Access Control: Principles and Practice

Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security.

Ravi S. Sandhu and Pierangela Samarati

The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security. This article explains access control and its relationship to other security services such as authentication, auditing, and administration. It then reviews the access matrix model and describes different approaches to implementing the access matrix in practical systems, and follows with a discussion of access control policies commonly found in current systems, and a brief consideration of access control administration.

Access Control and Other Security Services

Access control relies on and coexists with other security services in a computer system (Fig. 1). Access control is concerned with limiting the activity of legitimate users. It is enforced by a reference monitor which mediates every attempted access by a user (or program executing on behalf of that user) to objects in the system. The reference monitor consults an authorization database in order to determine if the user attempting to do an operation is actually authorized to perform that operation. Authorizations in this database are administered and maintained by a security administrator. The administrator sets these authorizations on the basis of the security policy of the organization. Users may also be able to modify some portion of the authorization database, for instance, to set permissions for their personal files.
Auditing monitors and keeps a record of relevant activity in the system.

Figure 1 is a logical picture of security services and their interactions. It should not be interpreted literally. For instance, as we will see later, the authorization database is often stored with the objects being protected by the reference monitor rather than in a physically separate area. The picture is also somewhat idealized in that the separation between authentication, access control, auditing and administration services may not always be as clear as this picture indicates. This separation is considered highly desirable but is not always fully implemented in every system.

It is important to make a clear distinction between authentication and access control. Correctly establishing the identity of the user is the responsibility of the authentication service. Access control assumes that authentication of the user has been successfully verified prior to enforcement of access control through the reference monitor. The effectiveness of the access control rests on a proper user identification and on the correctness of the authorizations governing the reference monitor.

Readers are surely familiar with the process of signing on to a computer system by providing an identifier and a password. In a networked environment authentication becomes more difficult for several reasons. If intruders can observe network traffic they can replay authentication protocols in order to masquerade as legitimate users. Also, computers on the network need to mutually authenticate each other. In this article we assume that authentication has been correctly achieved and focus on what happens after that. For a discussion of authentication in distributed systems readers are referred to [1, 2].

It is also important to understand that access control is not a complete solution for securing a system; it must be coupled with auditing. Audit controls concern a posteriori analysis of all the requests and activities of users in the system. Auditing requires the registration (logging) of all user requests and activities for their later examination. Audit controls are useful both as a deterrent (users may be discouraged from attempting violations if they know all their requests are being tracked) as well as a means to analyze the users' behavior in the system to find out about possible attempted or actual violations. Moreover, auditing can be useful for determining possible flaws in the security system. Finally, auditing is essential to ensure that authorized users do not misuse their privileges, in other words, to hold users accountable for their actions. Note that effective auditing requires that good authentication be in place.

Figure 1. Access control and other security services.

IEEE Communications Magazine • September 1994 © IEEE

In access control systems a distinction is generally made between policies and mechanisms. Policies are high-level guidelines that determine how accesses are controlled and access decisions determined. Mechanisms are low-level software and hardware functions that can be configured to implement a policy. Security researchers have sought to develop access control mechanisms that are largely independent of the policy for which they could be used. This is a desirable goal in order to allow reuse of mechanisms that serve a variety of security purposes. Often, the same mechanisms can be used in support of secrecy, integrity, or availability objectives. On the other hand, sometimes the policy alternatives are so many and diverse that system implementors feel compelled to choose one in preference to the others. In general, there do not exist policies that are "better" than others; rather, there exist policies that ensure more protection than others. However, not all systems have the same protection requirements. Policies suitable for a given system may not be suitable for another. For instance, very strict access control policies, which are critical to some systems, may be inappropriate for environments where users require greater flexibility. The choice of access control policy depends on the particular characteristics of the environment to be protected.

The Access Matrix

Security researchers have developed a number of abstractions over the years in dealing with access control. Perhaps the most fundamental of these is the realization that all resources controlled by a computer system can be represented by data stored in objects (e.g., files). Therefore protection of objects is the crucial requirement, which in turn facilitates protection of other resources controlled via the computer system. (Of course, these resources must also be physically protected so that they cannot be manipulated directly, bypassing the access controls of the computer system.)

Activity in the system is initiated by entities known as subjects. Subjects are typically users or programs executing on behalf of users. A user may sign on to the system as different subjects on different occasions, depending on which privileges the user wishes to exercise in a given session. For example, a user working on two different projects may sign on for the purpose of working on one project or the other. We then have two subjects corresponding to this user, depending on the project the user is currently working on.

A subtle point that is often overlooked is that subjects can themselves be objects. A subject can create additional subjects in order to accomplish its task. The children subjects may be executing on various computers in a network. The parent subject will usually be able to suspend or terminate its children as appropriate. The fact that subjects can be objects corresponds to the observation that the initiator of one operation can be the target of another.
(In network parlance subjects are sometimes called initiators, and objects are sometimes called targets.)

The subject-object distinction is basic to access control. Subjects initiate actions or operations on objects. These actions are permitted or denied in accord with the authorizations established in the system. Authorization is expressed in terms of access rights or access modes. The meaning of access rights depends upon the object in question. For files the typical access rights are read, write, execute, and own. The meaning of the first three of these is self-evident. Ownership is concerned with controlling who can change the access permissions for the file. An object such as a bank account may have access rights inquiry, credit, and debit corresponding to the basic operations that can be performed on an account. These operations would be implemented by application programs, whereas for a file the operations would typically be provided by the operating system.

The access matrix is a conceptual model that specifies the rights that each subject possesses for each object. There is a row in this matrix for each subject and a column for each object. Each cell of the matrix specifies the access authorized for the subject in the row to the object in the column. The task of access control is to ensure that only those operations authorized by the access matrix actually get executed.

Figure 2. An access matrix (subjects John, Alice and Bob; objects File 1 to File 4, Account 1 and Account 2; rights R, W, Own, Inquiry, Credit and Debit).

Figure 3. Access control lists for files in Fig. 2.
This is achieved by means of a reference monitor, which is responsible for mediating all attempted operations by subjects on objects. Note that the access matrix model clearly separates the problem of authentication from that of authorization.

An example of an access matrix is shown in Fig. 2, where the rights R and W denote read and write, respectively, and the other rights are as discussed above. The subjects shown here are John, Alice and Bob. There are four files and two accounts. This matrix specifies that, for example, John is the owner of File 1 and can read and write that file, but John has no access to File 2 or File 4. The precise meaning of ownership varies from one system to another. Usually the owner of a file is authorized to grant other users access to the file, as well as revoke access. Since John owns File 1 he can give Alice the R right and Bob the R and W rights, as shown in Fig. 2. John can later revoke one or more of these rights at his discretion.

The access rights for the accounts illustrate how access can be controlled in terms of abstract operations implemented by application programs. The Inquiry operation is similar to read in that it retrieves information but does not change it. Both the credit and debit operations will involve reading the previous account balance, adjusting it as appropriate and writing it back. The programs which implement these operations require read and write access to the account data. Users, however, are not allowed to read and write the account object directly. They can manipulate account objects only indirectly via application programs which implement the debit and credit operations.

Also note that there is no own right for accounts. Objects such as bank accounts do not really have an owner who can determine the access of other subjects to the account. Clearly the user who establishes the account at the bank should not be the one to decide who can access the account. Within the bank different officials can access the account on the basis of their job functions in the organization.

Implementation Approaches

In a large system the access matrix will be enormous in size, and most of its cells are likely to be empty.
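The following is an added example, not code from the article: a sparse access matrix, a reference monitor that mediates every operation against it, an ownership check on who may change a file's permissions, and account operations implemented by application programs that hold the read/write access the users themselves lack. The file rights follow Table 1 of the article; the account cells, balances and the names AccessMatrix, ReferenceMonitor and AccountPrograms are constructed for this example.

```python
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised by the reference monitor when the matrix holds no matching right."""


@dataclass
class AccessMatrix:
    """Sparse access matrix: cells[subject][object] is a set of rights.
    A missing cell means no rights, the common case in a large system."""
    cells: dict = field(default_factory=dict)

    def grant(self, subject, obj, *rights):
        self.cells.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def revoke(self, subject, obj, *rights):
        self.cells.get(subject, {}).get(obj, set()).difference_update(rights)

    def rights(self, subject, obj):
        return frozenset(self.cells.get(subject, {}).get(obj, set()))


@dataclass
class ReferenceMonitor:
    """Mediates every attempted operation by consulting the authorization
    database (the matrix). Authentication is assumed to have already happened:
    the subject name passed in is taken as verified."""
    matrix: AccessMatrix

    def check(self, subject, right, obj):
        if right not in self.matrix.rights(subject, obj):
            raise AccessDenied(f"{subject} lacks {right!r} on {obj}")

    def owner_grant(self, owner, grantee, obj, *rights):
        """Only the owner of a file may change who can access it."""
        self.check(owner, "own", obj)
        self.matrix.grant(grantee, obj, *rights)

    def owner_revoke(self, owner, grantee, obj, *rights):
        self.check(owner, "own", obj)
        self.matrix.revoke(grantee, obj, *rights)


class AccountPrograms:
    """Application programs implementing the abstract account operations.
    The program, not the user, touches the raw balance; the monitor checks the
    user's abstract right (inquiry/credit/debit) before the program proceeds."""

    def __init__(self, monitor, balances):
        self.monitor = monitor
        self.balances = balances  # raw account data; no user right maps to it directly

    def inquiry(self, user, acct):
        self.monitor.check(user, "inquiry", acct)
        return self.balances[acct]

    def credit(self, user, acct, amount):
        self.monitor.check(user, "credit", acct)
        self.balances[acct] += amount
        return self.balances[acct]

    def debit(self, user, acct, amount):
        self.monitor.check(user, "debit", acct)
        if amount > self.balances[acct]:
            raise ValueError("insufficient funds")
        self.balances[acct] -= amount
        return self.balances[acct]


def build_fig2_matrix():
    """File rights as listed in Table 1 of the article; account cells are
    constructed for this example (the article's Fig. 2 is not reproduced here)."""
    m = AccessMatrix()
    table1 = [
        ("John", "File 1", ("own", "read", "write")),
        ("John", "File 3", ("own", "read", "write")),
        ("Alice", "File 1", ("read",)),
        ("Alice", "File 2", ("own", "read", "write")),
        ("Alice", "File 3", ("write",)),
        ("Alice", "File 4", ("read",)),
        ("Bob", "File 1", ("read", "write")),
        ("Bob", "File 2", ("read",)),
        ("Bob", "File 4", ("own", "read", "write")),
    ]
    for subject, obj, rights in table1:
        m.grant(subject, obj, *rights)
    m.grant("John", "Account 1", "inquiry", "credit")          # constructed
    m.grant("Alice", "Account 1", "inquiry", "debit")          # constructed
    m.grant("Bob", "Account 2", "inquiry", "credit", "debit")  # constructed
    return m


def demo():
    """Run the checks the article describes and return the outcomes."""
    matrix = build_fig2_matrix()
    monitor = ReferenceMonitor(matrix)
    out = {}

    def attempt(fn, *args):
        try:
            fn(*args)
            return True
        except AccessDenied:
            return False

    out["john_writes_file1"] = attempt(monitor.check, "John", "write", "File 1")
    out["john_reads_file2"] = attempt(monitor.check, "John", "read", "File 2")
    # Ownership: Alice (not the owner) cannot change File 1's permissions; John can.
    out["alice_revokes"] = attempt(monitor.owner_revoke, "Alice", "Bob", "File 1", "write")
    monitor.owner_revoke("John", "Bob", "File 1", "write")
    out["bob_file1"] = matrix.rights("Bob", "File 1")
    # Accounts: the balance is reachable only through the application programs.
    programs = AccountPrograms(monitor, {"Account 1": 100, "Account 2": 50})
    out["balance_after_credit"] = programs.credit("John", "Account 1", 25)
    out["john_debits"] = attempt(programs.debit, "John", "Account 1", 10)
    out["john_reads_account_raw"] = attempt(monitor.check, "John", "read", "Account 1")
    return out
```

Note that no subject holds a read or write right on an account: the raw balance is reached only by the credit and debit programs after the monitor has approved the user's abstract right, which is exactly the separation the article draws between file rights (enforced by the operating system) and account rights (enforced by application programs).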
Accordingly the access matrix is very rarely implemented as a matrix. We now discuss some common approaches to implementing the access matrix in practical systems.

Access Control Lists

A popular approach to implementing the access matrix is by means of access control lists (ACLs). Each object is associated with an ACL, indicating for each subject in the system the accesses the subject is authorized to execute on the object. This approach corresponds to storing the matrix by columns. ACLs corresponding to the files in the access matrix of Fig. 2 are shown in Fig. 3. Essentially, the access matrix column for File 1 is stored in association with File 1, and so on.

By looking at an object's ACL it is easy to determine which modes of access subjects are currently authorized for that object. In other words, ACLs provide for convenient access review with respect to an object. It is also easy to revoke all accesses to an object by replacing the existing ACL with an empty one. On the other hand, determining all the accesses that a subject has is difficult in an ACL-based system. It is necessary to examine the ACL of every object in the system to do access review with respect to a subject. Similarly, if all accesses of a subject need to be revoked all ACLs must be visited one by one. (In practice revocation of all accesses of a subject is often done by deleting the user account corresponding to that subject. This is acceptable if a user is leaving an organization. However, if a user is reassigned within the organization it would be more convenient to retain the account and change its privileges to reflect the changed assignment of the user.)

Many systems allow group names to occur in ACLs. For example, an entry such as (ISSE, R) can authorize all members of the ISSE group to read a file. Several popular operating systems, such as UNIX and VMS, implement an abbreviated form of ACLs in which a small number, often only one or two, group names can occur in the ACL.
Individual subject names are not allowed. With this approach the ACL has a small fixed size so it can be stored using a few bits associated with the file. At the other extreme there are a number of access control packages that allow complicated rules in ACLs to limit when and how the access can be invoked. These rules can be applied to individual users or to all users who match a pattern defined in terms of user names or other user attributes.

Capabilities

Capabilities are a dual approach to ACLs. Each subject is associated with a list (called the capability list) that indicates, for each object in the system, which accesses the subject is authorized to execute on the object. This approach corresponds to storing the access matrix by rows. Figure 4 shows capability lists for the files in Fig. 2. In a capability list approach it is easy to review all accesses that a subject is authorized to perform, by simply examining the subject's capability list. However, determination of all subjects who can access a particular object requires examination of each and every subject's capability list. A number of capability-based computer systems were developed in the 1970s, but did not prove to be commercially successful. Modern operating systems typically take the ACL-based approach.

It is possible to combine ACLs and capabilities. Possession of a capability is sufficient for a subject to obtain access authorized by that capability. In a distributed system this approach has the advantage that repeated authentication of the subject is not required. This allows a subject to be authenticated once, obtain its capabilities and then present these capabilities to obtain services from various servers in the system. Each server may further use ACLs to provide finer-grained access control.

Figure 4. Capability lists for files in Fig. 2.

Authorization Relations

We have seen that ACL and capability-based approaches have dual advantages and disadvantages with respect to access review. There are representations of the access matrix that do not favor one aspect of access review over the other. For example, the access matrix can be represented by an authorization relation (or table) as shown in Table 1. Each row, or tuple, of this table specifies one access right of a subject to an object. Thus, John's accesses to File 1 require three rows. If this table is sorted by subject, we get the effect of capability lists. If it is sorted by object we get the effect of ACLs. Relational database management systems typically use such a representation.

Table 1. Authorization relation for files in Fig. 2.

Subject   Access mode   Object
John      Own           File 1
John      R             File 1
John      W             File 1
John      Own           File 3
John      R             File 3
John      W             File 3
Alice     R             File 1
Alice     Own           File 2
Alice     R             File 2
Alice     W             File 2
Alice     W             File 3
Alice     R             File 4
Bob       R             File 1
Bob       W             File 1
Bob       R             File 2
Bob       Own           File 4
Bob       R             File 4
Bob       W             File 4

Access Control Policies

We now discuss three policies that commonly occur in computer systems, as follows:

• Classical discretionary policies.
• Classical mandatory policies.
• The emerging role-based policies.

The qualifier "classical," added to the first two policies, reflects the fact that they have been recognized by security researchers and practitioners for a long time. In recent years there is increasing consensus that there are legitimate policies with aspects of both, leading to the emergence of role-based policies.

It should be noted that access control policies are not necessarily exclusive. Different policies can be combined to provide a more suitable protection system, as indicated in Fig. 5. Each of the three inner circles represents a policy that allows a subset of all possible accesses. When the policies are combined, only the intersection of the accesses is allowed. Such a combination of policies is relatively straightforward as long as there are no conflicts where one policy asserts that a particular access must be allowed while another one prohibits it.

Figure 5. Multiple access control policies.
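As an added example (not code from the article), the block below takes the authorization relation of Table 1 as the canonical form and derives from it the column-wise store (ACLs) and the row-wise store (capability lists). It then makes the access-review and revocation asymmetry concrete by counting how many ACLs must be visited to answer a per-subject question, and shows how a group entry of the form (ISSE, R) is honored at decision time. The group membership and the extra ACL entry used in the usage note are constructed for this example.

```python
from collections import defaultdict

# Authorization relation for the files of Fig. 2, as in Table 1 of the article:
# one (subject, right, object) tuple per authorized access.
AUTH_RELATION = frozenset({
    ("John", "Own", "File 1"), ("John", "R", "File 1"), ("John", "W", "File 1"),
    ("John", "Own", "File 3"), ("John", "R", "File 3"), ("John", "W", "File 3"),
    ("Alice", "R", "File 1"),
    ("Alice", "Own", "File 2"), ("Alice", "R", "File 2"), ("Alice", "W", "File 2"),
    ("Alice", "W", "File 3"), ("Alice", "R", "File 4"),
    ("Bob", "R", "File 1"), ("Bob", "W", "File 1"), ("Bob", "R", "File 2"),
    ("Bob", "Own", "File 4"), ("Bob", "R", "File 4"), ("Bob", "W", "File 4"),
})

# Group membership is constructed for this example; the article only mentions
# an ACL entry (ISSE, R) authorizing all members of group ISSE to read a file.
GROUPS = {"ISSE": {"Alice", "Bob"}}


def to_acls(relation):
    """Store the matrix by columns: object -> {subject or group: set of rights}."""
    acls = defaultdict(lambda: defaultdict(set))
    for subject, right, obj in relation:
        acls[obj][subject].add(right)
    return {obj: dict(entries) for obj, entries in acls.items()}


def to_capabilities(relation):
    """Store the matrix by rows: subject -> {object: set of rights}."""
    caps = defaultdict(lambda: defaultdict(set))
    for subject, right, obj in relation:
        caps[subject][obj].add(right)
    return {subject: dict(entries) for subject, entries in caps.items()}


def sort_relation(relation, by):
    """Sorted by object the relation reads like ACLs; by subject, like capability lists."""
    keys = {"object": lambda t: (t[2], t[0], t[1]),
            "subject": lambda t: (t[0], t[2], t[1])}
    return sorted(relation, key=keys[by])


def acl_allows(acls, groups, subject, right, obj):
    """Access decision against an object's ACL, honoring group entries."""
    entries = acls.get(obj, {})
    names = {subject} | {g for g, members in groups.items() if subject in members}
    return any(right in entries.get(name, set()) for name in names)


def review_object(acls, obj):
    """Access review with respect to an object: a single lookup in an ACL system."""
    return acls.get(obj, {})


def review_subject_via_acls(acls, subject):
    """Access review with respect to a subject in an ACL system: every object's
    ACL must be visited. Returns (accesses found, number of ACLs read)."""
    found, visited = {}, 0
    for obj, entries in acls.items():
        visited += 1
        if subject in entries:
            found[obj] = set(entries[subject])
    return found, visited


def review_subject_via_caps(caps, subject):
    """The same review with capability lists: a single lookup."""
    return caps.get(subject, {})


def revoke_object(acls, obj):
    """Revoke every access to an object: replace its ACL with an empty one."""
    acls[obj] = {}


def revoke_subject_via_acls(acls, subject):
    """Revoke every access of a subject in an ACL system: visit every ACL.
    Returns how many ACLs changed. (Deleting the user account is the usual
    shortcut, but it is wrong for a user who is merely reassigned.)"""
    changed = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            changed += 1
    return changed
```

With the four files of Table 1, review_subject_via_acls reports four ACL visits to learn that John can reach only File 1 and File 3, while review_subject_via_caps answers the same question from one row; sort_relation shows that both stores are just orderings of the same tuples.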
Such conflicts between policies need to be reconciled by negotiations at an appropriate level of management.

Classical Discretionary Policies

Discretionary protection policies govern the access of users to the information on the basis of the user's identity and authorizations (or rules) that specify, for each user (or group of users) and each object in the system, the access modes (e.g., read, write, or execute) the user is allowed on the object. Each request of a user to access an object is checked against the specified authorizations. If there exists an authorization stating that the user can access the object in the specific mode, the access is granted, otherwise it is denied.

The flexibility of discretionary policies makes them suitable for a variety of systems and applications. For these reasons, they have been widely used in a variety of implementations, especially in the commercial and industrial environments. However, discretionary access control policies have the drawback that they do not provide real assurance on the flow of information in a system. It is easy to bypass the access restrictions stated through the authorizations. For example, a user who is able to read data can pass it to other users not authorized to read it without the cognizance of the owner. The reason is that discretionary policies do not impose any restriction on the usage of information by a user once the user has received it, i.e., dissemination of information is not controlled. In contrast, dissemination of information is controlled in mandatory systems by preventing information stored in high-level objects to flow into low-level objects.

Discretionary access control policies based on explicitly specified authorizations are said to be …

Classical Mandatory Policies

… TS > S > C > U. Each security level is said to dominate itself and all others below it in this hierarchy. Access to an object by a subject is granted only if some relationship (depending on the type of access) is satisfied between the security levels associated with the two.
In particular, the following two principles are required to hold:

Read down — A subject's clearance must dominate the security level of the object being read.

Write up — A subject's clearance must be dominated by the security level of the object being written.

Satisfaction of these principles prevents information in high-level objects (i.e., more sensitive) to flow to objects at lower levels. The effect of these rules is illustrated in Fig. 6. In such a system information can only flow upwards or within the same security class.

It is important to understand the relationship between users and subjects in this context. Let us say that the human user Jane is cleared to S, and assume she always signs on to the system as an S subject (i.e., a subject with clearance S). Jane's subjects are prevented from reading TS objects by the read-down rule. The write-up rule, however, has two aspects that seem at first sight contrary to expectation.

• First, Jane's S subjects can write a TS object (even though they cannot read it). In particular, they can overwrite existing TS data and therefore destroy it. Due to this integrity concern, many systems for mandatory access control do not allow write-ups but limit writing to the same level as the subject. At the same time, write-up does allow Jane's S subjects to send e-mail to TS subjects and can have its benefits.

• Second, Jane's S subjects cannot write C or U data. This means, for example, that Jane can never send e-mail to C or U users. This is contrary to what happens in the paper world, where S users can write memos to C and U users. This seeming contradiction is easily eliminated by allowing Jane to sign on to the system as a C, or U subject as appropriate. During these sessions she can send electronic mail to C or U subjects, respectively.

In other words, a user can sign on to the system as a subject at a level dominated by the user's clearance. Why then bother to impose the write-up rule?

Figure 6. Controlling information flow for secrecy.
The main reason is to prevent malicious software from leaking secrets downward from S to U. Users are trusted not to leak such information, but the programs they execute do not merit the same degree of trust. For example, Jane signs onto the system at the U level, in which her subjects cannot read S objects and thereby cannot leak data from S to U. The write-up rule also prevents users from inadvertently leaking information from high to low.

In addition to hierarchical security levels, categories (e.g., Crypto, NATO, Nuclear) can also be associated with objects and subjects. In this case the classification labels associated with each subject and each object consist of a pair composed of a level and a set of categories. The set of categories associated with a user reflects the specific areas in which the user operates. The set of categories associated with an object reflects the areas to which information contained in the object is referred. The consideration of categories provides a finer-grained security classification. In military parlance categories enforce restriction on the basis of the need-to-know principle, i.e., a subject should be only given those accesses which are required to carry out the subject's responsibilities.

Mandatory access controls can also be applied for the protection of information integrity. For example, the integrity levels could be Crucial (C), Important (I), and Unknown (U). The integrity level associated with an object reflects the degree of trust that can be placed in the information stored in the object, and the potential damage that could result from unauthorized modification of the information. The integrity level associated with a user reflects the user's trustworthiness for inserting, modifying, or deleting data and programs at that level.
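The block below is an added example, not code from the article. It encodes labels as (level, set of categories) pairs with the dominance relation just described, implements the secrecy rules (read down, write up, with the common same-level-only variant for writes) and, ahead of the next section, the dual integrity rules (read up, write down) over the Crucial/Important/Unknown levels. It replays the Jane example, including signing on at a dominated level, and ends with a brute-force check over every label that the rules permit only one-directional flow. Names such as Label, secrecy_permits and sign_on are this example's own.

```python
from dataclasses import dataclass
from itertools import chain, combinations

SECRECY = {"U": 0, "C": 1, "S": 2, "TS": 3}   # Unclassified < Confidential < Secret < Top Secret
INTEGRITY = {"U": 0, "I": 1, "C": 2}          # Unknown < Important < Crucial
CATEGORIES = ("Crypto", "NATO", "Nuclear")     # need-to-know compartments named in the article


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()


def dominates(a, b, order):
    """a dominates b iff a's level is at least b's and a's categories include b's."""
    return order[a.level] >= order[b.level] and a.categories >= b.categories


def secrecy_permits(subject, obj, op, allow_write_up=True):
    """Read down / write up. With allow_write_up=False a subject may write only
    at its own label, the restriction many systems impose for integrity reasons."""
    if op == "read":
        return dominates(subject, obj, SECRECY)
    if op == "write":
        return dominates(obj, subject, SECRECY) if allow_write_up else obj == subject
    raise ValueError(f"unknown operation {op!r}")


def integrity_permits(subject, obj, op):
    """Read up / write down: the dual rules, with the flow direction reversed."""
    if op == "read":
        return dominates(obj, subject, INTEGRITY)
    if op == "write":
        return dominates(subject, obj, INTEGRITY)
    raise ValueError(f"unknown operation {op!r}")


def sign_on(clearance, requested):
    """A user may sign on as a subject at any label dominated by the clearance."""
    if not dominates(clearance, requested, SECRECY):
        raise PermissionError(f"{requested} is not dominated by clearance {clearance}")
    return requested


def jane_example():
    """The article's Jane: cleared to S. Returns what her sessions may do."""
    jane = Label("S")
    s_subject = sign_on(jane, Label("S"))
    u_subject = sign_on(jane, Label("U"))
    nato_s, crypto_s = Label("S", frozenset({"NATO"})), Label("S", frozenset({"Crypto"}))
    return {
        "S reads TS": secrecy_permits(s_subject, Label("TS"), "read"),
        "S writes TS": secrecy_permits(s_subject, Label("TS"), "write"),
        "S writes TS (no write-up)": secrecy_permits(s_subject, Label("TS"), "write", allow_write_up=False),
        "S writes U": secrecy_permits(s_subject, Label("U"), "write"),
        "U session writes U": secrecy_permits(u_subject, Label("U"), "write"),
        "U session reads S": secrecy_permits(u_subject, Label("S"), "read"),
        "S/NATO reads S/Crypto": secrecy_permits(nato_s, crypto_s, "read"),
    }


def all_labels(order):
    """Every (level, category subset) combination for the given level order."""
    subsets = list(chain.from_iterable(combinations(CATEGORIES, n) for n in range(len(CATEGORIES) + 1)))
    return [Label(level, frozenset(s)) for level in order for s in subsets]


def flow_is_one_directional(permits, order, direction):
    """Brute-force check of the one-directional flow property: whenever a
    subject may read src and write dst, dst dominates src (direction "up",
    secrecy) or src dominates dst (direction "down", integrity)."""
    labels = all_labels(order)
    for subject in labels:
        readable = [src for src in labels if permits(subject, src, "read")]
        writable = [dst for dst in labels if permits(subject, dst, "write")]
        for src in readable:
            for dst in writable:
                ok = dominates(dst, src, order) if direction == "up" else dominates(src, dst, order)
                if not ok:
                    return False
    return True
```

The flow check is the point of the example: it is not the read rule or the write rule alone but their combination on a single subject that bounds where information can travel, which is why the article insists on the write-up rule even though users could simply sign on at a lower level.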
Principles similar to those stated for secrecy are required to hold, as follows.

Read up — A subject's integrity level must be dominated by the integrity level of the object being read.

Write down — A subject's integrity level must dominate the integrity level of the object being written.

Satisfaction of these principles safeguards integrity by preventing information stored in low objects (and therefore less reliable) to flow to high objects (Fig. 7). Controlling information flow in this manner is but one aspect of achieving integrity. Integrity in general requires additional mechanisms, as discussed in [4, 5].

Note that the only difference between Figs. 6 and 7 is the direction of information flow, being bottom to top in the former case and top to bottom in the latter. In other words, both cases are concerned with one-directional information flow. The essence of classical mandatory controls is one-directional information flow in a lattice of security labels. For further discussion on this topic see [6].

Figure 7. Controlling information flow for integrity.

Role-Based Policies

The discretionary and mandatory policies discussed above have been recognized in official standards, notably the so-called Orange Book of the U.S. Department of Defense. A good introduction to the Orange Book and its evaluation procedures is given in [7].

There has been a strong feeling among security researchers and practitioners that many practical requirements are not covered by these classical discretionary and mandatory policies. Mandatory policies arise from rigid environments, like those of the military. Discretionary policies arise from cooperative yet autonomous requirements, like those of academic researchers. Neither requirement satisfies the needs of most commercial enterprises. Orange Book discretionary policy is too weak for effective control of information assets, whereas Orange Book mandatory policy is focused on the U.S. Government policy for confidentiality of classified information. (In practice the military often finds Orange Book mandatory policies to be too rigid and subverts them.)

Several alternatives to classical discretionary and mandatory policies have been proposed. These policies allow the specification of authorizations to be granted to users (or groups) on objects like in the discretionary approach, together with the possibility of specifying restrictions (like in the mandatory approach) on the assignment or on the use of such authorizations. One of the promising avenues receiving growing attention is that of role-based access control [8, 9].

Role-based policies regulate users' access to the information on the basis of the activities the users execute in the system. Role-based policies require the identification of roles in the system. A role can be defined as a set of actions and responsibilities associated with a particular working activity. Then, instead of specifying all the accesses each user is allowed to execute, access authorizations on objects are specified for roles. Users are given authorizations to adopt roles. A recent study by NIST confirms that roles are a useful approach for many commercial and government organizations [10].

The user playing a role is allowed to execute all accesses for which the role is authorized. In general, a user can take on different roles on different occasions. Also the same role can be played by several users, perhaps simultaneously. Some proposals for role-based access control allow a user to exercise multiple roles at the same time. Other proposals limit the user to only one role at a time, or recognize that some roles can be jointly exercised while others must be adopted in exclusion to one another. As yet there are no standards in this arena, so it is likely that different approaches will be pursued in different systems.

The role-based approach has several advantages. Some of these are discussed below.

Authorization management — Role-based policies benefit from a logical independence in specifying user authorizations by breaking this task into two parts, one which assigns users to roles and one which assigns access rights for objects to roles. This greatly simplifies security management. For instance, suppose a user's responsibilities change, say, due to a promotion. The user's current roles can be taken away and new roles assigned as appropriate for the new responsibilities. If all authorization is directly between users and objects, it becomes necessary to revoke all existing access rights of the user and assign new ones. This is a cumbersome and time-consuming task.

Hierarchical roles — In many applications there is a natural hierarchy of roles, based on the familiar principles of generalization and specialization. An example is shown in Fig. 8. Here the roles of hardware and software engineer are specializations of the engineer role. A user assigned to the role of software engineer (or hardware engineer) will also inherit privileges and permissions assigned to the more general role of engineer. The role of supervising engineer similarly inherits privileges and permissions from both software-engineer and hardware-engineer roles. Hierarchical roles further simplify authorization management.

Least privilege — Roles allow a user to sign on with the least privilege required for the particular task at hand. Users authorized to powerful roles do not need to exercise them until those privileges are actually needed. This minimizes the danger of damage due to inadvertent errors or by intruders masquerading as legitimate users.

Separation of duties — Separation of duties refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare them. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles that cannot be executed by the same user) or dynamically (by enforcing the control at access time). An example of dynamic separation of duty is the two-person rule. The first user to execute a two-person operation can be any authorized user, whereas the second user can be any authorized user different from the first.

Object classes — Role-based policies provide a classification of users according to the activities they execute. Analogously, a classification should be provided for objects. For example, generally a clerk will need to have access to the bank accounts, and a secretary will have access to the letters and memos (or some subset of them). Objects could be classified according to their type (letters, manuals) or to their application area (commercial letters, advertising letters). Access authorizations of roles should then be on the basis of object classes, not specific objects. For example, a secretary role can be given the authorization to read and write the entire class of letters, instead of giving it explicit authorization for each single letter. This approach has the advantage of making authorization administration much easier and better controlled. Moreover, the accesses authorized on each object are automatically determined according to the type of the object without need of specifying authorizations upon each object creation.

Administration of Authorization

Administrative policies determine who is authorized to modify the allowed accesses. This is one of the most important, and least understood, aspects of access controls.

In mandatory access control, the allowed accesses are determined entirely on the basis of the security classification of subjects and objects. Security levels are assigned to users by the security administrator. Security levels of objects are determined by the system on the basis of the levels of the users creating them. The security administrator is typically the only one who can change security levels of subjects or objects. The administrative policy is therefore very simple.
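As an added example, not code from the article, the block below puts the five role-based advantages discussed above into one small model: user-to-role and role-to-object-class assignment, the engineer hierarchy of Fig. 8 with inherited permissions, least privilege through per-session role activation, static separation of duties through conflicting roles, and the two-person rule as dynamic separation. The users, objects, specific permissions and the class names RBAC and TwoPersonOperation are constructed for this example.

```python
from collections import defaultdict


class RBAC:
    """Users hold roles; roles hold (right, object class) permissions; roles
    may specialize more general roles and inherit their permissions."""

    def __init__(self):
        self.parents = defaultdict(set)     # role -> roles it specializes
        self.role_perms = defaultdict(set)  # role -> {(right, object class)}
        self.user_roles = defaultdict(set)  # user -> assigned roles
        self.object_class = {}              # object -> object class
        self.conflicts = set()              # {frozenset({role_a, role_b})}

    def add_role(self, role, *inherits_from):
        self.parents[role].update(inherits_from)

    def grant(self, role, right, obj_class):
        self.role_perms[role].add((right, obj_class))

    def classify(self, obj, obj_class):
        self.object_class[obj] = obj_class

    def declare_conflict(self, role_a, role_b):
        """Static separation of duties: no user may hold both roles."""
        self.conflicts.add(frozenset((role_a, role_b)))

    def assign(self, user, role):
        for held in self.user_roles[user]:
            if frozenset((held, role)) in self.conflicts:
                raise ValueError(f"{user} cannot hold both {held!r} and {role!r}")
        self.user_roles[user].add(role)

    def closure(self, roles):
        """A set of roles plus everything they inherit from, transitively."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents[role])
        return seen

    def permissions(self, user, active_roles=None):
        """Least privilege: only roles activated for the session count.
        active_roles=None activates every assigned role."""
        assigned = self.user_roles[user]
        roles = assigned if active_roles is None else set(active_roles) & assigned
        return set().union(*(self.role_perms[r] for r in self.closure(roles)))

    def allowed(self, user, right, obj, active_roles=None):
        """Authorization is decided on the object's class, not the object."""
        return (right, self.object_class.get(obj)) in self.permissions(user, active_roles)


class TwoPersonOperation:
    """Dynamic separation of duties: completes only when a second authorized
    user, different from the first, approves."""

    def __init__(self, rbac, right, obj):
        self.rbac, self.right, self.obj, self.first = rbac, right, obj, None

    def approve(self, user):
        if not self.rbac.allowed(user, self.right, self.obj):
            raise PermissionError(f"{user} may not {self.right} {self.obj}")
        if self.first is None:
            self.first = user
            return False                  # waiting for a second approver
        if user == self.first:
            raise PermissionError("two-person rule: second approver must differ")
        return True                       # operation completes


def build_example():
    """Fig. 8's engineering hierarchy plus the article's paycheck and letters
    examples; users, objects and permissions are constructed here."""
    r = RBAC()
    r.add_role("engineer")
    r.add_role("hardware engineer", "engineer")
    r.add_role("software engineer", "engineer")
    r.add_role("supervising engineer", "hardware engineer", "software engineer")
    r.grant("engineer", "read", "design docs")
    r.grant("software engineer", "write", "source")
    r.grant("hardware engineer", "write", "schematics")
    r.grant("supervising engineer", "approve", "design docs")
    r.add_role("secretary")
    r.grant("secretary", "read", "letters")
    r.grant("secretary", "write", "letters")
    r.add_role("paycheck preparer")
    r.add_role("paycheck authorizer")
    r.grant("paycheck preparer", "prepare", "paychecks")
    r.grant("paycheck authorizer", "authorize", "paychecks")
    r.declare_conflict("paycheck preparer", "paycheck authorizer")
    for obj, cls in {"spec.doc": "design docs", "main.c": "source", "board.sch": "schematics",
                     "letter-42": "letters", "paycheck-7": "paychecks"}.items():
        r.classify(obj, cls)
    r.assign("sam", "software engineer")
    r.assign("sam", "hardware engineer")
    r.assign("sue", "supervising engineer")
    r.assign("sal", "secretary")
    r.assign("pat", "paycheck authorizer")
    r.assign("quinn", "paycheck authorizer")
    return r
```

Classifying a newly created letter as "letters" is all that is needed for the secretary role to cover it, and promoting sam means changing his roles, not touching any object's permissions.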
Discretionary access control permits a wide range of administrative policies. Some of these are described below.

Centralized — A single authorizer (or group) is allowed to grant and revoke authorizations to the users.

Hierarchical — A central authorizer is responsible for assigning administrative responsibilities to other administrators. The administrators can then grant and revoke access authorizations to the users of the system. Hierarchical administration can be applied, for example, according to the organization chart.

Cooperative — Special authorizations on given resources cannot be granted by a single authorizer but need the cooperation of several authorizers.

Ownership — A user is considered the owner of the objects he/she creates. The owner can grant and revoke access rights for other users to that object.

Decentralized — In decentralized administration the owner of an object can also grant other users the privilege of administering authorizations on the object.

Within each of these there are many possible variations.

Role-based access control has a similar wide range of possible administrative policies. In this case roles can also be used to manage and control the administrative mechanisms.

Delegation of administrative authority is an important area in which existing access control systems are deficient. In large distributed systems centralized administration of access rights is infeasible. Some existing systems allow administrative authority for a specified subset of the objects to be delegated by the central security administrator to other security administrators. For example, authority to administer objects in a particular region can be granted to the regional security administrator. This allows delegation of administrative authority in a selective, piecemeal manner. However, there is a dimension of selectivity that is largely ignored in existing systems. For instance, it may be desirable that the regional security administrator be limited to granting access to these objects only to employees who work in that region.
Control over the regional administrators can be centrally administered, but they can have considerable autonomy within their regions. This process of delegation can be repeated within each region to set up sub-regions, and so on.

Conclusion

Access control is required to achieve secrecy, integrity, or availability objectives. ACLs have been a popular approach for implementing the access matrix model in computer operating systems. Some systems approximate ACLs by limiting the granularity of ACL entries to one or two user groups. Other systems allow considerable sophistication. ACLs have disadvantages for access review and revocation on a per-subject basis, but on a per-object basis they are very good. More flexible representations such as authorization tables provide for superior management of access rights but are usually available only in database management systems. In a distributed system a combination of capabilities for coarse-grained control of access to servers, with ACLs or authorization tables for finer-grained controls within servers, is an attractive combination.

The classical distinction between mandatory and discretionary access control policies is a useful one. But these two policies do not solve many practical needs. Role-based access control policies offer an attractive alternative to the strict rigidity of traditional mandatory controls, while providing some of the flexibility inherent in discretionary controls. Effective decentralized administration of authorization is an area which could see improvement.

Finally, it is important to integrate computer and network (or communications) security more closely in order to develop a true discipline of information security. Although progress has been made, much remains to be done.

Acknowledgements

The authors thank the referees and editors for their comments, which have substantially improved the readability of this article. Giancarlo Martella of the University of Milan provided valuable feedback on early drafts of this paper. The work of Ravi Sandhu was partially supported by National Science Foundation grant CCR-9202270 and National Security Agency contract MDA904-92-C-5141. Ravi Sandhu is grateful to Dorothy Darnauer, Nathaniel Macon, Howard Stainer, and Mike Ware for making this work possible.
