Context-Based Access Control

Context-based access control addresses the need to limit access levels based on domain-specific constraints, such as the audience present, the networks utilized, the location occupied, etc.

Given two users, two resources, and access levels:

  o          .                   
 /|\ ------> ├── file1          o
 / \ ------> ├── file2 <------ /|\
             └── file3 <------ / \

User1        Resources        User2

If User1 and User2 are having a conversation, they are limited to discussing file2, since the intersection of their accesses excludes file1 and file3.

This also works for grantees that aren't users:

  o          .                 .~~~~~~.
 /|\ ------> ├── file1         ;      ;
 / \ ------> ├── file2 <------ ;      ;
             └── file3 <------ '~~~~~~'

User1        Resources        Office LAN

If User1 needs to access file2, the access must come from Office LAN, since file2 is the only resource in the intersection of their accesses.
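
The intersection rule from both diagrams, as an added Python example that is not part of the original page. It goes one step further and carries an access level per grant, taking the lowest level among everyone in the context; the level names, the grant values, and the "Guest WiFi" grantee are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):
    # Hypothetical access levels; the page does not name any.
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed grants mirroring the two diagrams (levels are assumed values).
GRANTS = {
    "User1": {"file1": Level.WRITE, "file2": Level.WRITE},
    "User2": {"file2": Level.READ, "file3": Level.READ},
    "Office LAN": {"file2": Level.WRITE, "file3": Level.READ},
}


def effective_access(context, grants=GRANTS):
    """Return {resource: level} allowed while every grantee in `context` is present.

    `context` lists all grantees involved in the request: users in the
    conversation, the network the request arrives on, and so on.
    """
    members = list(context)
    # Fail closed: an empty context or a grantee with no grant entry gets nothing.
    if not members or any(m not in grants for m in members):
        return {}
    # A resource is reachable only if every member of the context holds it.
    shared = set.intersection(*(set(grants[m]) for m in members))
    result = {}
    for resource in shared:
        # The most restricted member caps the level for the whole context.
        level = min(grants[m][resource] for m in members)
        if level > Level.NONE:
            result[resource] = level
    return result


def is_allowed(context, resource, wanted, grants=GRANTS):
    """True if `resource` may be used at level `wanted` in this context."""
    return effective_access(context, grants).get(resource, Level.NONE) >= wanted


if __name__ == "__main__":
    print(effective_access(["User1", "User2"]))       # conversation diagram
    print(effective_access(["User1", "Office LAN"]))  # network diagram
    print(effective_access(["User1", "Guest WiFi"]))  # unknown network: denied
```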