Access Control: Policies, Models, and Mechanisms

  • Pierangela Samarati
  • Sabrina Capitani de Vimercati
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2171)


Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. The access control decision is enforced by a mechanism implementing regulations established by a security policy. Different access control policies can be applied, corresponding to different criteria for defining what should, and what should not, be allowed, and, in some sense, to different definitions of what ensuring security means. In this chapter we investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration. We discuss several access control policies, and models formalizing them, that have been proposed in the literature or that are currently under investigation.


Keywords: Access Control, Trojan Horse, Access Control Policy, Access Control Model, Covert Channel



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Pierangela Samarati, Dipartimento di Tecnologie dell'Informazione, Università di Milano, Crema (CR), Italy
  • Sabrina Capitani de Vimercati, Dip. di Elettronica per l'Automazione, Università di Brescia, Brescia, Italy
