Access Control Schemes

Discussions on access control usually concentrate on one of two basic schemes: access control lists and capabilities. A third scheme, used in military system access control, is label based: every object has a label and an identity. Each of these can be considered as a single technique on a spectrum. The spectrum is concerned with where the authorization information is kept: with the accessing object, with the accessed object, or split between both of them. Each of the schemes recognizes that the access control rules need to be kept somewhere and that the set of possible rules for every possible object interaction is very large. We look at this spectrum next under the headings of access control lists, capabilities, and military security classifications.

In the access control list scheme nearly all of the information is kept with the accessed object. The information takes the form of a list of all the objects that are allowed to access a particular object. The only information that is needed from the accessing object is its identity, which is used to look up the access control list and make a decision. Where the set of object identities allowed to access another object is quite small, or can be kept in an abbreviated form, this scheme has the advantage that the access control information is kept with the objects that are to be protected. Lists can be kept small by having groups of objects with the same access rights share a single role identity; the role identity of an accessing object is then used to check for entries in the list. A negative access control list contains a list of identities that are not allowed to access an object, a sort of black list. Negative lists are useful when all the members of a group or role except a few individuals are to be allowed access to an object. They are also used when an individual is to be taken out of a role or group but not all the group lists have been changed, or when that individual may still be using the system at the time his rights are to be revoked and he has already obtained the role privileges.

In a capability scheme the information is kept with the accessing object. A capability is a right to use some object, just like a pre-paid ticket on a train. Every object would have a set of capabilities for all of the objects it might require to use. The only information required of the accessed object is its identity, so that it can be compared with the capability that is being used in the attempt to obtain access. Just as there are techniques for limiting the size of an access control list, there are techniques for reducing the number of capabilities that an accessing object must keep. Because all of the access control information is with the accessing object, it can be seen that this is the opposite, or complementary, scheme to access control lists. A problem with capabilities is making sure that an object has all the capabilities it needs and that objects do not acquire capabilities they are not entitled to (that is, capabilities have to be protected against copying).

A scheme that is used with military systems is based on the use of labels and classification. Information in the system is given a classification, say secret or classified, and users of the system are rated to some level, secret or classified. There is a strict relationship between the classifications such that (for example) all classified information is available to a user with a rating of secret, as well as all secret information. In addition to these classifications, information is placed into categories, or compartments, such as naval, nuclear, or HQ. Users are given access to certain compartments. To decide if a user has access to a piece of information (or even should be told that it exists), the user's level must be greater than or equal to the classification of the information, and the user must have access to the compartment to which the information has been assigned. A problem with this scheme is that it does not help to discriminate between different users of the same level; other access control mechanisms have to be used for that. The classification and compartment idea can be readily translated to the commercial world, using company confidential and restricted for classifications and accounts and personnel for compartments.
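The three points on the spectrum described above, as an added worked example that is not part of the original text: a reference monitor that decides an access under each scheme. The ACL part keeps an allow list of identities or roles with the accessed object plus a negative list that overrides it; the capability part keeps tokens with the accessing object and, as one assumed way of addressing the copying problem the text raises, binds each token to its holder with a keyed tag so a copied or edited token fails verification; the label part implements the level-and-compartment rule and generalises the text's single compartment to a set of compartments (the information's compartments must all be held by the user). All names, roles, keys and classification words below are constructed for the example.

```python
"""Three points on the access-control spectrum: rules kept with the
accessed object (ACL), with the accessing object (capability), or
derived from labels (classification lattice).  Added example; every
name, role and key here is constructed."""
from dataclasses import dataclass, field
import hashlib
import hmac

# ---- 1. Access control list: information kept with the accessed object ----
@dataclass
class AclObject:
    name: str
    allowed: set = field(default_factory=set)  # identities or role identities
    denied: set = field(default_factory=set)   # negative list (black list)

def acl_check(obj: AclObject, subject: str, roles) -> bool:
    """A negative entry wins over any positive one, so a single member of
    a role can be shut out without rewriting every list naming the role."""
    ids = {subject} | set(roles)
    if ids & obj.denied:
        return False
    return bool(ids & obj.allowed)

# ---- 2. Capabilities: information kept with the accessing object ----------
# Assumed protection against copying: the monitor alone holds MONITOR_KEY
# and tags each capability over (holder, object, right).  A token copied to
# another holder, or edited to claim a different right, fails verification.
MONITOR_KEY = b"constructed-reference-monitor-key"

def _tag(holder: str, obj: str, right: str) -> str:
    msg = f"{holder}|{obj}|{right}".encode()
    return hmac.new(MONITOR_KEY, msg, hashlib.sha256).hexdigest()

def mint_capability(holder: str, obj: str, right: str):
    """Issued by the monitor; the holder stores and later presents it."""
    return (holder, obj, right, _tag(holder, obj, right))

def cap_check(cap, holder: str, obj: str, right: str) -> bool:
    """Only the accessed object's identity and the presenter's identity are
    needed; everything else is read from the capability and verified."""
    h, o, r, tag = cap
    if (h, o, r) != (holder, obj, right):
        return False
    return hmac.compare_digest(tag, _tag(h, o, r))

# ---- 3. Labels: level ordering plus compartments --------------------------
# Ordering follows the text: "secret" dominates "classified".  "unclassified"
# is an assumed floor for information that carries no classification.
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2}

@dataclass(frozen=True)
class Labelled:
    name: str
    level: str
    compartments: frozenset

def label_check(user: Labelled, info: Labelled) -> bool:
    """User level >= information level, and the user holds every
    compartment the information is assigned to."""
    return (LEVELS[user.level] >= LEVELS[info.level]
            and info.compartments <= user.compartments)

def demo() -> dict:
    """Decisions for constructed subjects and objects under each scheme."""
    payroll = AclObject("payroll", allowed={"accounts"}, denied={"bob"})
    acl = {
        "alice_accounts": acl_check(payroll, "alice", ["accounts"]),
        "bob_revoked": acl_check(payroll, "bob", ["accounts"]),
        "carol_personnel": acl_check(payroll, "carol", ["personnel"]),
    }
    ticket = mint_capability("alice", "printer", "use")
    forged = ("alice", "printer", "admin", ticket[3])  # right edited, old tag
    cap = {
        "holder": cap_check(ticket, "alice", "printer", "use"),
        "copied_to_mallory": cap_check(ticket, "mallory", "printer", "use"),
        "forged_right": cap_check(forged, "alice", "printer", "admin"),
    }
    dave = Labelled("dave", "secret", frozenset({"naval", "HQ"}))
    erin = Labelled("erin", "classified", frozenset({"naval", "nuclear"}))
    plan = Labelled("plan", "classified", frozenset({"naval"}))
    design = Labelled("design", "secret", frozenset({"nuclear"}))
    labels = {
        "dave_plan": label_check(dave, plan),       # level ok, compartment ok
        "dave_design": label_check(dave, design),   # level ok, no "nuclear"
        "erin_design": label_check(erin, design),   # compartment ok, level too low
        "erin_plan": label_check(erin, plan),
    }
    return {"acl": acl, "cap": cap, "labels": labels}

if __name__ == "__main__":
    for scheme, decisions in demo().items():
        print(scheme, decisions)
```

The ACL and label checks need nothing from the subject beyond its identity, roles or rating, while the capability check needs nothing from the object beyond its identity; that asymmetry is the spectrum the text describes. The keyed tag is one assumed technique for the copying problem, not something the text prescribes.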