In information systems, subjects (users or processes) access objects (data or processes). The types of access include: see (learn of the existence of an object), read, change, extend, delete, and control (change the access rights for an object). Access control tries to distinguish between allowed and forbidden access, based on the assumption that forbidden access can be prevented effectively; this assumption can be justified by physical inaccessibility of the system, a trusted computing base (TCB, the security kernel of the operating system), proper user identification via strong authentication, and cryptographic means.
Access control is specified by way of an access matrix [a1], [a4], whose rows correspond to subjects, whose columns correspond to objects, and whose cells contain the corresponding set of rights. The access matrix describes a set of relations between the (not necessarily disjoint) sets of subjects and objects; these relations have to be consistent, in particular transitively closed on the intersection of the two sets, i.e. for those entities (such as processes) that are both subjects and objects. The ultimate goal of such a formal specification is the verifiability of a concrete implementation; several approaches are presented in [a1].
Equivalent ways of specifying access control are:
access control lists (ACL) associated with each object, corresponding to the columns of the access matrix;
capabilities (C-lists) associated with each subject, corresponding to the rows of the access matrix. In order to simplify the access matrix, subjects as well as objects may be collected into groups, based on the equivalence relation of having identical capabilities (for subjects) or identical access control lists (for objects).
The main types of access control are:
1) discretionary access control (DAC) [a2]: Each object has an owner (a subject that has the access right "control");
2) mandatory access control (MAC) [a2]: The access right "control" does not exist; access rights are predefined according to a global policy;
3) role-based access control (RBAC, discretionary or mandatory) [a3]: A subject may belong to several groups depending on its current role; it does not get the union of all the corresponding rights but only the rights of the group it is currently acting in.
An access matrix describes a state of an information system. For a model of a system with dynamically changing access rights one introduces time dependency, state transition operators, and information flow control, see [a1].
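The access matrix, its two equivalent views (ACL as column, capability list as row), the grouping of subjects with identical capabilities, the DAC "control" right and the RBAC rule above, as an added Python example that is not part of the article; all subjects, objects, roles and rights are constructed for illustration.

```python
from collections import defaultdict

# Constructed access matrix: rows are subjects, columns are objects,
# cells are sets of rights. "control" = may change the rights on that object.
MATRIX = {
    "alice": {"report": {"see", "read", "change", "control"}, "log": {"see", "read"}},
    "bob":   {"report": {"see", "read"}, "log": {"see", "read"}},
    "dave":  {"report": {"see", "read"}, "log": {"see", "read"}},
    "audit": {"report": {"see", "read"}, "log": {"see", "read", "extend"}},
}

def acl(matrix, obj):
    """Access control list of obj: the column of the matrix (subject -> rights)."""
    return {s: row[obj] for s, row in matrix.items() if row.get(obj)}

def capabilities(matrix, subj):
    """Capability list of subj: the row of the matrix (object -> rights)."""
    return {o: r for o, r in matrix.get(subj, {}).items() if r}

def groups(matrix):
    """Partition subjects into classes with identical capability lists."""
    classes = defaultdict(list)
    for s in matrix:
        key = frozenset((o, frozenset(r)) for o, r in capabilities(matrix, s).items())
        classes[key].append(s)
    return sorted(sorted(g) for g in classes.values())

def allowed(matrix, subj, obj, right):
    """Reference-monitor decision: is `right` in the cell (subj, obj)?"""
    return right in matrix.get(subj, {}).get(obj, set())

def dac_grant(matrix, grantor, grantee, obj, right):
    """DAC: only a subject holding 'control' on obj may change its rights
    (under MAC no subject holds 'control', so this always fails)."""
    if not allowed(matrix, grantor, obj, "control"):
        return False
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(right)
    return True

# RBAC (constructed roles): a subject in several roles gets only the rights
# of the role it is currently acting in, not the union over all its roles.
ROLE_RIGHTS = {"clerk": {"report": {"see", "read"}},
               "auditor": {"log": {"see", "read", "extend"}}}
MEMBERSHIP = {"carol": {"clerk", "auditor"}}

def rbac_allowed(subj, active_role, obj, right):
    if active_role not in MEMBERSHIP.get(subj, set()):
        return False
    return right in ROLE_RIGHTS[active_role].get(obj, set())
```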
[a1] D. Denning, "Cryptography and data security", Addison-Wesley (1982)
[a2] Department of Defense, "Trusted computer system evaluation criteria", DoD 5200.28-STD (1983)
[a3] D.F. Ferraiolo, D.R. Kuhn, "Role-based access controls", Proc. 15th NIST-NSA Nat. Computer Security Conf., Baltimore, Md., Sept. 20-23, 1992 (1992)
[a4] K. Pommerening, "Datenschutz und Datensicherheit", BI-Wissenschaftsverlag (1991)
Access control. Klaus Pommerening (originator), Encyclopedia of Mathematics. URL: http://www.encyclopediaofmath.org/index.php?title=Access_control&oldid=17569