Skip to Main content Skip to Navigation

Definition of a formal framework for specifying security policies. The Or-BAC model and extensions.

Abstract : This thesis presents a new access control model called Or-BAC (Organization-Based Access Control). We aim at overcoming the limitations of the existing models while simplifying the security policy specification. We suggest a more expressive and modular model that enables us to make a distinction between the policy and its concrete implementation. This is obtained by making an abstraction of the traditional access control entities subject, action and object. Actually, subjects are empowered in roles, objects are used in views and actions implement activities. Furthermore, the concept of organization is central in our model. This makes it possible to better analyze interporability between organizations and to model an organization structure. Three other features are tackled in this dissertation. First, in order to obtain dynamic security rules, we introduce the entity context. It enables us to define in which circumstances authorizations must be activated and deactivated. Second, we consider negative authorizations since it allows to more easily specifying complex policies. As conflicts might occur between positive and negative authorizations, we provide a parametric conflict management strategy that allows us to detect and resolve potential conflicts. Finally, we define an administration model called AdOr-BAC. This administration model is fully compliant with Or-BAC and offers convenient and flexible means to manage Or-BAC policies. The last part of the dissertation is dedicated to two implementation works: The application to a network environment and the development of a prototype application, OToKit, used to design Or-BAC policies and to detect and solve conflicts.
Document type :
Domain :
Complete list of metadata

Cited literature [105 references]  Display  Hide  Download
Contributor : Ecole Télécom ParisTech Connect in order to contact the contributor
Submitted on : Thursday, September 8, 2005 - 8:00:00 AM
Last modification on : Friday, October 23, 2020 - 4:37:49 PM
Long-term archiving on: : Thursday, September 30, 2010 - 7:04:20 PM


  • HAL Id : pastel-00001376, version 1



Alexandre Miège. Definition of a formal framework for specifying security policies. The Or-BAC model and extensions.. domain_other. Télécom ParisTech, 2005. English. ⟨pastel-00001376⟩



Record views


Files downloads