Many access control requirements cannot be automated using traditional mandatory access control (MAC) and discretionary access control (DAC) security mechanisms. Example includes user-attribute (---) based access control and owner-retained access control for handling specially marked data. While several researchers have identified the need for access controls that provide more flexibility than MAC and DAC, the proposed mechanisms for implementing these controls have several shortcomings. In this paper, we describe an access control mechanism that combines attribute certificates permit fine-grained authorisations based on user attributes, such as group membership, rank, and role. Mobile policies allow application-specific policies to move along with the object to other elements of the system. Mobile policies are expressed using an extension to a high-level definition language that we previously proposed in Reference.
[1]
LouAnna Notargiacomo,et al.
Beyond the pale of MAC and DAC-defining new forms of access control
,
1990,
Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.
[2]
Elisa Bertino,et al.
A unified framework for enforcing multiple access control policies
,
1997,
SIGMOD '97.
[3]
Sushil Jajodia,et al.
Using attribute certificates with mobile policies in electronic commerce applications
,
2000,
Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).
[4]
Sushil Jajodia,et al.
Distributed Policies for Data Management - Making Policies Mobile
,
2000,
DBSec.
[5]
Sushil Jajodia,et al.
A logical language for expressing authorizations
,
1997,
Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).