
Discretionary Access Control (DAC)

Discretionary access control (DAC) is a class of access control models that controls access to an object based on the identity of a subject [25]. The identity could be the subject's user name or the subject's group membership. The word "discretionary" means that a subject that owns a certain access right over an object can pass that right on to other subjects at his or her own discretion. In other words, DAC allows the owner of a particular access right to a specific object to pass the right on to other subjects according to the owner's personal preferences. This capability makes the DAC model flexible in supporting commercial solutions where no strict control of information flow is required. For example, managing a shared folder on a server benefits from this capability. The owner (e.g. Bob) of an access right (i.e. read) over the shared folder can easily pass this right on to another subject (e.g. Eve) by creating a user name/password pair for Eve and granting it read access. In fact, DAC provides no real control over the flow of information: since Bob can pass his read right on to anybody at his discretion, the system manager, for instance, is unable to prevent it, and so cannot guarantee how information flows in the underlying system. This property of DAC (i.e. the lack of information flow control) increases the possibility of unauthorised access [23]. Therefore, DAC is not suitable for military applications that require rigorous control of information flow.
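The two ways the paragraph above says information escapes under DAC, as an added Python example (not code from the thesis): a toy system in which every object has an owner and the owner may grant any right on it to anyone. The first function is Bob handing Eve read access to his shared folder; the second shows that delegation is not even needed, because a subject that can merely read an object can copy its contents into an object it owns and share that instead. The class, the subject and object names and the rule "only the owner may grant" are assumptions of this example; nothing in the model lets a system manager express or enforce a flow policy.

```python
from collections import defaultdict


class DacSystem:
    """Minimal DAC model (constructed example): an object's owner holds read
    and write on it and may grant rights to any subject at their discretion.
    There is no notion of a system-wide flow policy anywhere in this class."""

    def __init__(self):
        self.owner = {}                  # object -> owning subject
        self.rights = defaultdict(set)   # (subject, object) -> set of rights
        self.contents = {}               # object -> stored data

    def create(self, owner, obj, data):
        if obj in self.owner:
            raise ValueError(f"{obj} already exists")
        self.owner[obj] = owner
        self.contents[obj] = data
        self.rights[(owner, obj)] |= {"read", "write"}

    def has(self, subject, obj, right):
        return right in self.rights.get((subject, obj), set())

    def grant(self, grantor, grantee, obj, right):
        # The only check is ownership: nobody else has a say in the grant.
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.rights[(grantee, obj)].add(right)

    def read(self, subject, obj):
        if not self.has(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self.contents[obj]

    def write(self, subject, obj, data):
        if not self.has(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self.contents[obj] = data


def leak_via_delegation():
    """Bob owns the shared folder and simply gives Eve read access."""
    s = DacSystem()
    s.create("bob", "shared_folder", "quarterly numbers")
    assert not s.has("eve", "shared_folder", "read")
    s.grant("bob", "eve", "shared_folder", "read")
    return s.read("eve", "shared_folder")


def leak_via_copy():
    """The manager keeps ownership of secret.txt and grants Bob read only;
    Bob copies the data into a file he owns and delegates read on that."""
    s = DacSystem()
    s.create("manager", "secret.txt", "TOP SECRET plan")
    s.grant("manager", "bob", "secret.txt", "read")
    s.create("bob", "notes.txt", "")
    s.write("bob", "notes.txt", s.read("bob", "secret.txt"))   # the copy
    s.grant("bob", "eve", "notes.txt", "read")
    # Eve never received any right on secret.txt, yet reads its contents.
    assert not s.has("eve", "secret.txt", "read")
    return s.read("eve", "notes.txt")


if __name__ == "__main__":
    print("via delegation:", leak_via_delegation())
    print("via copy:      ", leak_via_copy())
```

The second path is the one that matters in practice: revoking Bob's ability to grant would not close it, because the copy happens through ordinary read and write operations that DAC explicitly permits. Controlling that flow requires labels on the data that follow it into the copy, which is what the MAC models discussed later add.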

CHAPTER 2. TRADITIONAL ACCESS CONTROL MODELS 31

The access control matrix (ACM) is perhaps one of the first discretionary access control models for computer systems. It defines the access rights of each subject over the set of resource objects managed by the system [23]. In this model, a matrix is constructed with a column for every resource object and a row for every subject, so that a cell specifies the access rights of a particular subject over a particular object. For example, Table 2.1 shows a typical ACM for a system that manages a printer, a photocopier, and a seminar room. The subjects of this system are Alice, Bob, and Eve. The table shows, for example, that Bob's access rights over the photocopier are 'copy' and 'scan', whereas Eve can only use it as a 'fax'. There are various implementations of the ACM; the well-known ones are access control lists (ACLs), capabilities, and authorisation relations.

Table 2.1: Access Control Matrix Sample

Subject   Printer       Photocopier       Seminar Room
Alice     print         copy, scan, fax   order equipment, access, change PIN
Bob       order parts   copy, scan        access
Eve       print         fax               access

2.3.1 Access Control Lists

The ACL [26] is perhaps the most popular implementation of the ACM. An ACL representation stores the ACM column by column: each resource object has an associated list that defines, for each subject, the set of actions the subject may perform on that object. A sample ACL is shown in Figure 2.1; it describes which subject can perform which action(s) on the photocopier. The ACL implementation is object-centric, since it specifies an object's legitimate access modes. Thus it is straightforward to update an object's access modes by modifying the associated ACL [23], and equally easy to revoke all access to an object by replacing its ACL with an empty one. Determining the access rights of a subject, however, is not easy: every ACL in the system has to be checked for entries naming that subject.

Figure 2.1: The Access Control List for a photocopier machine
(Photocopier -> Alice: copy, scan, fax; Bob: copy, scan; Eve: fax)

2.3.2 Capabilities

Capabilities are another implementation of the ACM. Unlike the ACL approach, capabilities store the ACM row by row: each subject in the system holds an associated capability list covering the managed resource objects. Capabilities are therefore subject-centric, as depicted in Figure 2.2. This solves the problem of determining the set of actions allowed to a specific subject, which now only requires examining that subject's capabilities. Revoking access to an object, however, requires every capability list in the system to be examined and the object's entry removed from each.

Figure 2.2: Alice's Capability
(Alice -> Printer: print; Copier: copy, scan, fax; Seminar Room: order equipment, access, change PIN)

2.3.3 Authorisation relations

An authorisation relation is another implementation of the ACM, inspired by relational databases. As shown in Table 2.2, a relational table is created in which each row represents one access operation that a subject may perform over a specific object. Unlike ACLs and capabilities, this implementation does not favour one view over the other. A specific subject's access rights are obtained by sorting (or indexing) the table by subject, which corresponds to the capability view; similarly, sorting the table by object produces the same effect as the ACL view.
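The matrix of Table 2.1 in the three representations of Sections 2.3.1 to 2.3.3, as an added Python example (not code from the thesis). The matrix contents are exactly those of Table 2.1; the functions that derive the ACL, capability and relation views, and the counters that report how many entries each query has to touch, are assumptions of this example, added to make the asymmetry the text describes measurable rather than asserted.

```python
from collections import defaultdict

# Access control matrix of Table 2.1: subject -> object -> set of rights.
ACM = {
    "Alice": {"Printer": {"print"},
              "Photocopier": {"copy", "scan", "fax"},
              "Seminar Room": {"order equipment", "access", "change PIN"}},
    "Bob":   {"Printer": {"order parts"},
              "Photocopier": {"copy", "scan"},
              "Seminar Room": {"access"}},
    "Eve":   {"Printer": {"print"},
              "Photocopier": {"fax"},
              "Seminar Room": {"access"}},
}


def to_acls(acm):
    """Column view: one ACL per object, mapping subject -> rights."""
    acls = defaultdict(dict)
    for subject, row in acm.items():
        for obj, rights in row.items():
            if rights:
                acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(acm):
    """Row view: one capability list per subject, mapping object -> rights."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in acm.items()}


def to_relation(acm):
    """Authorisation relation: a set of (subject, right, object) tuples."""
    return {(s, r, o) for s, row in acm.items()
            for o, rights in row.items() for r in rights}


def subject_rights_from_acls(acls, subject):
    """The awkward ACL query: every ACL must be scanned for the subject."""
    found, scanned = {}, 0
    for obj, acl in acls.items():
        scanned += 1
        if subject in acl:
            found[obj] = acl[subject]
    return found, scanned


def subject_rights_from_caps(caps, subject):
    """Capabilities answer the same question from one entry."""
    return caps.get(subject, {}), 1


def revoke_object_from_acls(acls, obj):
    """Revoking all access to an object: replace its ACL. One entry touched."""
    acls[obj] = {}
    return 1


def revoke_object_from_caps(caps, obj):
    """The awkward capability operation: visit every subject's list."""
    scanned = 0
    for cap in caps.values():
        scanned += 1
        cap.pop(obj, None)
    return scanned


def relation_by_subject(rel, subject):
    """'Sorting by subject' is a filter on the first column (capability view)."""
    return sorted(t for t in rel if t[0] == subject)


def relation_by_object(rel, obj):
    """'Sorting by object' is a filter on the third column (ACL view)."""
    return sorted(t for t in rel if t[2] == obj)


if __name__ == "__main__":
    acls, caps, rel = to_acls(ACM), to_capabilities(ACM), to_relation(ACM)
    print("Bob via ACLs:", subject_rights_from_acls(acls, "Bob"))
    print("Bob via caps:", subject_rights_from_caps(caps, "Bob"))
    print("Printer rows:", relation_by_object(rel, "Printer"))
```

The scan counters are the point: with three objects the ACL query for Bob touches three lists while the capability lookup touches one, and revoking the photocopier costs one ACL replacement but a visit to all three capability lists. The relation form pays neither price at query time because both filters are index lookups on a single table, which is why it maps so naturally onto a database.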


Table 2.2: Authorisation Relations

Subject   Access Right      Object
Alice     print             Printer
Alice     copy              Copier
Alice     scan              Copier
Alice     fax               Copier
Alice     order equipment   Seminar Room
Alice     access            Seminar Room
Alice     change PIN        Seminar Room
Bob       order parts       Printer
Bob       copy              Copier
Bob       scan              Copier
Bob       access            Seminar Room
Eve       print             Printer
Eve       fax               Copier
Eve       access            Seminar Room

2.3.4 DAC summary remarks

It is worth noting that managing the ACM in a large-scale distributed environment is troublesome. The ACM is a static access control solution: subjects and objects need to be pre-defined, the access control decisions are fixed once the matrix is populated, and additional constraints cannot easily be imposed on them. Therefore, DAC is not suitable for UbiComp environments, which require access control to adapt to dynamic constraints (i.e. contextual information). Moreover, DAC cannot cope with the information leakage that results from its weak control of information flow. MAC was, in fact, proposed to overcome this weakness of DAC.