A major drawback of existing access control systems is that they have all been developed with a specific access control policy in mind. This means that all protection requirements (i.e., accesses to be allowed or denied) must be specified in terms of the policy enforced by the system. While this may be trivial for some requirements, specification of other requirements may become quite complex or even impossible. The reason for this is that a single policy simply cannot capture different protection requirements users may need to enforce on different data. In this paper we take a first step towards a model able to support different access control policies. We propose a logical language for the specification of authorizations on which such a model can be based. The language allows users to specify, together with the authorizations, the policy according to which access control decisions are to be made. Policies are expressed by means of rules which enforce derivation of authorization...
Sushil Jajodia, Pierangela Samarati, V. S. Subrahm