Skip to Main content Skip to Navigation
Theses

Definition of a formal framework for specifying security policies. The Or-BAC model and extensions.

Abstract : This thesis presents a new access control model called Or-BAC (Organization-Based Access Control). We aim at overcoming the limitations of the existing models while simplifying the security policy specification. We suggest a more expressive and modular model that enables us to make a distinction between the policy and its concrete implementation. This is obtained by making an abstraction of the traditional access control entities subject, action and object. Actually, subjects are empowered in roles, objects are used in views and actions implement activities. Furthermore, the concept of organization is central in our model. This makes it possible to better analyze interporability between organizations and to model an organization structure. Three other features are tackled in this dissertation. First, in order to obtain dynamic security rules, we introduce the entity context. It enables us to define in which circumstances authorizations must be activated and deactivated. Second, we consider negative authorizations since it allows to more easily specifying complex policies. As conflicts might occur between positive and negative authorizations, we provide a parametric conflict management strategy that allows us to detect and resolve potential conflicts. Finally, we define an administration model called AdOr-BAC. This administration model is fully compliant with Or-BAC and offers convenient and flexible means to manage Or-BAC policies. The last part of the dissertation is dedicated to two implementation works: The application to a network environment and the development of a prototype application, OToKit, used to design Or-BAC policies and to detect and solve conflicts.
Document type :
Theses
Domain :
Complete list of metadatas

Cited literature [105 references]  Display  Hide  Download

https://pastel.archives-ouvertes.fr/pastel-00001376
Contributor : Ecole Télécom Paristech <>
Submitted on : Thursday, September 8, 2005 - 8:00:00 AM
Last modification on : Friday, July 31, 2020 - 10:44:03 AM
Long-term archiving on: : Thursday, September 30, 2010 - 7:04:20 PM

Identifiers

  • HAL Id : pastel-00001376, version 1

Collections

Citation

Alexandre Miège. Definition of a formal framework for specifying security policies. The Or-BAC model and extensions.. domain_other. Télécom ParisTech, 2005. English. ⟨pastel-00001376⟩

Share

Metrics

Record views

551

Files downloads

1197