Access Control: Principles and Practice

  • It shows a logical picture of security services and their interactions during a user logging into a system.
  • Authorization (access control) should be done after authentication. Authentication service establishes the correct user identity.
  • Authentication and access control services should be audited to provide better security.
  • It is highly desirable to develop access control mechanisms that are largely independent of the policy for which they could be used.
  • The access matrix provides a conceptual model that specifies the rights (privileges) that each subject (user or program) for each object.
  • An access matrix is usually implemented as a ACL (access control list), capabilities or authorization relations.
  • There are three types of access control policies: mandatory, discretionary and role-based.


Sandhu et. al, Access Control: Principles and Practice, IEEE Communications, 1994

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s