
A Survey: Access Control Mechanism

Vibhu Yadav, Rahul Yadav, Himani Verma


Information Technology, NIT KKR
smartyvibhuse@gmail.com, rahulyadav7477@gmail.com, vrmhimani@gmail.com

Abstract:
Access control is any mechanism by which a system grants or withholds the right to access some data or to
perform some action. It is the process of mediating every request for the resources and data held by a system and
deciding whether the request should be granted or denied. The decision is reached by applying the policies and
rules configured for the system. Access control systems govern the following kinds of rights:

File permissions: the permission to create, read, edit or delete files.

Program permissions: the right to execute a program, for example on an application server.

Data rights: the permissions required to read or update data in a database system.

Keywords:
Access Control Mechanism, Computer Security, DAC, MAC, RBAC.

Introduction:
Access control mechanisms are a necessary and crucial design element of any application's security. A web
application should protect data and system resources by imposing access control restrictions, i.e. restricting what
users can do, which resources they can access, and which functions they are allowed to perform on the data.
Ideally, an access control scheme should protect against unauthorized viewing, fabrication, modification or copying
of data. Access control mechanisms can also help restrict harmful code execution or unauthorized actions by an
attacker who exploits infrastructure dependencies (DNS server, ACE server, etc.).
Authorization and access control are terms often mistakenly interchanged. Authorization is the process of checking
whether a user has the proper permissions to access a specified file or perform a particular task, assuming that the
user has already authenticated successfully; access control is the mechanism that enforces that decision on every
request. Authorization is very much credential focused and depends on specific rules and access control lists preset
by the web application administrator(s) or data owners. Typical authorization checks test for membership of a
particular user group, possession of a specific clearance, or presence of the user on a resource's access control list,
much as a bouncer at an exclusive nightclub checks the guest list. Any access control mechanism therefore depends on
effective, forgery-resistant authentication of the credentials that authorization relies on.

Types of Access Control Mechanism:

There are various types of access control mechanism. Those discussed here are DAC, MAC, RBAC and rule based access control, followed by two application-level policies, the Chinese wall policy and the Clark-Wilson model.

Discretionary Access Control (DAC):


DAC is based on user discretion: the owner of a resource may grant access rights on that resource to other users as
he sees fit. An access control list (ACL) is the typical DAC implementation, and setting the rwx (read, write,
execute) permissions on a Unix file you own is an everyday example. Most operating systems, including Windows and
the various flavors of Unix, are based on the DAC model.
The advantage of DAC is its flexibility: owners can share information as their work requires, and the system keeps,
per resource, a record of which users are authorized to use it.
The disadvantage of DAC is that it gives no assurance about the flow of information. Once a user can read an object,
nothing stops that user, or any program running with that user's rights, from copying its contents into another
object whose ACL is more permissive, so a copy of the original can be obtained without the owner's permission. A
malicious program (a Trojan horse) planted by an attacker and executed by a legitimate user can in this way leak
data or change the DAC policy on that user's behalf, because the system cannot distinguish the user's own actions
from the program's. Information is therefore protected inconsistently across the system.
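The information-flow weakness described above, as an added example that is not part of the survey: a toy DAC reference monitor with owner-controlled ACLs, and a constructed scenario (users alice and mallory, file names and contents are hypothetical) in which every single access is correctly permitted by the ACLs yet alice's secret still ends up readable by mallory.

```python
from dataclasses import dataclass, field

RIGHTS = {"r", "w", "x"}


@dataclass
class File:
    owner: str
    content: str = ""
    # ACL: subject -> set of rights. Only the owner edits it (the "discretion").
    acl: dict = field(default_factory=dict)


class DACSystem:
    """Toy reference monitor for owner-controlled ACLs (hypothetical, not a real OS API)."""

    def __init__(self):
        self.files = {}

    def create(self, owner: str, name: str, content: str = "") -> None:
        self.files[name] = File(owner, content, {owner: set(RIGHTS)})

    def grant(self, actor: str, name: str, subject: str, rights: set) -> None:
        f = self.files[name]
        if actor != f.owner:
            raise PermissionError(f"{actor} does not own {name}")
        f.acl.setdefault(subject, set()).update(rights & RIGHTS)

    def allowed(self, subject: str, name: str, right: str) -> bool:
        return right in self.files[name].acl.get(subject, set())

    def read(self, subject: str, name: str) -> str:
        if not self.allowed(subject, name, "r"):
            raise PermissionError(f"{subject} may not read {name}")
        return self.files[name].content

    def write(self, subject: str, name: str, content: str) -> None:
        if not self.allowed(subject, name, "w"):
            raise PermissionError(f"{subject} may not write {name}")
        self.files[name].content = content


def trojan_horse_leak() -> str:
    """Constructed scenario: mallory cannot read alice's secret directly, but a
    program alice runs (planted by mallory) copies it into a file mallory owns.
    Each individual access is legitimately granted, because the monitor checks
    the ACL per access and cannot reason about where the data flows afterwards."""
    fs = DACSystem()
    fs.create("alice", "/home/alice/secret.txt", "launch code 1234")
    fs.create("mallory", "/tmp/drop.txt")
    fs.grant("mallory", "/tmp/drop.txt", "alice", {"w"})   # mallory's discretion
    assert not fs.allowed("mallory", "/home/alice/secret.txt", "r")  # direct read denied
    # The Trojan horse runs with alice's identity and therefore alice's rights.
    secret = fs.read("alice", "/home/alice/secret.txt")
    fs.write("alice", "/tmp/drop.txt", secret)
    return fs.read("mallory", "/tmp/drop.txt")   # the leak: alice's secret


if __name__ == "__main__":
    print("mallory obtained:", trojan_horse_leak())
```

The monitor never misbehaves: the leak is a property of the policy, which is exactly why the MAC model below takes the decision away from the user and labels the data instead.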

Mandatory Access Control (MAC):


In this model users and owners do not have the privilege of deciding who can access their files; the user's wishes
are overridden by the operating system. Every subject (a user or a process acting for one) and every object (a
resource) is classified and assigned a security label. The labels of subject and object, together with the security
policy, determine whether the subject may access a particular object. The rules for how subjects access objects are
made by the security officer, configured by the administrator, enforced by the operating system and supported by
security technologies.
The advantage of MAC is that it controls the flow of information rather than individual accesses, so the policy can
guarantee that information never moves between levels in the forbidden direction: a confidentiality policy such as
Bell-LaPadula forbids flow from high to low (no read up, no write down), and an integrity policy such as Biba forbids
flow from low to high, which is what protects the integrity of the data. MAC is mostly used in military and
government applications and provides multilevel security: it prevents unauthorized users from making changes, and
when labels also carry compartments the resulting lattice gives multilateral security, separating information
between departments as well as between levels. Because every access is mediated by the system and not by the owner,
information stored in a cloud under such a policy is better isolated. Access to an object is authorized or denied on
the basis of the object's security level and the subject's clearance, never on the user's choice.
The disadvantages of MAC are lower scalability and limited adaptability: it does not fit all types of application,
and once a security level has been assigned to a subject or object it cannot be changed by the user but only by the
security officer, so labelling must be administered centrally.
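The label lattice and the two flow directions mentioned above, as an added example (not from the survey): labels with a level and a set of compartments, a dominance relation, and the Bell-LaPadula and Biba decision rules driven by a reference monitor that the subject cannot influence. The level names and compartments are hypothetical.

```python
from dataclasses import dataclass

# Linear ordering of classification levels (hypothetical names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # e.g. {"NUC", "CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level is at least as high AND the
        compartment set is a superset. Two labels may be incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up (simple security property),
    no write down (*-property). Information can only flow from low to high."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba strict integrity: no read down, no write up. Information can only
    flow from high integrity to low integrity, the dual of Bell-LaPadula."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(policy, subject: Label, obj: Label, op: str) -> str:
    """Every access goes through here; labels are fixed by the security officer
    and the subject has no API to relabel anything."""
    return "GRANT" if policy(subject, obj, op) else "DENY"


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUC"}))
    memo = Label("CONFIDENTIAL")
    for op in ("read", "write"):
        print(f"BLP  {op:5}: {reference_monitor(blp_allows, analyst, memo, op)}")
        print(f"Biba {op:5}: {reference_monitor(biba_allows, analyst, memo, op)}")
```

Note that the two policies disagree on the same request: under Bell-LaPadula a SECRET subject may read but not write a CONFIDENTIAL object, under Biba it may write but not read it. A system that needs both confidentiality and integrity has to evaluate both rules.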

Role Based Access Control (RBAC):


RBAC is a very common term across enterprises nowadays. In this model access to a resource is governed by the role
the subject holds within an organization: permissions are assigned to roles, and users acquire permissions by being
assigned to roles. RBAC is also called non-discretionary access control because the user inherits the privileges
tied to his role and has no control over which role he is assigned; role membership is administered centrally. Each
of the above access models has advantages and disadvantages. An organization should select the appropriate model by
considering factors such as the type of business, the number of users and the organization's security policy.

Fig: DAC, MAC and RBAC (reference from Cloud Audit).

Rule Based Access Control Mechanism:


Rule based access control introduces some ambiguity, because it is often abbreviated with the same four letters
(RBAC) as role based access control. Under rule based access control, access to a resource object is allowed or
denied according to a set of rules defined by a system administrator. As with discretionary access control, the
access properties are stored in an access control list (ACL) associated with each resource object; when an account
or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object.
Examples of rule based access control include permitting an account or group to use a network connection only at
certain hours of the day or on certain days of the week. As with MAC, the rules cannot be changed by users: all
access permissions are controlled solely by the system administrator.

Figure: Role Based Model
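The role based and rule based models of the two preceding sections combined in one added example (not from the survey): a role-permission layer that users cannot alter themselves, and an administrator-defined rule layer with time-of-day and weekday conditions evaluated with deny-overrides semantics. The roles, resources, hours and users are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Rule:
    roles: set                      # roles the rule applies to; {"*"} means all
    resource: str                   # resource name prefix ("" matches everything)
    effect: str                     # "allow" or "deny"
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    weekdays: set = field(default_factory=lambda: set(range(7)))  # 0 = Monday

    def matches(self, roles: set, resource: str, when: datetime) -> bool:
        return ((self.roles == {"*"} or bool(self.roles & roles))
                and resource.startswith(self.resource)
                and self.start <= when.time() <= self.end
                and when.weekday() in self.weekdays)


class AccessControl:
    def __init__(self):
        self.role_perms = {}   # role -> {(resource, action)}
        self.user_roles = {}   # user -> {role}; set only by the administrator
        self.rules = []

    # --- administration; ordinary users have no access to these ---
    def add_role(self, role: str, perms: set) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    # --- decision ---
    def check(self, user: str, resource: str, action: str, when: datetime) -> bool:
        roles = self.user_roles.get(user, set())
        # Role layer: some role of the user must carry the permission.
        if not any((resource, action) in self.role_perms.get(r, set()) for r in roles):
            return False
        # Rule layer: a matching deny always wins; otherwise an explicit allow is required.
        matched = [r for r in self.rules if r.matches(roles, resource, when)]
        if any(r.effect == "deny" for r in matched):
            return False
        return any(r.effect == "allow" for r in matched)


def build_demo() -> AccessControl:
    """Constructed configuration for a small bank (hypothetical)."""
    ac = AccessControl()
    ac.add_role("teller", {("vault", "read")})
    ac.add_role("auditor", {("vault", "read"), ("ledger", "read")})
    ac.assign("alice", "teller")
    ac.assign("bob", "auditor")
    # Everyone: business hours, Monday to Friday.
    ac.add_rule(Rule({"*"}, "", "allow", time(9, 0), time(17, 0), set(range(5))))
    # Auditors may additionally read the ledger at weekends.
    ac.add_rule(Rule({"auditor"}, "ledger", "allow", weekdays={5, 6}))
    # Tellers are locked out of the vault on Fridays (deny overrides the allow).
    ac.add_rule(Rule({"teller"}, "vault", "deny", weekdays={4}))
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.check("alice", "vault", "read", datetime(2024, 3, 13, 10, 0)))   # Wednesday
    print(ac.check("alice", "vault", "read", datetime(2024, 3, 15, 10, 0)))   # Friday
```

The order of the two layers matters for the audit trail: a request that fails the role check is a missing permission, while one that fails the rule check is a policy restriction on a permission the user does hold, and the two should be logged differently.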

Chinese wall policy


Brewer and Nash proposed the Chinese wall policy [BN89] to address conflict-of-interest issues arising from
consulting activities in banking and other financial disciplines. The policy is application-specific: it applies to
a narrow set of activities tied to particular business transactions. For example, consultants are naturally given
access to proprietary information in order to provide a service for their clients. When a consultant acquires
knowledge amounting to insider information about one client, that knowledge could be used outside the organization,
undermining the competitive advantage of one or both institutions, or used for personal gain. The aim of the Chinese
wall policy is to prevent such illicit flows of information that would result in conflicts of interest: once a
consultant has accessed information belonging to one company, he is denied access to every competitor in the same
conflict-of-interest class.
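The policy above as a history-based reference monitor, an added example that is not part of the survey: objects belong to company datasets, datasets belong to conflict-of-interest classes, the simple security rule decides reads from the consultant's access history, and the *-property restricts writes so that data cannot be laundered through a third company's files. Companies, classes and consultants are constructed for the example; the history-based reading of the *-property is one common simplification of the paper's rule.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Obj:
    name: str
    company: str             # company dataset the object belongs to
    sanitized: bool = False  # public information, outside every wall


@dataclass
class Consultant:
    name: str
    history: set = field(default_factory=set)  # unsanitized datasets read so far


class ChineseWall:
    def __init__(self, coi_of: dict):
        self.coi_of = coi_of  # company dataset -> conflict-of-interest class

    def read_allowed(self, s: Consultant, o: Obj) -> bool:
        """Simple security rule: allowed if the object is sanitized, belongs to
        a dataset the consultant already works on, or lies in a conflict class
        in which the consultant has touched no dataset yet."""
        if o.sanitized or o.company in s.history:
            return True
        return all(self.coi_of[c] != self.coi_of[o.company] for c in s.history)

    def read(self, s: Consultant, o: Obj) -> bool:
        """Mediates the access and records it: the wall goes up on first access."""
        if not self.read_allowed(s, o):
            return False
        if not o.sanitized:
            s.history.add(o.company)
        return True

    def write_allowed(self, s: Consultant, o: Obj) -> bool:
        """*-property (history-based reading): a consultant may write into a
        dataset only if he may read it and has read no other unsanitized
        dataset. Otherwise he could copy Bank A's data into Oil X's files, where
        a colleague who is cleared for Bank B can read it."""
        return (self.read_allowed(s, o) and not o.sanitized
                and all(c == o.company for c in s.history))


if __name__ == "__main__":
    wall = ChineseWall({"BankA": "banks", "BankB": "banks", "OilX": "oil"})
    alice = Consultant("alice")
    print(wall.read(alice, Obj("BankA accounts", "BankA")))   # True, wall goes up
    print(wall.read(alice, Obj("BankB accounts", "BankB")))   # False, same class
    print(wall.read(alice, Obj("OilX report", "OilX")))       # True, other class
```

A consequence worth noticing: after alice has read datasets in two different classes she can no longer write anywhere, which is exactly the Brewer-Nash result that a consultant who reads freely can write into at most one company's dataset.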

Clark and Wilson model


The primary objective of the Clark and Wilson model [CW87] is the prevention of fraud and error in commercial
systems. Fraud is typically achieved by unauthorized modification of information, while error typically causes
inconsistency of information. Both concerns can be addressed by enforcing integrity policies. The Clark-Wilson model
formalizes two basic principles for achieving information integrity: well-formed transactions and separation of duty.
The concept of well-formed transactions is that a principal may manipulate data only in constrained ways that
preserve its integrity. A very common and effective mechanism employed in accounting is double entry bookkeeping:
every transaction is recorded twice, once as a credit and once as a debit, so that a later balance check reveals any
entry that was not recorded correctly. Well-formed transactions are intended to ensure the internal consistency and
accuracy of the data.
The principle of separation of duty attempts to ensure external consistency, i.e. that the data in the system reflect
the real-world entities they represent: when a payment is recorded on an account as the fulfillment of a purchase,
there was indeed such a purchase and not a fraud. This correspondence to external entities is often abstract and
hard to verify directly. Separation of duty verifies it indirectly by dividing a task among several principals;
provided these principals do not conspire, the mechanism should prevent both fraud and error.
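Both Clark-Wilson principles in one added example (not from the survey): the ledger is a set of constrained data items that only certified transformation procedures may change, an integrity verification procedure checks the double entry invariant, and approving a payment requires a principal different from the one who entered it. The account names, principals and certification table are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Constrained data items (CDIs): the two books plus payments awaiting approval."""
    debits: dict = field(default_factory=dict)    # account -> total debited
    credits: dict = field(default_factory=dict)   # account -> total credited
    pending: dict = field(default_factory=dict)   # payment id -> (entered_by, src, dst, amount)


def ivp_balanced(ledger: Ledger) -> bool:
    """Integrity verification procedure: every posted amount appears once as a
    debit and once as a credit, so the two books must sum to the same total."""
    return sum(ledger.debits.values()) == sum(ledger.credits.values())


class ClarkWilson:
    def __init__(self, certifications: dict):
        # principal -> set of transformation procedures (TPs) he is certified to run
        self.cert = certifications
        self.ledger = Ledger()
        self._seq = 0

    def _certified(self, who: str, tp: str) -> None:
        if tp not in self.cert.get(who, set()):
            raise PermissionError(f"{who} is not certified to run {tp}")

    def enter_payment(self, who: str, src: str, dst: str, amount: int) -> int:
        """TP 1: record the intent to pay; nothing is posted to the books yet."""
        self._certified(who, "enter_payment")
        if amount <= 0:
            raise ValueError("amount must be positive")
        self._seq += 1
        self.ledger.pending[self._seq] = (who, src, dst, amount)
        return self._seq

    def approve_payment(self, who: str, pid: int) -> None:
        """TP 2: post the payment as one well-formed transaction."""
        self._certified(who, "approve_payment")
        entered_by, src, dst, amount = self.ledger.pending[pid]
        if entered_by == who:
            # Separation of duty: a single principal cannot both create and
            # approve a payment, so a fictitious purchase needs two conspirators.
            raise PermissionError("approver must differ from the principal who entered the payment")
        # Both entries are posted together or not at all (double entry).
        self.ledger.debits[src] = self.ledger.debits.get(src, 0) + amount
        self.ledger.credits[dst] = self.ledger.credits.get(dst, 0) + amount
        del self.ledger.pending[pid]
        assert ivp_balanced(self.ledger)   # the TP must leave the CDIs consistent


if __name__ == "__main__":
    cw = ClarkWilson({"clerk": {"enter_payment"},
                      "manager": {"enter_payment", "approve_payment"}})
    pid = cw.enter_payment("clerk", "cash", "vendor", 100)
    cw.approve_payment("manager", pid)
    print(cw.ledger.debits, cw.ledger.credits, ivp_balanced(cw.ledger))
```

The IVP catches any change made outside a TP: altering one book directly unbalances the totals, which is what the balance check in the paragraph above refers to.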

Conclusion:
Access control is a major research area for enhancing the security of user data stored in cloud environments. We
have surveyed the access control mechanisms used in past and current systems. A description and analysis of DAC,
MAC and RBAC, together with rule based access control, the Chinese wall policy and the Clark-Wilson model, shows
the importance of access control for protecting users' information. Each mechanism has its own advantages and
disadvantages, and the choice among them is driven by the organization's security policy and by how well the
mechanism serves its users. Large distributed systems such as clouds and grids need more flexible and scalable access
control than the traditional models alone provide. The main contribution of this paper is an understanding of the
various access control mechanisms applicable to the cloud and of the strong authentication they depend on.

References:
[1] Punithasurya K. and Jeba Priya S., "Analysis of Different Access Control Mechanism in Cloud".
[2] Ravi S. Sandhu and Pierangela Samarati, "Access Control: Principles and Practice", IEEE Communications
Magazine, September 1994.
[3] Yingjie Xia, Li Kuang and Mingzhe Zhu, "A Hierarchical Access Control Scheme in Cloud using HHECC",
Information Technology Journal 9(8): 1598-1606, 2010.
[4] Hazen A. Weber, "Role Based Access Control: The NIST Solution", SANS Institute InfoSec Reading Room, October
3, 2008.
[5] Joon S. Park, Gail-Joon Ahn and Ravi Sandhu, "Role-based Access Control on the Web using LDAP".
[6] Yan Zhu, Hongxin Hu, Gail-Joon Ahn, Dijiang Huang and Shanbiao Wang, "Towards Temporal Access Control in
Cloud Computing".
[7] G. Ahn and R. Sandhu, "Role-based Authorization Constraint Specification", ACM Transactions on Information and
System Security 3(4), November 2000.
[BN89] D. F. C. Brewer and M. J. Nash, "The Chinese Wall Security Policy", IEEE Symposium on Security and Privacy,
1989.
[CW87] D. D. Clark and D. R. Wilson, "A Comparison of Commercial and Military Computer Security Policies", IEEE
Symposium on Security and Privacy, 1987.
