19.3.1 Location-based Access Control Architecture

In a LBAC scenario, there are more parties involved than in conventional access control systems. A LBAC system evaluating a policy does not have direct access to location information; rather, it sends location requests to external services, called location services (LSs), and waits for the corresponding answers [6]. The characteristics of these location services will depend on the communication environment where the user transaction takes place. Here, we focus on the mobile network, where location service is provided by mobile phone operators. Typically, a LBAC scenario involves the following three entities (see Figure 19.1).

User. It is the entity whose access request to a service must be authorized by a LBAC system. We make no assumption about users, besides the fact that they carry terminals enabling authentication and some form of location verification.


Figure 19.1 Basic location-based access control architecture.

Access control engine (ACE). It is the entity that implements the LBAC system. It is responsible for evaluating access requests according to some policies containing location-based conditions. The ACE must communicate with a location service for acquiring location information, and it is not restricted to a particular access control model and authorization language.

Location service

Get Mobile Intelligence now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.