. One could e.g. define a positive right that allows subjects over 21 to use a certain service and additionally one could specify a negative right that denies Alice who is over 21 to use this service. Without the support of rights with different signs and the introduction of intended runtime conflicts, existing rights might need to be changed in order to implement exceptional rules. While this is a valid and recommended approach it might not always be the first choice, as it can imply complex administrative tasks. Further this approach requires that the existing rights can be freely updated. This is often not the case as certain parts of the policy can be included by reference or have been defined by administrators of other administrative domains and are therefore marked read only.

6.3 Evaluation of rights models in the OWS use case

In the following subsections we analyze which of the rights models introduced in section 6.1 allow the definition of all types of rights required in the OWS use case cp. 6.2.

6.3.1 Suiteability of SAR-based models

SAR-based models support the definition of rights that refer to individual resources of different classes. However they do not support the definition of rights that refer to subjects, actions and resources with specific properties. Rights are tuples that refer to the ids of subjects, actions and resources and there is no mean to define conditions on the attributes of these entities. Another disadvantage is the fact that SAR-based models do not support the definition of rights that refer to environment states and to arguments of service requests with certain properties.

6.3.2 Suiteability of view-based models

Opposed to SAR-based models, View-based models support the definition of rights that refer to fine-grained resources with certain properties. However they still suffer from the other conceptual weaknesses of SAR-based models. It is not possible to express rights that refer to subjects, actions, environment states and request arguments with certain properties. Another disadvantage is that the realization of the view concept is often only possible within a data base management system as it would otherwise imply very high view maintenance costs. This conflicts with the principle that security should be achieved through security services that are loosely coupled with the application cp. 7.1. 30 Copyright © 2012 Open Geospatial Consortium

6.3.3 Suiteability of tagging-based models

In order to use a tagging-based model it must be possible to tag the resources with security markup. This assumption is problematic in the “access control for OGC Web Services” use case. If the service that needs to be protected belongs to another security domain, one cannot add security tags to the resources served by this service. Further resources that are inserted or generated in real time e.g. by an OGC Sensor Observation Service do not have assigned security tags yet. Further tagging-based models do not support the definition of rights that refer to request arguments and environment states with certain properties. Another disadvantage is the fact, that all resources have to be tagged individually which does not scale very well and causes an unacceptable administrative overhead when e.g. protecting WFS instances serving millions of features. Note that an automated tagging mechanism based on rules i.e. the translation of right conditions to resource-ids is in general not an applicable solution as the automatically generated tags would have to be recalculated after every update of the resource, subject or environment state attributes.

6.3.4 Suiteability of rule-based models