MACOW Ξ Mandatory Access Control on Open Worlds


The architecture provided on MACOW can be depicted on the following figure.

As is shown in the figure, PEP entities are in charge of provide knowledge and current state of the different controlled elements on the information system. PEP elements send knowledge over a publication/subscription platform by means of the Event Manager communication broker.

PIP entity acts as a knowledge repository collecting current states of all controlled elements on the information system. Thus, PIP contains knowledge provided from all PEPs updated.

Morever, PEP entities are also in charge of enforcing PDP access control decisions. Then, when a user is trying to access to a controlled elements, PEP sent a request to PDP entity. Then, PDP retrieves current system state form PIP and applies semantic rules which determine MACOW behaviour. As a result, PDP provides whether the access attempt has been authored or not. Then, PEP block or authorized the access to managed element according to this PDP statement.

Notice that PDP enables to retrieve knowledge from different administrative domains when collaborative scenarios are stablished such as coalition and federation scenarios. This knowledge will be alligned on the local domain by means of the alligment features provided on OWL and will be used to share knowledge among different administrative domains.