Access control by Boolean expression evaluation

Abstract

An access control mechanism based on Boolean expression evaluation is presented. This mechanism allows the implementation of customer-specified, rather than vendor-specified, security policies. The mechanism makes it possible to easily implement such conventional mechanisms as access control lists, named access control lists, user groups, user attributes, user capability lists, and user roles. Additional access restrictions based on time, day, date, location, load average, or any customer-supplied function can be incorporated into access decisions. This mechanism can directly express Clark-Wilson triples, and it can easily implement policies that are difficult or impossible to implement using the Bell-LaPadula model.<>