We use cookies to give you a better experience. Carry on browsing if you're happy with this, or read our cookies policy for more information.

Skip main navigation

Staying in control

Staying in control
© Newcastle University
How can we specify who can enter our house? Or borrow our car?
An access control policy is a document describing which accesses are authorised or denied within a system. The person responsible for defining such a policy is usually either a security officer, or the owner of the resource that the policy applies to. For instance, a picture posted on Facebook will be protected by two distinct policies: one from Facebook itself, for instance stating that only the owner can delete it, and the other specified directly by the user, for instance stating that friends of friends are not able to see that picture. If you have a Facebook account, this guide describes in detail what you can configure on your account.
Defining an access control policy is a problem almost as old as computers themselves. A seminal paper by Butler W. Lampson, published in 1971, introduces the concept of an access matrix: whereby each row corresponds to a user, each column to a file, and each cell to the access rights owned by the corresponding user over the corresponding file (the original model is slightly more complex, with the notion of domain, and is a very interesting read. For instance, in the example below, Alice can read both pictures, while only Bob can delete them. In addition, Bob cannot read Picture2.jpg, although he can delete it.

Example of an access control matrix

 Picture1.jpgPicture2.jpg
AliceReadRead
BobRead, DeleteDelete
However, an access matrix is often impractical in modern situations: could you imagine defining such a matrix for all your pictures on Facebook and the billions of Facebook users? Or even for your door lock and all the residents in your city? A lot of research has been done over the last decades to find the right granularity for access control, i.e., which elements should be provided in order to define a policy.
A very popular model is Role-based Access Control, which introduces an abstract notion of role, to which different permissions can be assigned. For instance, the role delivery staff could be created, such that someone associated with this role could open the door of your house, but only between 11.00 and 11:30 on a day you are expecting a delivery.
More recently, the notion of Attribute-based Access Control has been developed, where an attribute can represent any sort of information used to make a security decision, such as name, time, location, role, etc. The standard XACML (eXtensible Access Control Markup Language) is a concrete implementation of Attribute-based Access Control, since its version 3.0, published in January 2013.
These models can be quite helpful, as they can provide the appropriate level of abstraction. However, they do not automatically answer two very important questions:
  • who should define the policy? This is a key problem when designing an authorisation or access control policy: should the owner of the resources be responsible, or should it be the provider of the infrastructure? For instance, in the case of Facebook pictures mentioned above, there are two policies, one by Facebook and one by the user, but in practice, the user policy is provided by default by Facebook, and the user has to actively go and change it. In addition, the user cannot change the policy designed by Facebook.
  • which information should be shared? This question is particularly important with respect to the trade-off between security and privacy. If you share your car with a car club scheme, you might need to know that someone who wants to rent your car has good ratings from other members, and has a valid licence, but you do not need to know their bank details, or even their exact date of birth.
© Newcastle University
This article is from the free online

Cyber Security: Safety at Home, Online, in Life

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education