Composing and combining policies under the policy machine

Authors:
David F. Ferraiolo;Serban Gavrila;Vincent Hu;D. Richard Kuhn
Affiliations:
National Institute of Standards and Technology, Gaithersburg, MD;National Institute of Standards and Technology, Gaithersburg, MD;National Institute of Standards and Technology, Gaithersburg, MD;National Institute of Standards and Technology, Gaithersburg, MD
Venue:
Proceedings of the tenth ACM symposium on Access control models and technologies
Year:
2005

Citing 6
Cited 4

Role-Based Access Control Models

Computer
A role-based access control model and reference implementation within a corporate intranet

ACM Transactions on Information and System Security (TISSEC) - Special issue on role-based access control
Configuring role-based access control to enforce mandatory and discretionary access control policies

ACM Transactions on Information and System Security (TISSEC)
Flexible support for multiple access control policies

ACM Transactions on Database Systems (TODS)
Role-based access control and the access control matrix

ACM SIGOPS Operating Systems Review
Protection

ACM SIGOPS Operating Systems Review

Applying aspect oriented programming to distributed storage metadata management

Proceedings of the 2nd workshop on Best practices in applying aspect-oriented software development
Specification and enforcement of flexible security policy for active cooperation

Information Sciences: an International Journal
The Policy Machine: A novel architecture and framework for access control policy specification and enforcement

Journal of Systems Architecture: the EUROMICRO Journal
An approach for trusted interoperation in a multidomain environment

ATC'06 Proceedings of the Third international conference on Autonomic and Trusted Computing

Quantified Score

Hi-index	0.00

Visualization

Abstract

As a major component of any host, or network operating system, access control mechanisms come in a wide variety of forms, each with their individual attributes, functions, methods for configuring policy, and a tight coupling to a class of policies. To afford generalized protection, NIST has initiated a project in pursuit of a standardized access control mechanism, referred to as the Policy Machine (PM) that requires changes only in its configuration in the enforcement of arbitrary and organization specific attribute-based access control policies. Included among the PM's enforceable policies are combinations of policy instances (e.g., Role-Based Access Control and Multi-Level Security). In our effort to devise a generic access control mechanism, we construct the PM in terms of what we believe to be abstractions, properties and functions that are fundamental to policy configuration and enforcement. In its protection of objects under one or more policy instances, the PM categorizes users and objects and their attributes into policy classes, and transparently enforces these policies through a series of fixed PM functions, that are invoked in response to user or subject (process) access requests.