How can we specify who can enter our house? Or borrow our car?
An access control policy
is a document describing which accesses are authorised or denied within a system. The person responsible for defining such a policy is usually either a security officer, or the owner of the resource that the policy applies to. For instance, a picture posted on Facebook will be protected by two distinct policies: one from Facebook itself, for instance stating that only the owner can delete it, and the other specified directly by the user, for instance stating that friends of friends are not able to see that picture. If you have a Facebook account, this guide
describes in detail what you can configure on your account.
Defining an access control policy is a problem almost as old as computers themselves. A seminal paper by Butler W. Lampson
, published in 1971, introduces the concept of an access matrix
: whereby each row corresponds to a user, each column to a file, and each cell to the access rights owned by the corresponding user over the corresponding file (the original model is slightly more complex, with the notion of domain
, and is a very interesting read. For instance, in the example below, Alice can read both pictures, while only Bob can delete them. In addition, Bob cannot read Picture2.jpg, although he can delete it.
Example of an access control matrix
However, an access matrix is often impractical in modern situations: could you imagine defining such a matrix for all your pictures on Facebook and the billions of Facebook users? Or even for your door lock and all the residents in your city? A lot of research has been done over the last decades to find the right granularity for access control, i.e., which elements should be provided in order to define a policy.
A very popular model is Role-based Access Control
, which introduces an abstract notion of role
, to which different permissions can be assigned. For instance, the role delivery staff
could be created, such that someone associated with this role could open the door of your house, but only between 11.00 and 11:30 on a day you are expecting a delivery.
More recently, the notion of Attribute-based Access Control
has been developed, where an attribute can represent any sort of information used to make a security decision, such as name, time, location, role, etc. The standard XACML
(eXtensible Access Control Markup Language
) is a concrete implementation of Attribute-based Access Control, since its version 3.0, published in January 2013.
These models can be quite helpful, as they can provide the appropriate level of abstraction. However, they do not automatically answer two very important questions:
- who should define the policy? This is a key problem when designing an authorisation or access control policy: should the owner of the resources be responsible, or should it be the provider of the infrastructure? For instance, in the case of Facebook pictures mentioned above, there are two policies, one by Facebook and one by the user, but in practice, the user policy is provided by default by Facebook, and the user has to actively go and change it. In addition, the user cannot change the policy designed by Facebook.
- which information should be shared? This question is particularly important with respect to the trade-off between security and privacy. If you share your car with a car club scheme, you might need to know that someone who wants to rent your car has good ratings from other members, and has a valid licence, but you do not need to know their bank details, or even their exact date of birth.