From Access Control Models to Access Control Metamodels: A Survey

  • Nadine KashmarEmail author
  • Mehdi Adda
  • Mirna Atieh
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)


Access control (AC) is a computer security requirement used to control, in a computing environment, what the user can access, when and how. Policy administration is an essential feature of an AC system. As the number of computers are in hundreds of millions, and due to the different organization requirements, applications and needs, various AC models are presented in literature, such as: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), etc. These models are used to implement organizational policies that prevent the unauthorized disclosure of sensitive data, protecting the data integrity, and enabling secure access and sharing of information. Each AC model has its own methods for making AC decisions and policy enforcement. However, due to the diversity of AC models and the various concerns and restrictions, its essential to find AC metamodels with higher level of abstraction. Access control metamodels serve as a unifying framework for specifying any AC policy and should ease the migration from an AC model to another. This study reviews existing works on metamodels descriptions and representations. But, are the presented metamodels sufficient to handle the needed target of controlling access especially in the presence of the current information technologies? Do they encompass all features of other AC models? In this paper we are presenting a survey on AC metamodels.


Metamodel Model Access control Policy Security 



We acknowledge the support of the Natural Sciences and Engineering Research Council of Canada (NSERC), [funding reference number 06351].


  1. 1.
    Matt, B.: Introduction to Computer Security. Pearson Education India (2006)Google Scholar
  2. 2.
    De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: Access control: principles and solutions. Softw. Pract. Exp. 33(5), 397–421 (2003)Google Scholar
  3. 3.
    Hu, V.C., Kuhn, D.R., Ferraiolo, D.F.: Attribute-Based Access Control. Norwood, Artech House (2018)Google Scholar
  4. 4.
    Kayem, A.V., Akl, S.G., Martin, P.: A presentation of access control methods. In: Adaptive Cryptographic Access Control, pp. 11–40. Springer, Berlin (2010)Google Scholar
  5. 5.
    Ennahbaoui, M., Elhajji, S.: Study of access control models. In: Proceedings of the World Congress on Engineering (2013)Google Scholar
  6. 6.
    Ausanka-Crues, R.: Methods for access control: advances and limitations. Harvey Mudd Coll. 301, 20 (2001)Google Scholar
  7. 7.
    Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST model for role-based access control: towards a unified standard. In: ACM workshop on Role-Based Access Control (2000)Google Scholar
  8. 8.
    Crampton, J.: On permissions, inheritance and role hierarchies. In: Proceedings of the 10th ACM Conference on Computer and Communications Security. ACM (2003)Google Scholar
  9. 9.
    Belokosztolszki, A.: Role-based access control policy administration. University of Cambridge, Computer Laboratory (2004)Google Scholar
  10. 10.
    Zhang, C.N., Yang, C.: Designing a complete model of role-based access control system for distributed networks. J. Inf. Sci. Eng. 18(6), 871–889 (2002)Google Scholar
  11. 11.
    Kuhn, D.R., Coyne, E.J., Weil, T.R.: Adding attributes to role-based access control. Computer 43(6), 79–81 (2010)CrossRefGoogle Scholar
  12. 12.
    OrBAC: Organization Based Access Control. 2010; Available from:
  13. 13.
    Anderson, R.: Security Engineering. Wiley, New York (2008)Google Scholar
  14. 14.
    Rhodes-Ousley, M.: Information Security: The Complete Reference. McGraw Hill Education (2013)Google Scholar
  15. 15.
    Rajpoot, Q.M., Jensen, C.D., Krishnan, R.: Attributes enhanced role-based access control model. In: International Conference on Trust and Privacy in Digital Business. Springer, Berlin (2015)CrossRefGoogle Scholar
  16. 16.
    Onankunju, B.K.: Access control in cloud computing. Int. J. Sci. Res. Publ. 3(9), 1 (2013)Google Scholar
  17. 17.
    Hussain, S.: Access control in cloud computing environment. Int. J. Adv. Netw. Appl. 5(4), 2011 (2014)Google Scholar
  18. 18.
    Atzori, L., Iera, A., Morabito, G.: The internet of things: a survey. Comput. Netw. 54(15), 2787–2805 (2010)CrossRefGoogle Scholar
  19. 19.
    Liu, J., Xiao, Y., Chen, C.P.: Authentication and access control in the internet of things. In: 2012 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW). IEEE, New York (2012)Google Scholar
  20. 20.
    Zhang, Y., Kasahara, S., Shen, Y., Jiang, X., Wan, J.: Smart Contract-Based Access Control for the Internet of Things (2018). arXiv preprint arXiv:1802.04410
  21. 21.
    Rajpoot, Q.M., Jensen, C.D., Krishnan, R.: Integrating attributes into role-based access control. In: IFIP Annual Conference on Data and Applications Security and Privacy. Springer, Berlin (2015)CrossRefGoogle Scholar
  22. 22.
    Assar, S.: Meta-modeling: concepts, tools and applications. In: IEEE 9th International Conference on Research Challenges in Information Science, IEEE RCIS 2015, Athens, Greece; Available from:
  23. 23.
    Sprinkle, J., Rumpe, B., Vangheluwe, H., Karsai, G.: 3 Metamodelling. In: Model-Based Engineering of Embedded Real-Time Systems, pp. 57–76. Springer, Berlin (2010)CrossRefGoogle Scholar
  24. 24.
    Korman, M., Lagerström, R., Ekstedt, M.: Modeling enterprise authorization: a unified metamodel and initial validation. Complex Syst. Inf. Model. Q. 7, 1–24 (2016)Google Scholar
  25. 25.
    Abd-Ali, J., El Guemhioui, K., Logrippo, L.: A metamodel for hybrid access control policies. JSW 10(7), 784–797 (2015)CrossRefGoogle Scholar
  26. 26.
    Bertolissi, C., Fernández, M.: A metamodel of access control for distributed environments: applications and properties. Inf. Comput. 238, 187–207 (2014)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Bruneliere, H., Garcia, J., Desfray, P., Khelladi, D.E., Hebig, R., Bendraou, R., Cabot, J.: On lightweight metamodel extension to support modeling tools agility. In: European Conference on Modelling Foundations and Applications. Springer, Berlin (2015)CrossRefGoogle Scholar
  28. 28.
    Martínez, S., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Cabot, J.: Towards an access-control metamodel for web content management systems. In: International Conference on Web Engineering. Springer, Berlin (2013)CrossRefGoogle Scholar
  29. 29.
    Emig, C., Brandt, F., Abeck, S., Biermann, J., Klarl, H.: An access control metamodel for web service-oriented architecture (2007)Google Scholar
  30. 30.
    Martínez, S., Cabot, J., Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N.: A model-driven approach for the extraction of network access-control policies. In: Proceedings of the Workshop on Model-Driven Security. ACM (2012)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Université du Québec à RimouskiRimouskiCanada
  2. 2.Lebanese UniversityHadatLebanon

Personalised recommendations