Abstract
Many access control requirements cannot be automated using traditional mandatory access control (MAC) and discretionary access control (DAC) security mechanisms. Examples include user-attribute-based access control and owner-retained access control for handling specially marked data. While several researchers have identified the need for access controls that provide more flexibility than MAC and DAC, the proposed mechanisms for implementing these controls have several shortcomings. In this paper, we describe an access control mechanism that combines attribute certificates with mobile policy to overcome these shortcomings. Attribute certificates permit fine-grained authorisations based on user attributes, such as group membership, rank, and role. Mobile policies allow application-specific policies to move along with the object to other elements of the system. Mobile policies are expressed using an extension to a high-level definition language that we previously proposed in Reference [5].
Chapter PDF
Similar content being viewed by others
References
M. D. Abrams, “Renewed understanding of access control policies” Proc. National Computer Security Conf., 1993.
M. D. Abrams, K. E. Eggers, L. J. La Padula, and I. M. Olson, “A generalized framework for access control” Proc. National Computer Security Conf., October 1990.
M. D. Abrams, J. Heaney, O. King, L. J. La Padula, M. Lazear, and I. M. Olson, “Generalized framework for access control: Towards prototyping the ORCON policy” Proc. National Computer Security Conf., October 1991.
S. Chapin, S, Jajodia, and D. Faatz, “Distributed Policies for Data Management Making Policies Mobile” Proc. 14 th IFIP 11.3 Working Conference on Database Security, Schoorl, Netherlands, August 2000.
V. Doshi, A. Fayad, S, Jajodia, and R. Maclean, “Using Attribute Certificates and Mobile Policies in Electronic Commerce Applications” Proc. 16th Annual Computer Security Applications Conference, New Orleans, LA, December 2000.
S. Farrell and R. Housley, “An Internet Attribute Certificate Profile for Authorization” PKIX Working Group, Internet-Draft, March 2000.
T. D. Graubart, “on the need for a third form of access control” Proc. National Computer Security Conf., October 1989.
R. Housley, W. Ford, T. Polk, and D. Solo, “Internet Public Key Infrastructure-X.509 Certificate and CRL profile” RFC 2459, January 1999.
S. Jajodia, M. Kudo, and V. S. Subrahmanian, “Provisional authorizations” Proc. 1st Workshop on Security and Privacy in E-Commerce, Athens, Greece, November 2000.
S. Jajodia, P. Samarati, V. S. Subrahmanian, and E. Bertino, “A Unified Framework for Enforcing Multiple Access Control Policies” Proc. ACM SIGMOD Int’l. Conference on Management of Data, May 1997, pages 474–485.
S. Jajodia, P. Samarati, and V. S. Subrahmanian, “A logical language for expressing authorizations” Proc. IEEE Symp. on Research in Security and Privacy, Oakland, Calif., May 1997, pages 31–42.
C. J. McCollum, J. R. Messing, and L. Notargiacomo, “Beyond the Pale of MAC and DAC-Defining new forms of access control” Proc. IEEE Symp. on Security and Privacy, 1990, pages 190–200.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 IFIP International Federation for Information Processing
About this paper
Cite this paper
Fayad, A., Jajodia, S., Faatz, D., Doshi, V. (2001). Going Beyond MAC and DAC Using Mobile Policies. In: Dupuy, M., Paradinas, P. (eds) Trusted Information. SEC 2001. IFIP International Federation for Information Processing, vol 65. Springer, Boston, MA. https://doi.org/10.1007/0-306-46998-7_17
Download citation
DOI: https://doi.org/10.1007/0-306-46998-7_17
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7389-6
Online ISBN: 978-0-306-46998-5
eBook Packages: Springer Book Archive