Rumpole: An Introspective Break-Glass Access Control Language

Access control policies define what resources can be accessed by which subjects and under which conditions. It is, however, often not possible to anticipate all subjects that should be permitted access and the conditions under which they should be permitted. For example, predicting and correctly encoding all emergency and exceptional situations is impractical. Traditional access control models simply deny all requests that are not permitted, and in doing so may cause unpredictable and unacceptable consequences. To overcome this issue, break-glass access control models permit a subject to override an access control denial if he accepts a set of obligatory actions and certain override conditions are met. Existing break-glass models are limited in how the override decision is specified. They either grant overrides for a predefined set of exceptional situations, or they grant unlimited overrides to selected subjects, and as such, they suffer from the difficulty of correctly encoding and predicting all override situations and permissions. To address this, we develop Rumpole, a novel break-glass language that explicitly represents and infers knowledge gaps and knowledge conflicts about the subject's attributes and the contextual conditions, such as emergencies. For example, a Rumpole policy can distinguish whether or not it is known that an emergency holds. This leads to a more informed decision for an override request, whereas current break-glass languages simply assume that there is no emergency if the evidence for it is missing. To formally define Rumpole, we construct a novel many-valued logic programming language called Beagle. It has a simple syntax similar to that of Datalog, and its semantics is an extension of Fitting's bilattice-based semantics for logic programs. Beagle is a knowledge non-monotonic langauge, and as such, is strictly more expressive than current many-valued logic programming languages.