Attribute-Based Systems

It has been widely recognized that access control rules for computer resources are difficult to express and manage. There have been many proposals for policy languages, but current systems continue to be complicated and/or inadequately expressive. Approaches such as Role Based Access Control (RBAC) provide better ways to manage access rights by creating bundles of privileges that can be associated with tasks, but the assignment of principals to roles and the structuring of the roles themselves are still challenging. An alternative or complementary strategy is to develop policies in terms of the attributes of principals and resources and the relationships between them. Often the necessary attributes and relations can be found in enterprise databases.

We are developing languages and architectures that use attributes to provide a more flexible and easily-managed approach to access control than Access Control Lists (ACLs) or RBAC can provide by themselves.  One line of investigation concerns messaging systems in the form of Attribute-Based Messaging (ABM), which uses database queries as email addresses.  Another concerns database access control in the form of reflective databases, which use the contents of a database to express access rules for the database itself.  We are exploring applications of these ideas in medical information systems and as added security for multi-tier systems.  A related line of research involves the development of messaging systems that can express and adapt to policies for message exchange.
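The sketch below is an added example, not code from the Illinois Security Laboratory projects: it resolves an attribute-based address against a directory and keeps the sending policy as rows in the same database. The table names, the policy shape and the sample people are assumptions constructed for illustration.

```python
import sqlite3

# Attributes that may appear in an address (hypothetical schema).
COLUMNS = {"dept", "role"}

def build_directory():
    """Constructed sample enterprise directory; every value is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE person(email TEXT PRIMARY KEY, dept TEXT, role TEXT);
        INSERT INTO person VALUES
          ('alice@example.org', 'cardiology', 'physician'),
          ('bob@example.org',   'cardiology', 'nurse'),
          ('carol@example.org', 'billing',    'clerk'),
          ('dave@example.org',  'oncology',   'physician');
        -- Policy stored as data: senders holding sender_role may address on attr.
        CREATE TABLE abm_policy(sender_role TEXT, attr TEXT);
        INSERT INTO abm_policy VALUES
          ('physician', 'dept'), ('physician', 'role'), ('nurse', 'dept');
    """)
    return db

def resolve(db, sender, address):
    """Expand an address, given as ANDed (attribute, value) pairs, to recipients.

    Raises PermissionError when the sender's own attributes do not permit
    addressing on one of the requested attributes.
    """
    if not address:
        raise ValueError("empty address")
    row = db.execute("SELECT role FROM person WHERE email = ?", (sender,)).fetchone()
    if row is None:
        raise PermissionError("unknown sender")
    allowed = {a for (a,) in db.execute(
        "SELECT attr FROM abm_policy WHERE sender_role = ?", (row[0],))} & COLUMNS
    for attr, _ in address:
        if attr not in allowed:
            raise PermissionError(f"{sender} may not address on {attr!r}")
    # Attribute names are allow-listed above; values are bound parameters only.
    where = " AND ".join(f"{attr} = ?" for attr, _ in address)
    sql = f"SELECT email FROM person WHERE {where} ORDER BY email"
    return [e for (e,) in db.execute(sql, [v for _, v in address])]

if __name__ == "__main__":
    db = build_directory()
    print(resolve(db, "alice@example.org", [("dept", "cardiology")]))
```

Because the policy is ordinary rows, granting nurses the right to address by role is a single insert into `abm_policy` rather than a change to any recipient list.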


This webpage is maintained by Fariba Khan.

Last Updated ( Monday, 03 March 2008 )
 
© 2008 Illinois Security Laboratory