Abstract
Access control is the process of controlling every request to a system and determining, based on specified rules (authorizations), whether the request should be granted or denied. The definition of an access control system is typically based on three concepts: access control policies, access control models, and access control mechanisms. In this chapter, we focus on the traditional access control models and policies. In particular, we review two of the most important policies: the discretionary and mandatory access control policies. We therefore start the chapter with an overview of the basic concepts on which access control systems are based. We then illustrate different traditional discretionary and mandatory access control policies and models that have been proposed in the literature, also investigating their low-level implementation in terms of security mechanisms.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
P. Samarati, S. De Capitani di Vimercati (2001). Access control: Policies, models, and mechanisms. In: R. Focardi, R. Gorrieri (eds.), Foundations of Security Analysis and Design. Springer-Verlag, New York.
R. Focardi, R. Gorrieri (1997). The compositional security checker: A tool for the verification of information flow security properties. IEEE Transaction Software Engineering, 23(9):550–571.
G.S. Graham, P.J. Denning (1972). Protection-principles and practice. In AFIPS Proc. of the Spring Jt. Computer Conference, Montvale, NJ, USA.
H.H. Harrison, W.L. Ruzzo, J.D. Ullman (1976). Protection in operating systems. Communications of the SCM, 19(8):461–471.
B.W. Lampson (1974). Protection. ACM Operating Systems Review, 8(1):18–24.
S. Jajodia, P. Samarati, M.L. Sapin, V.S. Subrahmanian (2001). Flexible support for multiple access control policies. ACM Transaction on Database Systems, 26(2):214–260.
T.F. Lunt (1988). Access control policies: Some unanswered questions. In Proc. of IEEE Computer Security Foundations Workshop II, Franconia, New Hampshire.
R.S. Sandhu (1993). Lattice-based access control models. IEEE Computer, 26(11):9–19.
D. Bell and L. LaPadula (1973). Secure computer systems: A mathematical model. Technical Report MTR-2547, Vol. 2, MITRE Corp., Bedford, MA.
D. Bell and L. LaPadula (1973). Secure computer systems: Mathematical foundations. Technical Report MTR-2547, Vol. 1, MITRE Corp., Bedford, MA.
D. Bell and L. LaPadula (1974). Secure computer systems: A refinement of the mathematical model. Technical Report MTR-2547, Vol. 3, MITRE Corp., Bedford, MA.
Bell D and LaPadula L (1975). Secure computer systems: Unified exposition and multics interpretation. Technical Report MTR-2997, Vol. 4, MITRE Corp., Bedford, MA.
K.J. Biba (1977). Integrity considerations for secure computer systems. Technical Report MTR-3153, rev., MITRE Corp., Vol. 1, Bedford, MA.
J.C. Wray (1991). An analysis of covert timing channels. In Proc. of the IEEE Symposium on Security and Privacy, Oakland, CA, USA.
J. McLean (1994). Security models. In: Marciniak J (ed.), Encyclopedia of Software Engineering. John Wiley & Sons.
J.A. Goguen, J. Meseguer (1984). Unwinding and inference control. In IEEE Symposium on Security and Privacy, Los Angeles, CA, USA.
S. Jajodia, R. Sandhu (1991). Toward a multilevel secure relational data model. In Proc. of the ACM SIGMOD Conference on Management of Data, Denver, CO, USA.
T.F. Lunt (1991). Polyinstantiation: An inevitable part of a multilevel world. In Proc. of the IEEE Workshop on Computer Security Foundations, Franconia, New Hampshire.
T.F. Lunt, D.E. Denning, R.P. Schell, M. Heckman, W.R. Shockley (1990). The seaview security model. IEEE Transaction on Software Engineering, 16(6):593–607.
R.S. Sandhu, S. Jajodia (1992). Polyinstantiation for cover stories. In Proc. 2nd European Symposium on Research in Computer Security — ESORICS’ 92, Toulouse, France.
P.P. Griffiths, B.W. Wade (1976). An authorization mechanism for a relational database system. ACM Transactions on Database Systems, 1(3):242–255.
Database language SQL-part 2: Foundation (SQL/foundation) (1999). ISO International Standard, ISO/IEC 9075:1999.
E. Bertino, P. Samarati, S. Jajodia (1997). An extended authorization model for relational databases. IEEE-TKDE, 9(1):85–101.
P. Bonatti, S. De Capitani di Vimercati, P. Samarati (2002). An algebra for composing access control policies. ACM Transactions on Information and System Security, 5(1):1–35.
L. Wang, D. Wijesekera, S. Jajodia (2004). A logic-based framework for attribute based access control. In Proc. of the 2004 ACM Workshop on Formal Methods in Security Engineering, Washington DC, USA.
E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, P. Samarati (2002). A fine-grained access control system for XML documents. ACM Transactions on Information and System Security, 5(2):169–202.
S. Godik, T. Moses (2003). eXtensible Access Control Markup Language (XACML) version 1.1. http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-1.1.pdf.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
De Capitani di Vimercati, S., Foresti, S., Samarati, P. (2007). Authorization and Access Control. In: Petković, M., Jonker, W. (eds) Security, Privacy, and Trust in Modern Data Management. Data-Centric Systems and Applications. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69861-6_4
Download citation
DOI: https://doi.org/10.1007/978-3-540-69861-6_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69860-9
Online ISBN: 978-3-540-69861-6
eBook Packages: Computer ScienceComputer Science (R0)