Computing Reviews

A formal proximity model for RBAC systems
Gupta A., Kirkpatrick M., Bertino E. Computers and Security 41: 52-67, 2014. Type: Article
Date Reviewed: 08/22/14

Gupta et al. claim that role-based access control (RBAC) for the mobile and ubiquitous computing environment needs further constraints, such as a relative distance (proximity) of two roles, in allowing access to resources. For instance, a manager can access a special bank account only if there is a supervisor within 20 meters. This kind of proximity constraint (that is, relative distance between entities) is generalized to include geographical proximity, temporal proximity, social proximity, cyber proximity, and attribute proximity.

The formalization of a proximity model considers the proximity tuple that includes a role, feature types to measure the proximity, and proximity constraints. For instance, only a member of a dating social site who is in the same profession as me and is no more than ten years older than me can view my profile page. This is specified with 〈Member, {profession, age}, C1C2〉. The constraint C1 specifies the distance metric (that is, ten years older than me), and the constraint C2 specifies the same profession as me.
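The two examples in this review (the supervisor within 20 meters and the dating-site tuple) written as an evaluable policy check; this is an added illustration, not code from the paper or the review. The class and function names, the planar coordinates in meters, the reading of C1 and C2 as a conjunction, and the fail-closed handling of a feature that was never gathered are assumptions.

```python
from dataclasses import dataclass
from math import dist

@dataclass(frozen=True)
class Subject:
    roles: frozenset
    features: dict          # feature type -> current value

@dataclass(frozen=True)
class ProximityTuple:
    role: str               # role the other subject must hold
    feature_types: tuple    # features the constraints measure
    constraints: tuple      # predicates over (reference, other) feature dicts

    def holds(self, reference: Subject, other: Subject) -> bool:
        if self.role not in other.roles:
            return False
        # Fail closed if a required feature was not gathered for either party.
        for f in self.feature_types:
            if f not in reference.features or f not in other.features:
                return False
        return all(c(reference.features, other.features) for c in self.constraints)

def someone_nearby(pt: ProximityTuple, requester: Subject, others) -> bool:
    """True if at least one other subject satisfies the tuple relative to requester."""
    return any(pt.holds(requester, o) for o in others)

# <Member, {profession, age}, C1 C2>: the dating-site example (assumed: both must hold).
C1 = lambda me, viewer: viewer["age"] - me["age"] <= 10        # at most ten years older
C2 = lambda me, viewer: viewer["profession"] == me["profession"]
PROFILE_VIEW = ProximityTuple("Member", ("profession", "age"), (C1, C2))

# A supervisor within 20 meters: the bank-account example.
NEAR = lambda a, b: dist(a["location"], b["location"]) <= 20.0
BANK_ACCESS = ProximityTuple("Supervisor", ("location",), (NEAR,))

# Constructed sample subjects.
me = Subject(frozenset({"Member"}), {"profession": "nurse", "age": 30})
peer = Subject(frozenset({"Member"}), {"profession": "nurse", "age": 38})
older = Subject(frozenset({"Member"}), {"profession": "nurse", "age": 45})
no_age = Subject(frozenset({"Member"}), {"profession": "nurse"})
manager = Subject(frozenset({"Manager"}), {"location": (0.0, 0.0)})
sup_near = Subject(frozenset({"Supervisor"}), {"location": (12.0, 9.0)})   # 15 m away
sup_far = Subject(frozenset({"Supervisor"}), {"location": (30.0, 40.0)})   # 50 m away
```
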

The paper also presents enforcement architectures for the proposed formal proximity-based RBAC model. The challenges include gathering features and efficiently activating the right roles for the user. The proximity features (location, temporal, social, cyber, and attribute) depend on how frequently and how accurately the relative proximity data are collected. The model not only has to authenticate the system user with respect to the relevant features (for example, location, cyber session), but also has to keep track of the relevant features of another role (for example, a senior role) and its contextual history. The model’s safety analysis focuses on replay attacks and illegal access by external adversaries. I wonder if the attack scenarios are complete or not. There may be inherent and more challenging attacks related to the proximity access control model.

Reviewer:  Soon Ae Chun Review #: CR142645 (1411-0971)

Reproduction in whole or in part without permission is prohibited.   Copyright 2024 ComputingReviews.com™