Data Structures for Constraint Enforcement in Role-Based Systems

Constraints are an important aspect of role-based models. Several types of constraints, such as separation of duty constraints, cardinality constraints and temporal constraints have been identified in the literature. Although the specification of constraints has received significant research interest, there has been little work on the development of an efficient constraint enforcement model. In particular there does not exist a model for the data structures that are referenced and maintained by the constraint enforcement mechanism. In this paper, we define a formal model for such data structures that record salient information to be used by the constraint enforcement mechanism. We introduce the concept of a constraint evaluation structure that is used by the constraint enforcement mechanism to determine whether granting a request would violate a constraint. Two particular constraint evaluation structures form part of the runtime model we introduce in order to enforce dynamic constraints.