Copyright © 2012 Open Geospatial Consortium
This short introduction to the central idea behind tagging-based rights models shows that a right in such a model is defined in three steps: assign a subject-tag, assign a resource-tag, and authorize a strategy (cf. Figure 4). Depending on the requirements of the use case, these three right-definition steps can be performed by different groups of administrators on different organizational levels.
[Figure 4 (entity-relationship diagram): entities Subject (Subject-Id), Clearance-Tag (Clearance-Tag-Id), Resource (Resource-Id), Classification-Tag (Classification-Tag-Id), Action (Action-Id) and Strategy; relationships "assign" (Subject to Clearance-Tag, Resource to Classification-Tag) and "authorized".]
Figure 4: Conceptual design of a tagging-based rights model
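The three definition steps described above, as an added Python example that is not code from the OGC document (the class, method names and the sample subjects, resources and tags are assumptions made here): subject administrators assign clearance-tags, resource administrators assign classification-tags, and a third step authorizes (clearance-tag, classification-tag, action) triples as the strategy. A request is permitted only if some tag pair held by the subject and the resource is covered by the strategy; subjects or resources without tags match nothing and are therefore denied.

```python
"""Added example, not code from OGC 11-086r1r1: a minimal tagging-based rights
model. The class name, method names and all sample identifiers below are
assumptions made for this illustration."""
from typing import Dict, Set, Tuple


class TaggingRightsModel:
    """A right is defined in three steps, each of which can be owned by a
    different group of administrators on a different organizational level."""

    def __init__(self) -> None:
        self.subject_tags: Dict[str, Set[str]] = {}   # Subject-Id -> Clearance-Tag-Ids
        self.resource_tags: Dict[str, Set[str]] = {}  # Resource-Id -> Classification-Tag-Ids
        # Strategy: the authorized (Clearance-Tag, Classification-Tag, Action) triples
        self.strategy: Set[Tuple[str, str, str]] = set()

    # Step 1 (e.g. identity administrators): assign subject-tags.
    def assign_subject_tag(self, subject_id: str, clearance_tag: str) -> None:
        self.subject_tags.setdefault(subject_id, set()).add(clearance_tag)

    # Step 2 (e.g. data owners): assign resource-tags.
    def assign_resource_tag(self, resource_id: str, classification_tag: str) -> None:
        self.resource_tags.setdefault(resource_id, set()).add(classification_tag)

    # Step 3 (e.g. security officers): authorize a strategy, i.e. which tag
    # combinations may perform which action.
    def authorize(self, clearance_tag: str, classification_tag: str, action: str) -> None:
        self.strategy.add((clearance_tag, classification_tag, action))

    def is_authorized(self, subject_id: str, resource_id: str, action: str) -> bool:
        """Permit only if some (subject-tag, resource-tag) pair held by the subject
        and the resource is authorized for the action; untagged subjects or
        resources match nothing and are denied (default deny)."""
        for clearance_tag in self.subject_tags.get(subject_id, ()):
            for classification_tag in self.resource_tags.get(resource_id, ()):
                if (clearance_tag, classification_tag, action) in self.strategy:
                    return True
        return False


def build_sample_model() -> TaggingRightsModel:
    """Constructed sample data (not taken from the document)."""
    model = TaggingRightsModel()
    model.assign_subject_tag("alice", "clearance:confidential")
    model.assign_subject_tag("bob", "clearance:public")
    model.assign_resource_tag("layer:flood-risk", "classification:confidential")
    model.assign_resource_tag("layer:base-map", "classification:public")
    model.authorize("clearance:confidential", "classification:confidential", "GetMap")
    model.authorize("clearance:confidential", "classification:public", "GetMap")
    model.authorize("clearance:public", "classification:public", "GetMap")
    return model


if __name__ == "__main__":
    m = build_sample_model()
    for subject, resource in [("alice", "layer:flood-risk"), ("bob", "layer:flood-risk")]:
        print(subject, resource, "GetMap", "->", m.is_authorized(subject, resource, "GetMap"))
```

Each of the three administration steps touches only its own table, which is what allows the steps to be delegated to different administrator groups; the decision function is the only place that joins them.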
6.1.4 Rule-based Rights Models
In a rule-based¹ rights model, authorizations are defined through (Condition, Effects) tuples called access control rules. The condition part defines the applicability of a rule: if a rule’s condition expression evaluates to ‘true’ in a given context, its effects are incorporated when calculating the authorization decision.
The access control process in an access control system using a rule-based rights model can be summarized as follows. Based on an interaction attempt, the access control system generates an authorization decision request (ADR) that defines the current evaluation context of the access control system. While evaluating the ADR, the access control system has to determine which of the access control rules are applicable in the given evaluation context. After identifying the applicable rules, their effects are combined and an authorization decision response is calculated.
This rough overview of the access control process in rule-based access control systems shows that every rule-based rights model also requires a corresponding evaluation context model. The more information the evaluation context model includes, the more powerful the access rules that can be defined. Evaluation context models can be designed to be very application-specific or very generic; Figure 5 shows a very generic evaluation context model.
¹ Some literature uses the synonymous term attribute-based rights model. We do not use this term, which misses the point: ‘attribute’ is a synonym for information, and it is meaningless to highlight that rights refer to some information entities, as they always do.
OGC 11-086r1r1
[Figure 5 (entity-relationship diagram): entities Evaluation Context, Category, Attribute (Attribute-Id, DataType, AttributeValue) and XML-Doc; relationships "has-Category" and "defined-by".]
Figure 5: Conceptual design of a generic evaluation context model
In addition to the design of a conceptual and logical evaluation context model, a suitable rule-based rights model needs to be developed. Figure 6 shows an example of a conceptual rule-based rights model. The visualized model supports the definition of access control rules that must have an effect of permit or deny, called the sign of a rule. Additionally, each rule can optionally have functional effects. These functional effects can, e.g., cause the rewrite of an intercepted message (cf. 8.3.2) or imply the augmentation of the evaluation context by external data needed to calculate an authorization decision (cf. 8.3.3).
A condition expression of an access control rule is composed of literal-, pointer- and function-expressions. Pointers are used to refer to information items in the authorization decision request. Rule-Container entities are “buckets” that can hold any number of rule and rule-Container entities. Every rule-Container also has an assigned condition expression that defines the applicability of the container. Rule-Container entities can, e.g., be used to structure the policy in order to enhance the performance of the access control process, among various other reasons.
[Figure 6 (entity-relationship diagram): entities Rule-Container (Container-Id, Combining-Algorithm), Rule (Rule-Id, Issuer, Sign), Condition-Expression with its specializations Literal-Expression, Pointer-Expression and Function-Expression (Arguments), and Effect; relationships "has", "part-of" and "is-a".]
Figure 6: Conceptual design of access control rules and rule-Containers
After the development of a suitable conceptual evaluation context model and a corresponding conceptual rule model, these models have to be mapped to a suitable logical representation. A very expressive and popular logical evaluation context and rule model is, e.g., defined in the eXtensible Access Control Markup Language (XACML) OASIS specification [6].
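The access control process and the conceptual rule model of this section, carried through as an added Python example (not code from the OGC document and not an XACML implementation): a generic evaluation context of categories and attributes, condition expressions built from literal-, pointer- and function-expressions, rules with a sign of permit or deny and an optional functional effect, and rule-Containers with their own applicability condition and a combining algorithm. The class names, the small function vocabulary, the "deny-overrides"/"permit-overrides" combining algorithms, the sample policy and the sample requests are all assumptions made for this illustration, as is the choice to hand functional effects to the enforcement point only when the final decision is permit.

```python
"""Added example, not code from OGC 11-086r1r1 or XACML: a small rule-based
rights model with a generic evaluation context, rules carrying a sign
(permit/deny) and an optional functional effect, and rule containers with a
combining algorithm. Class names, the function vocabulary and the sample
policy and request data are assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple, Union


class EvaluationContext:
    """Categories (subject, resource, action, ...) holding Attribute-Id -> value;
    functional effects of applicable rules are collected in `effects`."""
    def __init__(self, categories: Dict[str, Dict[str, Any]]) -> None:
        self.categories = categories
        self.effects: List[str] = []


# Condition expressions are composed of literal-, pointer- and function-expressions.
@dataclass
class Literal:
    value: Any

    def evaluate(self, ctx: EvaluationContext) -> Any:
        return self.value


@dataclass
class Pointer:  # refers to an information item of the authorization decision request
    category: str
    attribute_id: str

    def evaluate(self, ctx: EvaluationContext) -> Any:
        return ctx.categories.get(self.category, {}).get(self.attribute_id)


FUNCTIONS: Dict[str, Callable[..., Any]] = {  # assumed function vocabulary
    "equal": lambda a, b: a == b,
    "not-equal": lambda a, b: a != b,
    "in": lambda a, b: a in b,
    "and": lambda *args: all(args),
}


@dataclass
class FunctionExpr:
    name: str
    arguments: List[Expression]

    def evaluate(self, ctx: EvaluationContext) -> Any:
        return FUNCTIONS[self.name](*(a.evaluate(ctx) for a in self.arguments))


Expression = Union[Literal, Pointer, FunctionExpr]


@dataclass
class Rule:
    rule_id: str
    condition: Expression
    sign: str                                # "permit" or "deny"
    functional_effect: Optional[str] = None  # e.g. a message-rewrite instruction


@dataclass
class RuleContainer:
    container_id: str
    condition: Expression      # applicability of the whole container
    combining_algorithm: str   # "deny-overrides" or "permit-overrides"
    members: List[Union[Rule, RuleContainer]] = field(default_factory=list)


def combine(decisions: List[str], algorithm: str) -> str:
    """Combine the effects of the applicable rules into one decision."""
    first, second = ("deny", "permit") if algorithm == "deny-overrides" else ("permit", "deny")
    if first in decisions:
        return first
    return second if second in decisions else "not-applicable"


def decide(node: Union[Rule, RuleContainer], ctx: EvaluationContext) -> str:
    """A rule or container applies only if its condition evaluates to True."""
    if node.condition.evaluate(ctx) is not True:
        return "not-applicable"
    if isinstance(node, Rule):
        if node.functional_effect:
            ctx.effects.append(node.functional_effect)
        return node.sign
    return combine([decide(m, ctx) for m in node.members], node.combining_algorithm)


# Constructed sample policy: analysts may GetMap (with a rewrite effect), but
# restricted resources are denied to anyone without "secret" clearance.
POLICY = RuleContainer("wms-policy", Literal(True), "deny-overrides", members=[
    Rule("permit-getmap-for-analysts", FunctionExpr("and", [
        FunctionExpr("in", [Pointer("subject", "role"), Literal(["analyst", "admin"])]),
        FunctionExpr("equal", [Pointer("action", "action-id"), Literal("GetMap")])]),
         "permit", functional_effect="rewrite: clip request to area of responsibility"),
    Rule("deny-restricted-without-clearance", FunctionExpr("and", [
        FunctionExpr("equal", [Pointer("resource", "classification"), Literal("restricted")]),
        FunctionExpr("not-equal", [Pointer("subject", "clearance"), Literal("secret")])]), "deny"),
])


def evaluate_request(role: str, clearance: str, classification: str, action: str) -> Tuple[str, List[str]]:
    """Generate the ADR for an interaction attempt; return the decision and the
    functional effects the enforcement point must apply (only on permit)."""
    ctx = EvaluationContext({"subject": {"role": role, "clearance": clearance},
                             "resource": {"classification": classification},
                             "action": {"action-id": action}})
    decision = decide(POLICY, ctx)
    return decision, (ctx.effects if decision == "permit" else [])
```

Evaluating `evaluate_request("analyst", "none", "restricted", "GetMap")` makes both rules applicable; the container's deny-overrides algorithm lets the deny win and the permit rule's rewrite effect is dropped. A request matching no rule yields "not-applicable", which an enforcement point should treat as deny.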
6.1.5 Role-based Rights Models