
Different Access Control Models

In document Grid Computing Security pdf (Page 79-82)


5.1.1 Different Access Control Models

Let me try to describe the different access control models based on my dilemma to read a book called The God of Small Things, by Arundhati Roy. I knew that my friend Bob owned it; however, I was not sure whether he would allow me to borrow the book, as access to the book was at his discretion. Similarly, I also knew that my aunt had borrowed the book from the local library. However, neither my aunt nor I knew the library policies regarding lending a borrowed book to someone else. Moreover, I knew that the local library had another copy. However, they had a graded book access policy, based on the donation one gives to the library. I was unsure about my role there too. This simple dilemma does bring out the different levels of access that the access provider has on the resource it controls. There are three main types of access control, namely Mandatory Access Control (MAC) [72,73], Discretionary Access Control (DAC) [74], and Role Based Access Control (RBAC) [75].

Mandatory Access Control (MAC)

One of the access control models is Mandatory Access Control (MAC), which is also known as Lattice Based Access Control (LBAC). In such an access control mechanism, access to objects or resources is expressed in terms of security labels attached to subjects and objects. A label on an object is called a security classification, and a label on a user is called a security clearance. A system following the MAC access control mechanism is similar to the library example where my aunt borrowed a book from the library. The book is the object or the resource, and my aunt and I are the subjects. The library may enforce a policy that library card holders (like my aunt) have higher clearance than nonholders (like me). Moreover, the books may have different classifications. For example, a manuscript may have a higher classification than a fiction book. Based on the subject clearance and object classification, the library can enforce stringent policies. Similar policies are generally enforced in a MAC system. Things become a little more complicated than above as there can be write policies, read policies, and so on. Generally a lattice of security labels is formed which determines the unidirectional information flow. Therefore, these types of access control mechanisms are also called Lattice Based Access Control (LBAC) [76, 77]. Depending on the nature of the lattice, the one-directional information flow enforced by MAC can be applied for confidentiality, integrity, or a combination of them. There are also variations of MAC schemes where the unidirectional information flow is partly relaxed to achieve selective downgrading of information or for integrity applications [72]. MAC schemes are generally used in high security environments where security clearances and classifications become very important for accessing objects or resources.
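The lattice described above can be made concrete in a few lines. The following is an added example written for this page, not code from the book or from any grid toolkit. It assumes a constructed set of levels (PUBLIC, MEMBER, RARE) and a single compartment ("archive"); the names ME, AUNT, CURATOR, FICTION and MANUSCRIPT are stand-ins for the subjects and objects of the library story. A label is a level plus a set of compartments, so two labels can be incomparable, which is what makes the structure a lattice rather than a simple ordering. The same dominance relation yields a confidentiality policy (no read up, no write down) or, with the direction of flow reversed, an integrity policy (no read down, no write up).

```python
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels for the library scenario (constructed for this example).
LEVELS = {"PUBLIC": 0, "MEMBER": 1, "RARE": 2}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of compartments.

    On an object it is the object's classification; on a subject it is the
    subject's clearance.  Labels are only partially ordered: two labels whose
    compartment sets are incomparable dominate neither each other.
    """
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: at least as high a level and a
        superset of the other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label data combined from both sources must carry."""
        top = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(top, self.compartments | other.compartments)


def allowed(subject: Label, obj: Label, op: str, policy: str = "confidentiality") -> bool:
    """Decide a read/write request under a one-directional information-flow policy.

    confidentiality (Bell-LaPadula style): information flows only upward, so a
        subject may read down (no read up) and write up (no write down).
    integrity (Biba style): the same lattice with the arrows reversed, so a
        subject may read up (no read down) and write down (no write up).
    """
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    if policy == "confidentiality":
        return subject.dominates(obj) if op == "read" else obj.dominates(subject)
    if policy == "integrity":
        return obj.dominates(subject) if op == "read" else subject.dominates(obj)
    raise ValueError(f"unknown policy {policy!r}")


# The library scenario from the text, encoded as labels (constructed values).
ME = Label("PUBLIC")                                  # non card-holder
AUNT = Label("MEMBER")                                # card-holder
CURATOR = Label("RARE", frozenset({"archive"}))       # hypothetical archive staff
FICTION = Label("PUBLIC")
MANUSCRIPT = Label("RARE", frozenset({"archive"}))    # higher classification


def library_decisions() -> dict:
    """Run the scenario and return the decision for each request."""
    return {
        "aunt reads fiction": allowed(AUNT, FICTION, "read"),
        "me reads manuscript": allowed(ME, MANUSCRIPT, "read"),
        "curator reads manuscript": allowed(CURATOR, MANUSCRIPT, "read"),
        # Confidentiality: a high-clearance subject may not write into a
        # low-classification object, or the manuscript's contents could leak.
        "curator writes fiction": allowed(CURATOR, FICTION, "write"),
        # Integrity: the arrows flip, so untrusted input may not be written
        # into a high-integrity object.
        "me writes manuscript (integrity)": allowed(ME, MANUSCRIPT, "write", "integrity"),
    }


if __name__ == "__main__":
    for request, decision in library_decisions().items():
        print(f"{request:36s} {'permit' if decision else 'deny'}")
```

Note that a subject cleared to RARE but without the "archive" compartment still cannot read the manuscript: level alone is not enough, which is the practical difference between a lattice and a linear ordering of clearances.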

Discretionary Access Control (DAC)

In Discretionary Access Control (DAC) mechanisms [73], the owner or the creator of the object has discretionary authority over who else can access the object. In the book dilemma that I had, Bob held the discretionary right to allow or disallow me from borrowing his book. In real life, such access controls exist everywhere, from files in operating systems to inviting people to marriage parties. Since the earliest formulation of DAC, several variations of the DAC policies have been developed, which are particularly concerned with how the owner's discretionary power can be delegated to other users, and how access can be revoked. Based on the research, several types of DAC mechanisms are possible:

• Strict DAC, where the owner is the only one who has discretionary authority to grant access to an object or resource and the ownership cannot be transferred. For example, in a strict DAC scenario, Bob is the only person to grant me the access to his book and in no way can he delegate the responsibility to anyone.

• In a Liberal DAC scenario, the owner can delegate responsibility for granting access to an object to other users. There can be different levels of delegation. For example, there can be only one level of delegation, where Bob delegates the responsibility for granting access to his book to Alice; however, Alice does not have the authority to delegate further. Alternatively, there can be multi-level delegation. As mentioned in Chap. 4, delegation assumes significant importance in a grid scenario.

• DAC with a change of ownership allows a user to transfer ownership of an object to another user. This is similar to Bob selling his book to me. After that it is my responsibility to grant rights and delegate authority to other users.
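The three DAC variants just listed differ only in who may exercise and pass on the owner's granting authority, which is easiest to see in code. The following is an added example written for this page, not code from the book or from any grid toolkit. DacRegistry, Resource, AccessDenied and the max_depth parameter are names chosen here: max_depth is the number of delegation levels the owner allows under liberal DAC (0 means the owner alone may grant, 1 means Bob may hand the right to Alice but Alice cannot hand it on), strict mode refuses delegation outright, and transfer moves ownership and wipes any delegated authority so that the new owner decides afresh. The resource and user names (bobs-book, bob, alice, me) are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


class AccessDenied(Exception):
    """Raised when the actor lacks the discretionary authority for an operation."""


@dataclass
class Resource:
    name: str
    owner: str
    mode: str = "strict"           # "strict" or "liberal" (hypothetical mode names)
    max_depth: int = 0             # liberal only: delegation levels the owner allows
    readers: Set[str] = field(default_factory=set)
    # delegates: user -> how many further levels that user may pass the grant right on
    delegates: Dict[str, int] = field(default_factory=dict)


class DacRegistry:
    """Owner-centred access control covering the three DAC variants in the text."""

    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}

    def create(self, name: str, owner: str, mode: str = "strict", max_depth: int = 0) -> Resource:
        if mode not in ("strict", "liberal"):
            raise ValueError(f"unknown DAC mode {mode!r}")
        self.resources[name] = Resource(name, owner, mode, max_depth)
        return self.resources[name]

    def _may_grant(self, res: Resource, actor: str) -> bool:
        return actor == res.owner or actor in res.delegates

    def grant(self, actor: str, name: str, grantee: str) -> None:
        res = self.resources[name]
        if not self._may_grant(res, actor):
            raise AccessDenied(f"{actor} has no authority to grant access to {name}")
        res.readers.add(grantee)

    def revoke(self, actor: str, name: str, user: str) -> None:
        res = self.resources[name]
        if not self._may_grant(res, actor):
            raise AccessDenied(f"{actor} has no authority to revoke access to {name}")
        res.readers.discard(user)
        res.delegates.pop(user, None)   # revocation also withdraws a delegated grant right

    def delegate(self, actor: str, name: str, delegate: str) -> None:
        res = self.resources[name]
        if res.mode == "strict":
            raise AccessDenied("strict DAC: granting authority cannot be delegated")
        remaining = res.max_depth if actor == res.owner else res.delegates.get(actor, 0)
        if remaining <= 0:
            raise AccessDenied(f"{actor} may not delegate granting authority on {name}")
        res.delegates[delegate] = remaining - 1   # each hop uses up one level

    def transfer(self, actor: str, name: str, new_owner: str) -> None:
        res = self.resources[name]
        if actor != res.owner:
            raise AccessDenied("only the current owner may transfer ownership")
        res.owner = new_owner
        res.delegates.clear()   # the new owner decides afresh who may grant

    def can_read(self, user: str, name: str) -> bool:
        res = self.resources[name]
        return user == res.owner or user in res.readers


def book_dilemma() -> dict:
    """Walk Bob's book through the three variants and record what happened."""
    dac, out = DacRegistry(), {}
    # Strict DAC: Bob alone decides, and cannot hand that decision to anyone.
    dac.create("bobs-book", "bob", "strict")
    dac.grant("bob", "bobs-book", "me")
    out["me reads bobs-book"] = dac.can_read("me", "bobs-book")
    try:
        dac.delegate("bob", "bobs-book", "alice")
        out["strict delegation"] = "allowed"
    except AccessDenied:
        out["strict delegation"] = "denied"
    # Liberal DAC, one level: Alice may grant on Bob's behalf but not delegate further.
    dac.create("bobs-other-book", "bob", "liberal", max_depth=1)
    dac.delegate("bob", "bobs-other-book", "alice")
    dac.grant("alice", "bobs-other-book", "me")
    out["alice grants me"] = dac.can_read("me", "bobs-other-book")
    try:
        dac.delegate("alice", "bobs-other-book", "carol")
        out["alice delegates"] = "allowed"
    except AccessDenied:
        out["alice delegates"] = "denied"
    # Change of ownership: Bob sells the book to me; the discretion is now mine.
    dac.transfer("bob", "bobs-other-book", "me")
    dac.grant("me", "bobs-other-book", "dave")
    out["dave reads after sale"] = dac.can_read("dave", "bobs-other-book")
    out["bob reads after sale"] = dac.can_read("bob", "bobs-other-book")
    return out


if __name__ == "__main__":
    for event, result in book_dilemma().items():
        print(f"{event:24s} {result}")
```

The revocation rule is the part worth pausing on: because a delegate's right is stored alongside the access it granted, revoking a user also strips any granting authority they held, and transferring ownership clears every delegation, which is the behaviour an owner normally expects but which many ad hoc ACL implementations forget.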

Role Based Access Control (RBAC)

Role Based Access Control (RBAC) [75], after its definition and initiation, received enormous attention from the security community. In RBAC, permissions are associated with roles (see Fig. 5.2), and users are made members of appropriate roles, thereby acquiring the roles' permissions. This greatly simplifies the management of permissions. Roles can be created for the various job functions in an organization, and users are then assigned roles based on their responsibilities and qualifications. Users can be easily reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles when needed. In the book dilemma that I had, the library may have different roles based on the level of donation one pays, and there may be different permissions assigned to each role.

Fig. 5.2. Role based access control

An important characteristic of RBAC is that by itself it is policy neutral. RBAC is a mechanism for articulating policies rather than embodying a particular security policy (such as unidirectional information flow in a lattice). RBAC is a scalable and flexible mechanism for articulating access control policies. It is scalable, as the number of associations is smaller than in a typical user-to-permission mapping, and it is flexible, as Sandhu et al. [78] have shown that DAC and MAC are different manifestations of the RBAC system. They have shown that by tuning the different components, RBAC can be converted to different forms of DAC and MAC access mechanisms.
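The two claims above, that role membership simplifies administration and that it reduces the number of associations compared with a flat user-to-permission mapping, can both be checked directly. The following is an added example written for this page, not code from the book or from any grid toolkit. It assumes constructed library roles graded by donation level (visitor, member, patron), constructed permissions on two objects (fiction, manuscript), and generated user names; RBAC, library_policy and the method names are choices made here. The class deliberately encodes no policy of its own, in keeping with the policy-neutral point: the roles and assignments supplied to it are the policy.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (operation, object), e.g. ("borrow", "manuscript")


class RBAC:
    """Core RBAC: user-role assignment (UA) and role-permission assignment (PA).

    The class carries no policy of its own; the policy is whatever roles and
    assignments an administrator configures.
    """

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[Permission]] = defaultdict(set)   # PA
        self.user_roles: Dict[str, Set[str]] = defaultdict(set)          # UA

    def add_permission(self, role: str, operation: str, obj: str) -> None:
        self.role_perms[role].add((operation, obj))

    def revoke_permission(self, role: str, operation: str, obj: str) -> None:
        # One change here takes effect for every member of the role at once.
        self.role_perms[role].discard((operation, obj))

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def reassign(self, user: str, old_role: str, new_role: str) -> None:
        self.user_roles[user].discard(old_role)
        self.user_roles[user].add(new_role)

    def permissions_of(self, user: str) -> Set[Permission]:
        # .get avoids creating entries for unknown users on a mere lookup.
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def check(self, user: str, operation: str, obj: str) -> bool:
        return (operation, obj) in self.permissions_of(user)

    def rbac_associations(self) -> int:
        """|UA| + |PA|: the number of relationships an administrator maintains."""
        return (sum(len(r) for r in self.user_roles.values())
                + sum(len(p) for p in self.role_perms.values()))

    def direct_associations(self) -> int:
        """Size of the equivalent flat user-to-permission table."""
        return sum(len(self.permissions_of(u)) for u in self.user_roles)


def library_policy(n_members: int = 10, n_patrons: int = 10) -> RBAC:
    """Library roles graded by donation level (constructed scenario)."""
    rbac = RBAC()
    rbac.add_permission("visitor", "read", "fiction")
    for op, obj in [("read", "fiction"), ("borrow", "fiction"), ("read", "manuscript")]:
        rbac.add_permission("member", op, obj)
    for op, obj in [("read", "fiction"), ("borrow", "fiction"),
                    ("read", "manuscript"), ("borrow", "manuscript")]:
        rbac.add_permission("patron", op, obj)
    rbac.assign("me", "visitor")        # no donation: read in the reading room only
    rbac.assign("aunt", "member")       # card holder
    for i in range(n_members):          # generated users, constructed for the example
        rbac.assign(f"member{i}", "member")
    for i in range(n_patrons):
        rbac.assign(f"patron{i}", "patron")
    return rbac


if __name__ == "__main__":
    policy = library_policy()
    print("aunt may borrow the manuscript:", policy.check("aunt", "borrow", "manuscript"))
    print("associations under RBAC:", policy.rbac_associations())
    print("associations in a flat mapping:", policy.direct_associations())
    policy.reassign("aunt", "member", "patron")
    print("after reassignment:", policy.check("aunt", "borrow", "manuscript"))
```

With the default scenario the administrator maintains 30 associations (22 user-role plus 8 role-permission) where a flat table would need 74, and the gap widens with every user added to an existing role. Revoking a permission from a role, or moving a user between roles, is a single edit rather than one per user.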

Fig. 5.3. General certificate based push model
