The formulary model for flexible privacy and access controls

Abstract

We have defined and demonstrated a model of access control which allows real-time decisions to be made about privileges granted to users of a data base. Raw data need appear only once in the data base and arbitrarily complex access control programs can be associated with arbitrarily small fragments of this data. The desirable characteristics for an access control method laid out in the section on access control methods are all present (though we have not yet run enough experiments to make general statements about efficiency): (1) No arbitrary constraint (such as segmentation or sensitivity levels) is imposed on data or programs. (2) The method allows control of individual data elements. Its efficiency depends on the specific system involved and the particular controls used. (3) No extra storage or time is required to describe data which the user does not desire to protect. (4) The method is machine-independent and also independent of file structure. The efficiency of each implementation depends mainly on the adequacy of the formulary method for the particular data structures and application involved. (5) The discussion above illustrates the modularity of the formulary mode.