Journal "Software Engineering"
a journal on theoretical and applied science and technology
ISSN 2220-3397
Issue N9 2015 year
A new access control model is proposed for multi-user computer systems. Traditional approaches to the implementation of access control mechanisms, namely the discretionary access control, multi-level security, and role-based models, face the challenge of dealing with dynamic properties of modern systems, including constantly changing set of users, modification of attributes of entities in the system, and rearrangement of relations between them. Under these conditions, typical for systems similar to multi-user content management systems [3] and social networks [5, 6], traditional approaches may lead to an increase in administrative actions for managing the access control mechanism and the access control rules. Declarative approaches, e.g. attribute-based access control [1, 2, 7], provide the means to reduce the verbosity of administrative actions by using more expressive logic to specify access control rules.
The proposed model uses so called chains of relations between entities in the target system, including its users and resources, to specify the access control rules. A chain combines a sequence of binary relations by binding entities in adjacent relations. The relation-based approach maps naturally onto the commonly used relational databases. The proposed model maintains efficient computation of access control decisions while still achieving sufficient expressiveness by supporting combination of relation chains, transitive relations, and attribute-based conditions.
A formal description of the model is given in the paper. A property of model leading to efficient computation of access control decisions is defined, and a constructive approach to verifying this property is provided along with the proof of the underlying theorem. Experimental evaluation of the proposed model is discussed in application to a model of a computer system "Nauka-MGU" ("ISTINA") [4] designed for user-assisted collection and management of research- and education-related data and metrics in Lomonosov Moscow State University.