Going Beyond MAC and DAC Using Mobile Policies

Abstract

Many access control requirements cannot be automated using traditional mandatory access control (MAC) and discretionary access control (DAC) security mechanisms. Examples include user-attribute-based access control and owner-retained access control for handling specially marked data. While several researchers have identified the need for access controls that provide more flexibility than MAC and DAC, the proposed mechanisms for implementing these controls have several shortcomings. In this paper, we describe an access control mechanism that combines attribute certificates with mobile policy to overcome these shortcomings. Attribute certificates permit fine-grained authorisations based on user attributes, such as group membership, rank, and role. Mobile policies allow application-specific policies to move along with the object to other elements of the system. Mobile policies are expressed using an extension to a high-level definition language that we previously proposed in Reference [5]. © 2002 Kluwer Academic / Plenum Publishers, New York.