
CHAPTER 23 Policies, Access Control, and Formal Methods 575

requiring access to a passive object to perform some specific access operation [3]. A reference monitor permits or denies access. To make the access control decision, the reference monitor consults permissions and/or information about the subject, the object, or their relationship. Subjects typically include users, but also application programs and processes running on behalf of users. The information typically used about subjects and objects in access control is their system identifiers. Advanced access control models, however, extend this basic information with a large variety of information about the subjects and objects, resulting in the so-called attribute-based access control models, and with contextual information, such as time and location. We refer to an access control system as a system consisting of a reference monitor together with all the information required for taking access control decisions, such as the access control policies.

We then survey the discretionary access control model developed for System R, an early DBMS prototype based on the SQL language. We next cover the well-known RBAC model and several of its extensions, including privacy-aware RBAC (P-RBAC), an RBAC model tailored to the protection of privacy. We conclude the section with a discussion of recent attribute-based access control models. The presentation in this section is based on the presentations in [4] and [5]; we refer the readers to these references for additional details and discussions.

23.2.1. Access Control Matrix

The protection matrix was the first theoretical access control model [6]. It is an abstract representation of permissions specifying the access requests that are authorized. A protection matrix is a two-dimensional array, with each row labeled
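The following is an added example, not code from the book, that ties the two ideas above together: a protection matrix stored as a two-dimensional structure with rows indexed by subjects and columns by objects (the usual convention), mediated by a reference monitor that denies by default and that, as the attribute-based extension describes, can also consult contextual information such as time of day. The subjects (alice, bob, backup_svc, eve), objects (payroll.db, report.txt), operations and the business-hours rule are all constructed for illustration.

```python
"""Reference monitor over a protection matrix (added example, not from the book).

matrix[subject][object] is the set of permitted operations for that cell. The
monitor mediates every (subject, object, operation) request with default deny,
and per-object contextual rules extend the decision with information such as
the time of the request. All names and data below are constructed.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Context:
    """Contextual attributes available at decision time (constructed)."""
    now: time
    location: str = "office"


# A contextual rule receives the request plus context and returns True to allow.
Rule = Callable[[str, str, str, Context], bool]


@dataclass
class ReferenceMonitor:
    # matrix[subject][object] holds the permitted operations for that cell.
    # A missing cell carries no rights, so the default decision is deny.
    matrix: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # Contextual rules keyed by object; every rule on the object must hold.
    rules: Dict[str, List[Rule]] = field(default_factory=dict)
    # Audit trail of every mediated request and its outcome.
    log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def grant(self, subject: str, obj: str, *ops: str) -> None:
        """Add operations to the (subject, object) cell, creating it if needed."""
        self.matrix.setdefault(subject, {}).setdefault(obj, set()).update(ops)

    def revoke(self, subject: str, obj: str, *ops: str) -> None:
        """Remove operations from the cell; revoking absent rights is a no-op."""
        self.matrix.get(subject, {}).get(obj, set()).difference_update(ops)

    def add_rule(self, obj: str, rule: Rule) -> None:
        """Attach a contextual rule that must also hold for access to obj."""
        self.rules.setdefault(obj, []).append(rule)

    def check(self, subject: str, obj: str, op: str, ctx: Context) -> bool:
        """Permit only if the matrix cell contains op and every rule on obj allows it."""
        permitted = op in self.matrix.get(subject, {}).get(obj, set())
        if permitted:
            permitted = all(rule(subject, obj, op, ctx) for rule in self.rules.get(obj, []))
        self.log.append((subject, obj, op, "permit" if permitted else "deny"))
        return permitted


def business_hours_only(subject: str, obj: str, op: str, ctx: Context) -> bool:
    """Constructed contextual rule: allow only between 09:00 and 17:00."""
    return time(9, 0) <= ctx.now < time(17, 0)


def at(hour: int, minute: int = 0, location: str = "office") -> Context:
    """Build a request context for a given wall-clock time (helper for the demo)."""
    return Context(now=time(hour, minute), location=location)


def build_demo() -> ReferenceMonitor:
    """Populate a small matrix for a hypothetical file system (constructed data)."""
    rm = ReferenceMonitor()
    rm.grant("alice", "payroll.db", "read", "write")
    rm.grant("alice", "report.txt", "read")
    rm.grant("bob", "report.txt", "read", "write")
    rm.grant("backup_svc", "payroll.db", "read")   # a process acting as a subject
    rm.add_rule("payroll.db", business_hours_only)  # contextual extension
    return rm


def demo_decisions() -> Dict[str, bool]:
    """Mediate a series of requests and return each decision by name."""
    rm = build_demo()
    results = {
        "alice_write_payroll_noon": rm.check("alice", "payroll.db", "write", at(12)),
        "alice_write_payroll_night": rm.check("alice", "payroll.db", "write", at(2, 30)),
        "bob_read_payroll_noon": rm.check("bob", "payroll.db", "read", at(12)),
        "eve_read_report_noon": rm.check("eve", "report.txt", "read", at(12)),
        "backup_read_payroll_noon": rm.check("backup_svc", "payroll.db", "read", at(12)),
    }
    rm.revoke("bob", "report.txt", "write")
    results["bob_write_report_after_revoke"] = rm.check("bob", "report.txt", "write", at(12))
    return results


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: {'permit' if decision else 'deny'}")
```

Two design points matter for a real monitor: the decision is computed from the cell contents only (an unknown subject such as eve or an empty cell yields deny without any special case), and every request, permitted or denied, is recorded, since a reference monitor that is bypassable or unaudited does not meet the definition above.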