Abstract
Access control enforces authorization policies so that unauthorized users cannot perform actions that would cause a security violation. Numerous access control models exist, and more have emerged recently to meet the demanding requirements of resource protection, which makes it hard to classify the models and to choose one that satisfies a given set of security needs. This paper gives an overview of authorization strategies and proposes a rough classification of access control models, with examples for each category. Compared with earlier comparative studies, we cover more models, including both the conventional state-of-the-art models and novel ones. We also summarize the related literature, selecting works that focus on the database systems domain or that provide a survey, a taxonomy or classification, or evaluation criteria for access control models. Finally, the introduced categories of models are analyzed against several criteria, partly drawn from the standard access control system evaluation metrics published by the National Institute of Standards and Technology (NIST). Further studies extending both the list of access control models and the analysis criteria are planned.
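The abstract above does not name the model families it classifies. The following added example, which is not code from the paper, contrasts three of the conventional categories it covers (discretionary, role-based and attribute-based access control) by evaluating the same request through one deny-by-default policy decision point. The subjects, resources, roles and rules are constructed for illustration; the model names and the deny-by-default convention are standard, everything else is assumed.

```python
"""Added example: one policy decision point (PDP) evaluating a request under
three access control model families, deny-by-default in every case.
All subjects, resources, roles and rules below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str
    action: str
    resource: str
    # Subject and environment attributes; only consulted by the ABAC evaluator.
    attrs: dict = field(default_factory=dict)


# ---- DAC: the object's owner decides; permissions live in a per-object ACL ----
ACL = {
    "patients.csv": {
        "owner": "alice",
        "grants": {"alice": {"read", "write"}, "bob": {"read"}},
    },
}


def dac_decide(req: Request) -> bool:
    entry = ACL.get(req.resource)
    if entry is None:  # unknown object: deny
        return False
    return req.action in entry["grants"].get(req.subject, set())


def dac_grant(owner: str, grantee: str, action: str, resource: str) -> bool:
    """Discretionary delegation: only the object's owner may extend its ACL."""
    entry = ACL.get(resource)
    if entry is None or entry["owner"] != owner:
        return False
    entry["grants"].setdefault(grantee, set()).add(action)
    return True


# ---- RBAC: permissions attach to roles, users are assigned roles ----
ROLE_PERMS = {
    "physician": {("read", "patients.csv"), ("write", "patients.csv")},
    "auditor": {("read", "patients.csv")},
}
USER_ROLES = {"alice": {"physician"}, "bob": {"auditor"}}


def rbac_decide(req: Request) -> bool:
    roles = USER_ROLES.get(req.subject, set())  # unassigned user: no roles, deny
    return any((req.action, req.resource) in ROLE_PERMS.get(r, set()) for r in roles)


# ---- ABAC: rules over subject, resource and environment attributes ----
RESOURCE_ATTRS = {
    "patients.csv": {"classification": "phi", "department": "cardiology"},
}


def abac_decide(req: Request) -> bool:
    res = RESOURCE_ATTRS.get(req.resource)
    if res is None:  # resource without attributes: no rule can match, deny
        return False
    s = req.attrs
    same_dept = s.get("department") == res["department"]
    # Rule 1: staff of the owning department may read PHI while on shift.
    if (req.action == "read" and res["classification"] == "phi"
            and same_dept and s.get("on_shift") is True):
        return True
    # Rule 2: only an attending physician of that department may write.
    if req.action == "write" and same_dept and s.get("attending") is True:
        return True
    return False


EVALUATORS = {"DAC": dac_decide, "RBAC": rbac_decide, "ABAC": abac_decide}


def decide(model: str, req: Request) -> bool:
    """Deny-by-default dispatcher: an unknown model or an evaluator error is a deny."""
    evaluator = EVALUATORS.get(model)
    if evaluator is None:
        return False
    try:
        return bool(evaluator(req))
    except Exception:
        return False


def compare(req: Request) -> dict:
    """Evaluate one request under every model to show where the families diverge."""
    return {m: decide(m, req) for m in EVALUATORS}


if __name__ == "__main__":
    off_shift_auditor = Request("bob", "read", "patients.csv",
                                {"department": "cardiology", "on_shift": False})
    print(compare(off_shift_auditor))
```

The same read request is permitted by the ACL and by the auditor role but denied by the attribute rules because the environment attribute `on_shift` is false; that divergence is the kind of expressiveness difference a classification of models has to capture. Note that every evaluator returns a deny for anything it does not explicitly know (unknown object, unassigned user, missing attribute), which is the property a practitioner should check first in any real policy engine.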
Acknowledgement
The research reported in this paper has been partly supported by the LIT Secure and Correct Systems Lab funded by the State of Upper Austria. The work was also funded within the FFG BRIDGE project KnoP-2D (grant no. 871299).
© 2021 Springer Nature Switzerland AG
Cite this paper
Mohamed, A., Auer, D., Hofer, D., Küng, J. (2021). Authorization Strategies and Classification of Access Control Models. In: Dang, T.K., Küng, J., Chung, T.M., Takizawa, M. (eds) Future Data and Security Engineering. FDSE 2021. Lecture Notes in Computer Science(), vol 13076. Springer, Cham. https://doi.org/10.1007/978-3-030-91387-8_11
DOI: https://doi.org/10.1007/978-3-030-91387-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91386-1
Online ISBN: 978-3-030-91387-8