Miège, 2005

Abstract

This thesis presents a new access control model called Or-BAC (Organization-Based Access Control). We aim at overcoming the limitations of the existing models while simplifying the security policy specification. We suggest a more expressive and modular model that enables us to make a distinction between the policy and its concrete implementation.

This is obtained by making an abstraction of the traditional access control entities subject, action and object. Actually, subjects are empowered in roles, objects are used in views and actions implement activities. Furthermore, the concept of organization is central in our model. This makes it possible to better analyze interporability between organizations and to model an organization structure by designing hierarchies of organization.

Three other features are tackled in this dissertation. First, in order to obtain dynamic security rules, we introduce the entity context. It enables us to define in which circumstances authorizations must be activated and deactivated. Second, we consider negative authorizations since it allows to more easily specifying complex policies. As conflicts might occur between positive and negative authorizations, we provide a parametric conflict management strategy that allows us to detect and resolve potential conflicts. Finally, we define an administration model called AdOr-BAC. This administration model is fully compliant with Or-BAC and offers convenient and flexible means to manage Or-BAC policies.

The last part of the dissertation is dedicated to two implementation works: The application to a network environment and the development of a prototype application, OToKit, used to design Or-BAC policies and to detect and solve conflicts.