Constraints-Based Access Control

Abstract

The most important aspect of security in a database after establishing the authenticity of the user is its access control mechanism. The ability of this access control mechanism to express the security policy can make or break the system. This paper introduces constraints-based access control (CBAC) - an access control mechanism that general associations between users and permissions are specified by the rules (or constraints) governing the access rights of each user. This association is not restricted to static events but can include dynamic factors as well. One of the many advantages of CBAC is that even a static CBAC is a generalisation of most of the access control mechanism in use today. We demonstrate how CBAC can efficiently simulate role-based access control (RBAC) and access control list (ACL). In fact, CBAC allows the introduction of any abstract concepts as one would do roles in RBAC. On top of that, CBAC also allows the users to specify interactions between these concepts. Any flexibile access control method usually raises concerns over its time efficiency. We advocate the use of partial solutions to the access control constraints to improve the efficiency of CBAC.