The policy machine for universal access control

Posted on: 2003-07-09
Degree: Ph.D
Type: Dissertation
University: University of Idaho
Candidate: Hu, Chung-Tong (Vincent)
Full Text: PDF
GTID: 1468390011988471
Subject: Computer Science
Abstract/Summary:
Many different access control policies and models have been developed to suit a variety of goals; these policies include Role-Based Access Control (RBAC), One-directional Information Flow, Chinese Wall, Clark-Wilson, N-person Control, and Discretionary Access Control (DAC), in addition to more informal ad hoc policies. Each of these policies has a particular area of strength, but unfortunately the wide range of goals has resulted in substantial notational differences between these policies. As a result, it is difficult to combine them, both in making formal statements about systems that are based on differing models and in using more than one access control policy model within a given system. This complicates real-world situations where organizations with differing policies combine, and makes it difficult to formally describe the policy governing particular instances of inter-organization communication. Thus, there is a need for a unifying formalism that is general enough to encompass a range of these policies and models. As the modern theme in access control research is the separation of mechanism from policy, in this dissertation we propose an open security architecture called the Policy Machine (PM) that comprises a General Policy Engine (PE) and General Policy Management System (GPMS) to express and enforce disparate access control policies. This research presents the Policy Machine and various implementations that demonstrate its flexibility in capturing policies in a variety of access control models.
Keywords/Search Tags: Access control, Policy, Policies, Models