International Journal of Computer Science and Information Technologies
Access control policies are generally modeled using permission, prohibition, and obligation rules. However, this does not cover all possible scenarios as several applications have recommendation rules. In this paper, the authors provide a formal framework to express and to enforce recommendations. More precisely, their framework allows to express recommendation rules that become requirements over time. Furthermore, they give the specification of the policy controller behavior in charge of evaluating such a policy. Basically, in their formalization, a recommendation is associated with three conditions.