Ph.D. Infos

Title: Definition of a formal framework for specifying security policies. The Or-BAC model and extensions.
Defended: June 27th, 2005 at Télécom Paris.
Keywords: Or-BAC, security policy, access control, context, conflict management, administration, AdOr-BAC, OToKit.
Download: PDF version

Abstract:
This thesis presents a new access control model called Or-BAC
(Organization-Based Access Control). We aim at overcoming the
limitations of the existing models while simplifying the security
policy specification. We suggest a more expressive and modular
model that enables us to make a distinction between the policy and
its concrete implementation.

This is obtained by abstracting the traditional access control
entities subject, action and object: subjects are empowered in
roles, objects are used in views and actions implement
activities. Furthermore, the concept of organization is central
to our model. This makes it possible to better analyze
interoperability between organizations and to model an organization's
structure by designing hierarchies of organizations.

Three other
features are tackled in this dissertation. First, in order to
obtain dynamic security rules, we introduce the entity context. It
enables us to define in which circumstances authorizations must be
activated and deactivated. Second, we consider negative
authorizations, since they make it easier to specify complex
policies. As conflicts might occur between positive and negative
authorizations, we provide a parametric conflict management
strategy that allows us to detect and resolve potential conflicts.
Finally, we define an administration model called AdOr-BAC. This
administration model is fully compliant with Or-BAC and offers
convenient and flexible means to manage Or-BAC policies.

The last
part of the dissertation is dedicated to two implementation efforts:
the application to a network environment and the development of a
prototype application, OToKit, used to design Or-BAC policies and
to detect and solve conflicts.
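
As an added illustration (not code from the thesis or from OToKit), the following Python example derives concrete access decisions from abstract Or-BAC rules in the way the abstract describes, and flags conflicts between positive and negative authorizations. The hospital policy, the environment-only context predicates and the "prohibition wins, default deny" resolution are assumptions made here; the thesis's parametric strategy is not reproduced.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str      # "permission" or "prohibition" (negative authorization)
    org: str
    role: str
    activity: str
    view: str
    context: str

class Policy:
    def __init__(self):
        self.rules = []
        self.empower = set()     # (org, subject, role): subject is empowered in role
        self.implement = set()   # (org, action, activity): action implements activity
        self.use = set()         # (org, object, view): object is used in view
        # Simplification: a context is a predicate over the environment only.
        self.contexts = {"default": lambda env: True}

    def derive(self, subject, action, obj, env):
        """Abstract rules that apply to a concrete (subject, action, object)."""
        return [r for r in self.rules
                if (r.org, subject, r.role) in self.empower
                and (r.org, action, r.activity) in self.implement
                and (r.org, obj, r.view) in self.use
                and self.contexts[r.context](env)]

    def decide(self, subject, action, obj, env):
        """Return (allowed, conflict). Assumed strategy: prohibition wins, default deny."""
        kinds = {r.kind for r in self.derive(subject, action, obj, env)}
        return kinds == {"permission"}, len(kinds) == 2

def sample_policy():
    # Constructed data for illustration only.
    p = Policy()
    p.contexts["working_hours"] = lambda env: 8 <= env["hour"] < 18
    p.rules += [
        Rule("permission", "hospital", "physician", "consult", "medical_record", "default"),
        Rule("permission", "hospital", "nurse", "consult", "medical_record", "working_hours"),
        Rule("prohibition", "hospital", "trainee", "consult", "medical_record", "default"),
    ]
    p.empower |= {("hospital", "alice", "physician"), ("hospital", "bob", "nurse"),
                  ("hospital", "carol", "physician"), ("hospital", "carol", "trainee")}
    p.implement |= {("hospital", "read", "consult")}
    p.use |= {("hospital", "record_42.pdf", "medical_record")}
    return p

if __name__ == "__main__":
    p = sample_policy()
    for who, hour in [("alice", 22), ("bob", 10), ("bob", 22), ("carol", 10)]:
        print(who, hour, p.decide(who, "read", "record_42.pdf", {"hour": hour}))
```

The same abstract rule set yields different concrete decisions as role assignments or the context change, without the rules themselves being edited.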