Conceptualizing and Generalizing Access Control

Abstract

Access control models traditionally have been used to indicate which subjects have access to which objects. This paper conceptualizes access control in terms of information flow. A fundamental concept in this flow is that objects are "things that flow", i.e., that are received, processed, created, released, and transferred. The resulting diagrammatic description specifies the stream of flow between subjects and the system. Accordingly, security policies and constraints can be declared to control the flow in the stream. The paper gives an illustration of this flow-based description and provides examples from the security field that generalize the known access control methods.