Framework for Enforcing Multiple Access Control Policies

Although several access control policies can be devised for controlling access to information, all existing authorization models, and the corresponding enforcement mechanisms, are based on a speciic policy (usually the closed policy). As a consequence, although diierent policy choices are possible in theory, in practice only a speciic policy can be actually applied within a given system. However, protection requirements within a system can vary dramatically, and no single policy may simultaneously satisfy them all. In this paper we present a exible authorization manager (FAM) that can enforce multiple access control policies within a single, uniied system. FAM is based on a language through which users can specify authorizations and access control policies to be applied in controlling execution of spe-ciic actions on given objects. We formally deene the language and properties required to hold on the security specii-cations and prove that this language can express all security speciications. Furthermore, we show that all programs expressed in this language (called FAM/CAM-programs) are also guaranteed to be consistent (i.e., no connicting access decisions occur) and CAM-programs are complete (i.e., every access is either authorized or denied). We then illustrate how several well-known protection policies proposed in the literature can be expressed in the FAM/CAM language and how users can customize the access control by specifying their own policies. The result is an access control mechanism which is exible, since diierent access control policies can all coexist in the same data system, and extensible, since it can be augmented with any new policy a speciic application or user may require. 1 Introduction Several access control policies have been proposed in the literature for controlling access to information. Correspondingly , several authorization models have been formalized and access control mechanisms enforcing them implemented. Each model, and its corresponding enforcing mechanism, implements a single speciied policy, which is in fact built into the mechanism. As a consequence, although diierent policy choices are possible in theory, each access control system is in practice bound to a speciic policy. The major drawback of this approach is that a single policy simply cannot capture all protection requirements that may arise over time. For instance, each of us deals with data protection in different ways. We may have information that we want to keep completely private, information we want to share with everybody, information we want to share with almost everybody (with a few exceptions), and information we …