
Access Control Models: State of the Art and Comparative Study

Mouad Mammass* & Fattehallah Ghadi

Mathematical Modeling and Simulation Team (MMS)
Faculty of Science, Ibn Zohr University
Agadir, Morocco
mouad.mammass@gmail.com, f.ghadi@uiz.ac.ma

Abstract- This paper is devoted to the state of the art on access control models and to a more specific classification of security models into three groups: Access Control, Flow Control and Administration. We propose a comparative study of access control models and evaluate their advantages and limitations as well as their security policies. We then present models of flow control and finally models of administration.

Keywords-security models; access control models; flow control; security; policy; organization

I. INTRODUCTION

Research in the field of information security systems and access control was initiated in the early seventies by the United States Department of Defense, following the emergence of new technical, scientific and social challenges.

Thus, for over forty years, several security models have been successfully developed and implemented within companies or computer systems. Among them are the models DAC [8], MAC [10], I-BAC [18], R-BAC [1,9,15], T-BAC [12], V-BAC [24], T-MAC [14] and Or-BAC [25]. New models generally appear in response to military problems that require a high degree of confidentiality, while civilian problems are more concerned with ensuring integrity.

Access control models are often classified according to the main security policies: Discretionary (discretionary access control, DAC), Mandatory (mandatory access control, MAC), Role-based (role based access control, R-BAC) or organization-based (organization-based access control, Or-BAC).

There are also a number of combinations of these models, such as T-MAC (team-based access control) and T-BAC (task-based access control), which refine and adapt logical access control to the environment in which it is implemented and which are more or less suited to the security policy of the company.

In this paper, we are interested in a more specific classification of security models into Access Control [11], Flow Control [3] and Administration.

In section 2, we present generalities about access control and a state of the art on the different access control models, pointing out their advantages and limitations. Section 3 is devoted to models of flow control and, at the end, section 4 presents the administration part.

II. ACCESS CONTROL

A. Generalities

Access control consists in verifying whether an entity requesting access to a resource has the necessary rights. This is governed by three levels of abstraction: the access control policy, the access control model and the access control mechanism [31].

1) Access Control Policy

An access control policy defines the rights, the prohibitions and the audited information, as well as the persons authorized to access applications and data or to change the access control policy itself. The security policy aims to ensure confidentiality, integrity, non-repudiation and availability. In addition, access control policies adapt over time depending on standards, regulations or the company strategy.

2) Access Control Model

The access control model is the intermediary that bridges the gap between the policy and its implementation. The model supports the predefined policies.

We will see later that the DAC model gives the resource's owner the possibility to manage its permissions. This model ensures data confidentiality.

3) Access Control Mechanism

The access control mechanism implements the predefined security policy. To determine whether a subject can read the information contained in an object, the mechanism can check whether that permission is included in the access control list.

B. State of the Art on Access Control Models

1) I-BAC Model

The I-BAC model (Identity Based Access Control) is the first model proposed in the literature for access control and the simplest one [18]. It introduces the fundamental concepts of subject, object and action:

978-1-4799-4647-1/14/$31.00 ©2014 IEEE


• The subject is the active entity and most often refers to a user or an application executing on behalf of a user.

• The object is the passive entity that refers to information or a resource which a subject can access to perform an action.

• The action is the desired effect when a subject accesses an object (read, write, modify, etc.).

The aim of the I-BAC model is to control any direct access of subjects to objects through the use of actions. This control is based on the identity of the subject and the identifier of the object.

However, this model has limitations: when a new subject or a new object is created, the authorization policy has to be updated to define the new permissions associated with that subject or object, which becomes cumbersome when the number of entities is large.

While the I-BAC model can only grant rights to users represented by their application accounts, the R-BAC model first groups subjects according to common attributes.

2) R-BAC Model

The R-BAC model (Role Based Access Control) was introduced by David Ferraiolo and Richard Kuhn [7,23] and proposes to structure the expression of the authorization policy around the concepts of sessions and roles. The roles represent the relationship between subjects and objects. So, in order to perform an action on an object, the subject must first hold the role with the suitable permissions.

Roles are assigned to subjects in accordance with the function assigned to these subjects in the organization. The basic principle of the R-BAC model is that permissions are directly related to roles and not to individuals.

Compared to the I-BAC model, the management of the authorization policy is simplified since it is not necessary to update the policy when a new subject is created.

However, the actions generally correspond to elementary commands, such as reading the contents of an object or writing an object. In recent applications, the need arises to control the achievement of composite actions, called tasks or activities.

3) T-BAC Model

The T-BAC model (Task Based Access Control [20]) was the first model to introduce the concept of task. Access is granted depending on the task, so the access verification compares this task to the roles containing the task. In other words, tasks can be considered as "sub-roles".

Obviously, the T-BAC model brings a major improvement compared to R-BAC, as it gives a certain granularity and dynamics of work, but it still remains an extended form of the R-BAC model.

4) V-BAC Model

This security model, proposed by SQL for relational databases, allows the structuring of the objects of a security policy and is based on the concept of view. It facilitates the expression and management of an authorization policy. A view is a set of access rights, which are either permissions or prohibitions for operations on objects.

The concept of view is then used to structure the expression of an authorization policy using GRANT (which gives a new permission to a user) and REVOKE (which removes a permission held by a user). So a view is an efficient way to provide access to all the objects contained in the view.

However, in recent applications, it is often necessary to consider several organizations simultaneously.

5) T-MAC Model

The T-MAC model (Team-Based Access Control) was developed by R.K. Thomas [26] to control access to collaborative activities that are better accomplished by collaborators, hence the introduction of the concept of team. In this model, permissions are associated with roles as well as teams, where a "team" is an abstraction that encapsulates a collection of users with specific roles in order to accomplish a task or a specific objective in collaboration. The permissions of a subject result from the combination of the permissions associated with the roles he holds in the team and the authorizations on the team to which the subject belongs.

6) Or-BAC Model

The policies and security models presented so far do not take into account:

• rules that specify contextual permissions or prohibitions;

• rules that specify obligations or recommendations; the models and policies of conventional access control are generally limited to permissions;

• rules specific to the organization. In particular, the organization can be structured into several sub-organizations, each with its own security policy. The security policy should thus provide a homogeneous framework for managing multiple security policies within the same organization.

The Or-BAC model is the result of work carried out in the RNRT MP6 project [30]. The objective of this model is to allow the modeling of a variety of security policies. To reach this goal, and to reduce the complexity of managing access rights, the Or-BAC model is based on four main principles:

• the organization is the central entity of policies and security models;

• there are two levels of abstraction:
  o a concrete level: subject, action, object;
  o an abstract level: role, activity, view;

• the possibility to express permissions, prohibitions, obligations and recommendations [21,22];

• the possibility to express contexts.
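The four principles above, worked through as an added example in Python (not code from the paper or from the Or-BAC project): abstract rules on (organization, role, activity, view, context) are mapped to concrete (subject, action, object) decisions, with a sub-organization inheriting its parent's rules. The relation names Empower/Use/Consider/Hold, the always-true "default" context and the prohibition-wins conflict rule are assumptions of this example.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str, str, str]  # (org, role, activity, view, context)


class OrBAC:
    """Or-BAC decision engine (example code; relation names and conflict
    resolution are assumptions, not the Or-BAC project's implementation)."""

    def __init__(self) -> None:
        self.empower: Set[Tuple[str, str, str]] = set()   # (org, subject, role)
        self.use: Set[Tuple[str, str, str]] = set()       # (org, object, view)
        self.consider: Set[Tuple[str, str, str]] = set()  # (org, action, activity)
        self.hold: Set[Tuple[str, str, str, str, str]] = set()  # (org, subj, act, obj, context)
        self.permissions: List[Rule] = []
        self.prohibitions: List[Rule] = []
        self.parent: Dict[str, str] = {}  # sub-organization -> parent organization

    def lineage(self, org: str) -> List[str]:
        """The organization and its ancestors: a sub-organization inherits their rules."""
        chain = [org]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain

    def holds(self, org, subject, action, obj, context) -> bool:
        # "default" is the always-true context (assumption of this example).
        return context == "default" or (org, subject, action, obj, context) in self.hold

    def _applies(self, rule: Rule, org, subject, action, obj) -> bool:
        r_org, role, activity, view, context = rule
        return (r_org in self.lineage(org)
                and (org, subject, role) in self.empower
                and (org, action, activity) in self.consider
                and (org, obj, view) in self.use
                and self.holds(org, subject, action, obj, context))

    def is_permitted(self, org, subject, action, obj) -> bool:
        """Concrete decision: some permission applies and no prohibition does
        (prohibition-wins conflict resolution is an assumption of this example)."""
        if any(self._applies(p, org, subject, action, obj) for p in self.prohibitions):
            return False
        return any(self._applies(p, org, subject, action, obj) for p in self.permissions)


def build_sample() -> OrBAC:
    """Constructed sample: a hospital with a cardiology sub-organization."""
    pol = OrBAC()
    pol.parent["cardiology"] = "hospital"
    # Abstract level: rules are written once, per organization and role.
    pol.permissions.append(("hospital", "physician", "consult", "medical_record", "default"))
    pol.permissions.append(("hospital", "physician", "update", "medical_record", "default"))
    pol.permissions.append(("hospital", "nurse", "consult", "medical_record", "urgency"))
    # Sub-organization refinement: off-duty physicians may not update records.
    pol.prohibitions.append(("cardiology", "physician", "update", "medical_record", "off_duty"))
    # Concrete level: who plays which role, which object is in which view, etc.
    pol.empower |= {("cardiology", "alice", "physician"), ("cardiology", "bob", "nurse")}
    pol.use.add(("cardiology", "rec42", "medical_record"))
    pol.consider |= {("cardiology", "read", "consult"), ("cardiology", "write", "update")}
    pol.hold.add(("cardiology", "alice", "write", "rec42", "off_duty"))
    return pol
```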


It is important to note that the organization is an agreement between subjects with specific roles for forming this organization. Figure (1) expresses that users and organizations are considered as subjects (active entities) and, as such, can play roles.

[Figure 1]

Fig. 1. Subject, Organization and Role

So, in addition to having a policy independent of its security implementation, the Or-BAC model takes into account contexts, hierarchies and delegation. The introduction of the concrete and abstract levels allows the structuring of entities as shown in Figure (2).

[Figure 2: diagram with an Abstract level and a Concrete level]

Fig. 2. Schema of Or-BAC model interactions [29].

C. Comparative Table of Access Control Models

As noted in this state of the art on access control models, each model has its strengths and limitations and corresponds to specific activities. Table (1) presents a synthesis of the advantages and limits of the models in this state of the art.

Model | Basic Concepts | Advantages | Limits
I-BAC | Control of any direct access of subjects to objects through the use of actions. | Simplicity. Based on elementary concepts (subject, object and action). | Cumbersome update of the authorization policy.
R-BAC | Introduces the concept of role. Groups the subjects based on common attributes. | Access policy simplified by the management of roles instead of subjects. | Does not allow the control of composite or complex actions.
T-BAC | Introduces the concept of task. Access granted depending on the task. | Granularity and dynamics of work. | Does not allow the structuring of objects.
V-BAC | Based on the concept of view. Allows the structuring of objects in a security policy. | Allows access to all objects in the view. | Does not take into account the simultaneous cooperation of users from various organizations.
T-MAC | Based on the concept of team. | Allows the encapsulation of a group of users with specific roles to accomplish a task or a specific objective by collaborating. | Redundancy in the authorizations granted to the subject and the team.
Or-BAC | Introduces the concepts of organization and context. | Allows the specification of prohibitions, obligations and recommendations. Independence between the security policy and its implementation. | Does not support very large infrastructures. No integrity control.

Tab 1. Comparative Table of Access Control Models

III. FLOW CONTROL

The access control models presented in Section 2 cannot prevent malicious actions. This does not mean that these access control models are useless: if we want to prevent attacks by Trojans, it suffices to use these models to define the authorization policy for users and trusted applications, that is to say, applications that we can guarantee to be free of traps.

To control the execution of applications that can cause an attack, other models, called flow control models (or MAC, Mandatory Access Control), have been defined. The objective of these models is precisely to ensure the containment of applications to prevent attacks by Trojans.

As several models of MAC type for confidentiality have been defined, we present here the most famous of them, the Bell-LaPadula model [2,3]. We then present the Biba model, of MAC type for integrity [5].

Flow control models for confidentiality and for integrity are complementary: they must be combined to ensure both security properties (confidentiality and integrity).

A. Bell-LaPadula Model (Confidentiality)

Confidentiality is one of the most important concepts to integrate into an organization that possesses sensitive information subject to classification by level. The reference model in this domain is the Bell-LaPadula model, the first model of MAC type, developed by D. E. Bell and L. J. La Padula in 1973 [2,3] to formalize the multi-level security policy of the US Department of Defense.

So the authorization policy associated with subjects is simple:

• A subject has permission to read an object if its clearance level is greater than or equal to the sensitivity degree of the object. This condition is called "No Read Up".

• A subject has permission to write to an object only if the sensitivity degree of the object is greater than or equal to the clearance level of the subject. This condition is called "No Write Down".

• A subject can only create content at its security level or above (a subject with a Secret level can create objects with the following degrees of sensitivity: Secret and Top Secret, but not Confidential or Unclassified).

[Figure 3: a User at the Secret level facing Resources classified Top Secret, Secret and Confidential]

Fig. 3. Example of the Bell-LaPadula model

Confidentiality is achieved by this model by limiting the number of subjects who have read access to sensitive objects at a level higher than their own.

B. Biba Model (Integrity)

The usual definition of mandatory access control specifies that the restrictions on the flow of information are independent of the subject's actions. Although this definition often refers to the Bell-LaPadula model for confidentiality, several systems set up this type of control to ensure integrity (such as banks).

The Biba model [4,19], called the inverted Bell-LaPadula model [29], is the first model that takes integrity into account. Indeed, Biba noticed that confidentiality and integrity are dual concepts. Confidentiality is a constraint on who is allowed to read an object, while integrity is a constraint on who is allowed to write to the object or change it.

Thus, in the Bell-LaPadula model, information cannot flow to lower levels, to prevent the leakage of sensitive data. Conversely, in the Biba model, information cannot migrate to higher levels (of high integrity); otherwise contaminated content (virus, Trojan, etc.) from the lower levels (of low integrity) could contaminate data of higher levels.

In general, these constraints correspond to the dual properties of those of Bell-LaPadula: "No Write Up" and "No Read Down".

• No Write Up: a subject with a given security level can only create content at its level or below. In case of contamination, the Trojan cannot attack data with a higher level of sensitivity than the one in which the virus was installed; this is called containment.

• No Read Down: a subject can only see content at or above its level. In case of contamination, the attacker does not have the ability to control the Trojans remotely.

[Figure 4: a User at the Secret level facing Resources at the Top Secret, Secret and Confidential levels]

Fig. 4. Example of the Biba model

With these constraints, the number of subjects that can change an object is limited and the objective of integrity is achieved.

IV. ADMINISTRATION

Administration is the management and control of all the components of the security policy, such as users, actions, objects, roles, permissions, etc.

The specification of the security policy and its update are the two most important administration tasks. Security models are not all accompanied by a model for their administration. The discretionary model of Harrison, Ruzzo and Ullman (HRU) [11,13] is the most famous administration model.

Discretionary access control (DAC [18]) is a conceptual model whose principle is to limit access to objects according to the identity of users (human, machine, etc.) or of the groups to which they belong. This model is based on the concept of ownership: each object (or resource) has an owner who decides which subjects have access to this object.

The control of an object is said to be discretionary in the sense that an owner with a predefined access authorization can delegate the access rights to another subject (except for the restrictions of mandatory access control).
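The Bell-LaPadula and Biba rules of Section III, combined as that section requires, as an added example in Python (not code from the paper): the four levels follow Figures 3 and 4; reusing the same scale for integrity, the `Label` type and the `can_copy` containment helper are this example's assumptions.

```python
from enum import IntEnum
from typing import NamedTuple


class Level(IntEnum):
    """Linearly ordered classification levels, as in the paper's Figures 3 and 4."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Label(NamedTuple):
    """A subject's clearance (or an object's sensitivity) plus an integrity level.
    Reusing the same four-level scale for integrity is an assumption of this example."""
    confidentiality: Level
    integrity: Level


# Bell-LaPadula (confidentiality): "No Read Up", "No Write Down".
def blp_read(subject: Label, obj: Label) -> bool:
    return subject.confidentiality >= obj.confidentiality


def blp_write(subject: Label, obj: Label) -> bool:
    return obj.confidentiality >= subject.confidentiality


# Biba (integrity): the dual properties, "No Read Down", "No Write Up".
def biba_read(subject: Label, obj: Label) -> bool:
    return obj.integrity >= subject.integrity


def biba_write(subject: Label, obj: Label) -> bool:
    return subject.integrity >= obj.integrity


def allowed(subject: Label, action: str, obj: Label) -> bool:
    """Combined flow control: the access must satisfy both models."""
    if action == "read":
        return blp_read(subject, obj) and biba_read(subject, obj)
    if action == "write":
        return blp_write(subject, obj) and biba_write(subject, obj)
    raise ValueError(f"unknown action {action!r}")


def can_copy(subject: Label, src: Label, dst: Label) -> bool:
    """Containment check: could a program running with `subject`'s label (a Trojan,
    for instance) move data from `src` into `dst`?  It needs a read on the source and
    a write on the destination, so the mandatory rules bound every such flow."""
    return allowed(subject, "read", src) and allowed(subject, "write", dst)


if __name__ == "__main__":
    user = Label(Level.SECRET, Level.SECRET)
    secret_doc = Label(Level.SECRET, Level.SECRET)
    public_share = Label(Level.UNCLASSIFIED, Level.UNCLASSIFIED)
    # Bell-LaPadula forbids the write down, so the leak is contained.
    print("leak to public share:", can_copy(user, secret_doc, public_share))
```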
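The owner-decided, discretionary control just described, as an added example in Python (not code from the paper or from HRU): an access matrix administered by a few HRU-style commands, plus an audit helper that compares who holds a right with who the owner actually authorized. The command names, the `own` right and the audit helper are this example's assumptions.

```python
from typing import Dict, Set, Tuple

# The HRU access matrix: subject -> object -> set of rights (in-memory, constructed).
Matrix = Dict[str, Dict[str, Set[str]]]


class HRUSystem:
    """Access matrix administered by commands in the style of Harrison, Ruzzo and
    Ullman.  The command names and the 'own' right are assumptions of this example."""

    def __init__(self) -> None:
        self.subjects: Set[str] = set()
        self.matrix: Matrix = {}
        # Who the owner explicitly authorized, per (object, right): the reference an
        # auditor compares the live matrix against.
        self.owner_granted: Dict[Tuple[str, str], Set[str]] = {}

    def create_subject(self, s: str) -> None:
        # Each new entity adds a row (or column) that every later decision must consider.
        self.subjects.add(s)
        self.matrix.setdefault(s, {})

    def create_object(self, owner: str, o: str) -> None:
        self.matrix[owner].setdefault(o, set()).add("own")

    def rights(self, s: str, o: str) -> Set[str]:
        return self.matrix.get(s, {}).get(o, set())

    def grant(self, owner: str, s: str, o: str, right: str) -> bool:
        """Discretionary control: only the owner decides who is authorized."""
        if "own" not in self.rights(owner, o) or s not in self.subjects:
            return False
        self.matrix[s].setdefault(o, set()).add(right)
        self.owner_granted.setdefault((o, right), set()).add(s)
        return True

    def delegate(self, holder: str, s: str, o: str, right: str) -> bool:
        """Any holder may pass a right on; the owner is not consulted."""
        if right not in self.rights(holder, o) or s not in self.subjects:
            return False
        self.matrix[s].setdefault(o, set()).add(right)
        return True

    def holders(self, o: str, right: str) -> Set[str]:
        return {s for s in self.subjects if right in self.rights(s, o)}

    def delegated_holders(self, o: str, right: str) -> Set[str]:
        """Audit: subjects holding `right` on `o` that the owner never authorized."""
        return self.holders(o, right) - self.owner_granted.get((o, right), set())
```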
This type of policy has major flaws:

• the overall security policy can be compromised by a single subject if he commits an error, intentionally or not;

• at each change of entity (subject or object), the access control matrix must be recalculated;

• a subject who is able to gain access to resources may delegate the access rights to an unauthorized subject.

HRU is a matrix model defined from a set of subjects, a set of objects and a set of administration rules.

However, its implementation consumes a lot of memory when the number of users is large, and the constitution and maintenance of groups are delicate because a subject can belong to several groups. The HRU model nevertheless has the advantage of being simple to describe; it allows simple modeling and supports a decentralized policy.

V. CONCLUSION

We presented in this paper a state of the art on access control models, showing their advantages and limitations. We also presented the best known models of flow control and administration.

We can say that the Or-BAC model is the most evolved one and that, associated with a flow control model that takes integrity into account, it would be more complete.

As a perspective, we will focus on the implementation of the case of an organization.

ACKNOWLEDGMENT

This work is supported by the National Center for Scientific and Technical Research (CNRST) through an excellence scholarship (J 006/009).

REFERENCES

[1] J. Barkley, Implementing role based access control using object technology. First ACM Workshop on Role-Based Access Control, 1995.
[2] D.E. Bell and L.J. La Padula, Secure computer systems. Mathematical Foundations. Hanscom AFB, Bedford, MA, Rep. ESD-TR-73-278, vol. 1, ESD/AFSC, 1973.
[3] D.E. Bell and L.J. La Padula, Secure computer systems. Unified exposition and MULTICS interpretation. MITRE Corp., MTR-2997, 1975.
[4] K.J. Biba, Integrity considerations for secure computer systems. Technical Report ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA, April 1977.
[5] D.D. Clark and D.R. Wilson, A comparison of commercial and military computer security policies. IEEE, 1987.
[6] U.S. Dep. Defense, Defense trusted computer system evaluation criteria. Rep. DOD 5200.28-STD, 1985.
[7] J. B. D. Joshi, E. Bertino and A. Ghafoor, Formal foundations for hybrid role hierarchy. ACM Transactions on Information and Systems Security, November 2007.
[8] R.J. Feiertag, A technique for proving specifications are multilevel secure. Computer Science Lab Report CSL-109, Menlo Park, Cal.: SRI International, 1980.
[9] S. Gavrila and J. Barkley, Formal specification for role based access control user-role and role-role relationship management. Third ACM Workshop on Role-Based Access Control, 1998.
[10] C.E. Landwehr, C.L. Heitmeyer and J. McLean, A security model for military message systems. ACM Trans. Comput. Syst., Vol. 2: 198-222, 1984.
[11] B.W. Lampson, Protection. ACM, Vol. 8 N. 1: 18-24, January 1974.
[12] N. Dimmock, J. Bacon, D. Ingram and K. Moody, Risk models for trust-based access control (tbac). iTrust International Conference, Paris, Springer Berlin, vol. 3477 No. 3.
[13] M.A. Harrison, W.L. Ruzzo and J.D. Ullman, Protection in operating systems. ACM, Vol. 19 N. 8: 461-471, August 1976.
[14] Roshan K. Thomas, Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments. Proceedings of the second ACM workshop on Role-based access control, pages 13-19, 1997.
[15] R. E. Brooks, Role-based access control, www.rbac.com.
[16] Fabien, OrBAC: Organization Based Access Control, www.orbac.org.
[17] M. Abrams, K. Eggers, L. LaPadula and I. Olson, A generalized framework for access control: An informal description. Proceedings of the 13th National Computer Security Conference, Washington, October 1990.
[18] B. Lampson, Protection. 5th Princeton Symposium on Information Sciences and Systems, pages 437-443, March 1971.
[19] K. J. Biba, Integrity consideration for secure computer systems. Technical Report MTR-3153, The MITRE Corporation, June 1975.
[20] R. Thomas and R. Sandhu, Task-based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-oriented Authorization Management. 11th IFIP Working Conference on Database Security, Lake Tahoe, California, USA, 1997.
[21] N. Damianou, N. Dulay, E. Lupu and M. Sloman, The Ponder Policy Specification Language. International Workshop, Policies for Distributed Systems and Networks (Policy 2001), Bristol, UK, 29-31 January 2001.
[22] C. Bettini, S. Jajodia, X. S. Wang and D. Wijesekera, Obligation Monitoring in Policy Management. International Workshop, Policies for Distributed Systems and Networks (Policy 2002), Monterey, CA, 5-7 June 2002.
[23] R. Sandhu, E. J. Coyne, H. L. Feinstein and C.E. Youman, Role-based access control models. IEEE Computer, 29(2): 38-47, 1996.
[24] R. Lentzner, SQL 3: Initiation et Programmation, 2004.
[25] A. Abou El Kalam, R. El Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miege, C. Saurel and G. Trouessin, Or-BAC: un modele de controle d'acces base sur les organisations. Cahiers francophones de la recherche en securite de l'information, Numero 11, 1er trimestre 2003, pp. 30-43.
[26] C. K. Georgiadis, I. Mavridis, G. Pangalos and R. K. Thomas, Flexible Team-based Access Control Using Contexts, 2001.
[27] T. Albain, "L'insuffisance du modele R-BAC", September 2011.
[28] A. Ghadi, Modele hierarchique de controle d'acces d'UNIX base sur un graphe de roles. These, January 2010.
[29] Y. Deswarte and L. Me, Traite IC2 Securite des reseaux et systemes repartis, tome 2, September 2005.
[30] RNRT MP6 project (communication and information system models and security policies of health care and social matters).
[31] A. Jumelet, Le controle d'acces logique: gestion des autorisations. TechNet Blogs, November 2010.
