Mammass 2015
An Overview on Access Control Models
Mouad Mammass, Ibn Zohr University, Agadir, Morocco
Fattehallah Ghadi, Ibn Zohr University, Agadir, Morocco
ABSTRACT
Research in the field of information security systems and access control was initiated in the early seventies
by the United States Department of Defense, following the emergence of new technical, scientific and social
challenges. Since then, many security models have been set up to answer specific needs with more or
less accuracy in terms of security. This manuscript gives a survey of the current security models with a
specific classification in terms of their use: Access Control, Flow Control and Administration. It assesses
the advantages and drawbacks of the access control models cited in the literature, as well as the efficiency
of their security policies. Finally, it presents the contributions of Flow Control and Administration models,
which allow security to be reinforced.
Keywords: Access Control Models, Administration, Confidentiality, Flow Control, Integrity, Organization,
Policy, Security Models
1. INTRODUCTION
IT security has evolved following rapid technological progress and, at the same time, modern social
contexts. As a result, various security models have been successfully developed and implemented within
companies and computer systems. Among them we may mention DAC (R.J. Feiertag 1980), MAC (C.E.
Landwehr, C.L. Heitmeyer & J. McLean 1984), I-BAC (B. Lampson 1971), R-BAC (J. Barkley 1995;
S. Gavrila & J. Barkley 1998; R. E. Brooks), T-BAC (N. Dimmock, J. Bacon, D. Ingram & K. Moody
2005), V-BAC (R. Lentzner 2004), T-MAC (R.K. Thomas 1997) and Or-BAC (A. Abou El Kalam, R.
ElBaida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miège, C. Saurel & G. Trouessin 2003).
New models generally appeared in response to military problems requiring a high degree of confidentiality,
whereas civilian problems are more concerned with ensuring integrity.
Access control models are usually classified according to the main security policies: discretionary
(discretionary access control, DAC), mandatory (mandatory access control, MAC), role-based (role-based
access control, R-BAC) or organization-based (organization-based access control, Or-BAC).
DOI: 10.4018/IJAEC.2015100103
Copyright © 2015, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Applied Evolutionary Computation, 6(4), 28-38, October-December 2015 29
There are also a number of combinations of these models, such as T-MAC (team-based access
control) and T-BAC (task-based access control), that refine and adapt logical access control to the
environment in which it is implemented and that are more or less suited to the security policy of
the company.
In this paper, we are interested in a more specific classification of security models: Access
Control (B.W. Lampson 1974), Flow Control (D.E. Bell & L.J. Lapadula 1975) and Administration.
In section 2, we present generalities about access control and a survey of the different access
control models, pointing out their advantages and limitations. Section 3 is devoted to flow control
models and, finally, section 4 presents the administration part.
2. ACCESS CONTROL
2.1. Generalities
Access control consists in verifying whether an entity requesting access to a resource has the
rights necessary to obtain it; informally speaking, “who can access what?”
Access control is governed by three levels of abstraction.
The first is the access control policy, which defines the rights, the prohibitions, the information
to be audited, and the persons authorized to use applications and data or to change the access control
policy itself. The security policy aims to ensure confidentiality, integrity, non-repudiation and
availability. In addition, access control policies adapt over time depending on standards, regulations
or the company’s strategy.
The second is the access control model, the intermediary that bridges the gap between the policy
and its implementation. The model helps to support the predefined policies.
We will see later that the DAC model gives the resource’s owner the possibility to manage its
permissions. This model ensures data confidentiality.
The third is the access control mechanism, which implements the predefined security policy. To
determine whether a subject can read the information contained in an object, the mechanism can check
whether that permission appears in the access control list.
More importantly, a complete access control system has to fulfill the following security
requirements:
Cryptography plays a major role in ensuring data integrity, using hash functions and other
methods, because information only has value if it is correct.
The I-BAC model (Identity Based Access Control) is the first model proposed in the literature
for access control and the simplest (B. Lampson 1971). It introduces the fundamental concepts of
subject, object and action:
• The subject is the active entity and most often refers to a user or to an application executing
on behalf of a user;
• The object is the passive entity and refers to information or a resource which a subject can
access in order to perform an action;
• The action is the desired effect when a subject accesses an object (read, write, modify, etc.).
The aim of the I-BAC model is to control any direct access of subjects to objects through the
use of actions. This control is based on the identity of the subject and the identifier of the object.
However, this model has limitations: when a new subject or a new object is created, the
authorization policy must be updated to define the new permissions associated with that subject
or object, which becomes cumbersome when the number of entities is large.
Whereas the I-BAC model can only grant rights to users represented by their application
accounts, the R-BAC model focuses first on grouping subjects according to common attributes.
The R-BAC model (Role Based Access Control) was introduced by David Ferraiolo and Richard
Kuhn (J.B.D. Joshi, E. Bertino & A. Ghafoor 2007; R. Sandhu, E.J. Coyne, H.L. Feinstein &
C.E. Youman 1996) and proposes to structure the expression of the authorization policy around
the concepts of sessions and roles. The roles represent the relationship between subjects and
objects: in order to perform an action on an object, the subject must first hold a role with the
suitable permissions.
Roles are assigned to subjects according to the function these subjects fulfil in the organization.
The basic principle of the R-BAC model is that permissions are related directly to roles and not
to users.
Compared to the I-BAC model, the management of the authorization policy is simplified to the
point that it is not necessary to update the policy when a new subject is created.
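The contrast between I-BAC and R-BAC described above, as an added example that is not part of the paper: an identity-keyed policy next to a role-keyed one, with R-BAC sessions that activate only roles the user holds. The users, roles and objects (alice, bob, accountant, ledger, …) are constructed for this illustration.

```python
# Added example (not from the paper): I-BAC binds rights to subject identities,
# R-BAC binds them to roles and assigns roles to users. Names are constructed.

Permission = tuple[str, str]  # (action, object)


class IBAC:
    """I-BAC: every right is bound to one subject identity."""

    def __init__(self) -> None:
        self.policy: dict[str, set[Permission]] = {}

    def grant(self, subject: str, action: str, obj: str) -> None:
        self.policy.setdefault(subject, set()).add((action, obj))

    def check(self, subject: str, action: str, obj: str) -> bool:
        return (action, obj) in self.policy.get(subject, set())


class RBAC:
    """R-BAC: rights are bound to roles; users only receive role assignments."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[Permission]] = {}
        self.user_roles: dict[str, set[str]] = {}

    def grant_role(self, role: str, action: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((action, obj))

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def open_session(self, user: str, requested: set[str]) -> set[str]:
        # A session may activate only roles the user has actually been assigned.
        return requested & self.user_roles.get(user, set())

    def check(self, active_roles: set[str], action: str, obj: str) -> bool:
        return any((action, obj) in self.role_perms.get(r, set())
                   for r in active_roles)


def demo() -> dict:
    """Onboard a second user under both models and report the outcomes."""
    ibac = IBAC()
    ibac.grant("alice", "read", "ledger")

    rbac = RBAC()
    rbac.grant_role("accountant", "read", "ledger")
    rbac.grant_role("auditor", "read", "audit_log")
    rbac.assign("alice", "accountant")

    # New hire "bob": under I-BAC his rights do not exist until the policy
    # itself is edited; under R-BAC one role assignment is enough.
    bob_ibac_before_update = ibac.check("bob", "read", "ledger")
    rbac.assign("bob", "accountant")
    # bob asks for both roles but was only assigned "accountant".
    session = rbac.open_session("bob", {"accountant", "auditor"})

    return {
        "ibac_alice_ledger": ibac.check("alice", "read", "ledger"),
        "ibac_bob_before_update": bob_ibac_before_update,
        "rbac_bob_session_roles": session,
        "rbac_bob_ledger": rbac.check(session, "read", "ledger"),
        "rbac_bob_audit_log": rbac.check(session, "read", "audit_log"),
    }
```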
However, actions generally correspond to elementary commands, such as reading the contents
of an object or writing to an object. In recent applications, the need arises to control the
accomplishment of composite actions, called tasks or activities.
The T-BAC model (Task Based Access Control (R. Thomas & R. Sandhu 1997)) was the first
model to introduce the concept of task. Access is granted depending on the task, so the access
check compares this task to the roles containing the task; in other words, tasks can be considered
as “sub-roles.”
Obviously the T-BAC model adds a substantial improvement over R-BAC, as it gives a certain
granularity and dynamism to work, but it still remains an extended form of the R-BAC model.
This security model, proposed by SQL for relational databases, allows the objects of a security
policy to be structured and is based on the concept of view. It facilitates the expression and
management of an authorization policy. A view is a set of access rights, which are either permissions
or prohibitions for operations on objects.
The concept of view is then used to structure the expression of an authorization policy using
GRANT (which gives a new permission to a user) and REVOKE (which removes a permission held
by a user). A view is thus an efficient way to provide access to all the objects it contains.
However, in recent applications, it is often necessary to consider several organizations
simultaneously.
The T-MAC model (Team-Based Access Control) was developed by R.K. Thomas (C.K. Georgiadis,
I. Mavridis, G. Pangalos & R.K. Thomas 2001) to control access in collaborative activities, which
are better accomplished by the collaborators together, hence the introduction of the concept of
team. In this model, permissions are associated with roles as well as with teams, where a “team” is
an abstraction that encapsulates a collection of users with specific roles in order to accomplish
a task or a specific objective in collaboration. The permissions a subject holds result from the
combination of the permissions associated with the roles it has in the team and the authorizations
granted to the team to which the subject belongs.
The policies and security models that we have presented do not take into account:
The Or-BAC model is the result of work carried out in the RNRT MP6 (RNRT 2002) project.
The objective of this model is to allow a variety of security policies to be modeled. To reach
this goal, and to reduce the complexity of managing access rights, the Or-BAC model is based
on four main principles:
It is important to note that the organization is an agreement between subjects with specific
roles to form this organization.
Figure 1 expresses that users and organizations are considered as subjects (active entities)
and can, as such, play roles:
So in addition to having a security policy independent of its implementation, the Or-BAC
model takes into account contexts, hierarchies and delegation. The introduction of the concrete
and abstract levels allows entities to be structured as shown in Figure 2.
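The abstract/concrete structuring just described, as an added example that is not the paper's or the MP6 project's code: abstract rules over (organization, role, activity, view, context) are derived to concrete decisions on (subject, action, object), with a role hierarchy and a context. The predicate names (permission, empower, use, consider, hold) follow the Or-BAC literature; the hospital "hosp", its roles, users and objects are constructed, and the rule that a prohibition overrides a permission is an assumption.

```python
from dataclasses import dataclass

# Added example (not from the paper or the MP6 project): an Or-BAC policy stated
# at the abstract level and derived to concrete decisions. Predicate names
# follow the Or-BAC literature; "hosp" and its entities are constructed.


@dataclass(frozen=True)
class Rule:
    kind: str        # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str


class OrBAC:
    def __init__(self) -> None:
        self.rules: list[Rule] = []
        self.empower: set[tuple[str, str, str]] = set()   # (org, subject, role)
        self.use: set[tuple[str, str, str]] = set()       # (org, object, view)
        self.consider: set[tuple[str, str, str]] = set()  # (org, action, activity)
        self.sub_role: dict[tuple[str, str], str] = {}    # (org, role) -> parent role
        # (org, subject, action, object, context) tuples that currently hold;
        # the "default" context holds unconditionally.
        self.holding: set[tuple[str, str, str, str, str]] = set()

    def roles_of(self, org: str, subject: str) -> set[str]:
        """Roles the subject is empowered in, plus every ancestor role."""
        roles = {r for (o, s, r) in self.empower if o == org and s == subject}
        frontier = list(roles)
        while frontier:
            parent = self.sub_role.get((org, frontier.pop()))
            if parent and parent not in roles:
                roles.add(parent)
                frontier.append(parent)
        return roles

    def holds(self, org: str, subject: str, action: str, obj: str, ctx: str) -> bool:
        return ctx == "default" or (org, subject, action, obj, ctx) in self.holding

    def is_permitted(self, subject: str, action: str, obj: str) -> bool:
        """Concrete decision derived from the abstract rules. Assumption: a
        matching prohibition overrides any matching permission (Or-BAC leaves
        the conflict-resolution strategy to the policy designer)."""
        allowed = False
        for rule in self.rules:
            if (rule.role in self.roles_of(rule.org, subject)
                    and (rule.org, action, rule.activity) in self.consider
                    and (rule.org, obj, rule.view) in self.use
                    and self.holds(rule.org, subject, action, obj, rule.context)):
                if rule.kind == "prohibition":
                    return False
                allowed = True
        return allowed


def build_policy() -> OrBAC:
    """Constructed policy: physicians consult and modify records; a cardiologist
    inherits from physician but is forbidden to modify; a nurse may consult
    only while the "urgency" context holds."""
    p = OrBAC()
    p.rules += [
        Rule("permission", "hosp", "physician", "consult", "medical_record", "default"),
        Rule("permission", "hosp", "physician", "modify", "medical_record", "default"),
        Rule("prohibition", "hosp", "cardiologist", "modify", "medical_record", "default"),
        Rule("permission", "hosp", "nurse", "consult", "medical_record", "urgency"),
    ]
    p.sub_role[("hosp", "cardiologist")] = "physician"
    p.empower |= {("hosp", "alice", "cardiologist"), ("hosp", "bob", "nurse"),
                  ("hosp", "dave", "physician")}
    p.consider |= {("hosp", "read", "consult"), ("hosp", "write", "modify")}
    p.use.add(("hosp", "rec42", "medical_record"))
    return p
```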
There are also models that complete and strengthen the Or-BAC access control model, among
which we mention:
Integrity-OrBAC (A. A. El Hassani, A. Abou El Kalam & A. Ait Ouahman 2012), which takes into
account different forms of integrity that Or-BAC cannot express. This is very important for
protecting the integrity of critical infrastructures, which require secure collaboration, audit and
secure authentication, as well as reinforced permissions, obligations and prohibitions.
PolyOrBAC (A. Abou El Kalam, Y. Deswarte, A. Baïna, M. Kaâniche 2009), which is a security
framework for critical infrastructures. It addresses the vulnerabilities of information and
communication systems by offering a collaborative approach among critical infrastructures while
maintaining control over the resources and the internal security policy of each critical substructure.
There is also a variant of the Or-BAC model, Multi-OrBAC (A. Abou EL Kalam & Yves Deswarte)
(for Multi-Organization Based Access Control). This model allows several security policies for
cooperation between organizations to be specified in a homogeneous manner. The purpose of this
model is to give each organization flexibility while respecting the constraints imposed by the
global security policy on the interactions between organizations.
2.3. Synthesis
As noted in this survey of access control models, each model has its strengths and limitations
and corresponds to specific activities. Figure 3 presents a synthesis of the advantages and limits
of the models presented in this study.
3. FLOW CONTROL
The access control models presented in Section 2 cannot prevent malicious actions. This does not
mean that these access control models are useless: if we want to prevent attacks by Trojans, it
suffices to use these models to define the authorization policy for users and trusted applications,
that is to say, applications that we can guarantee to be free of traps.
To control the execution of applications that could cause an attack, other models, called flow
control models (or MAC, Mandatory Access Control), have been defined. The objective of these
models is precisely to ensure the containment of applications in order to prevent attacks by Trojans.
As several MAC-type models for confidentiality have been defined, we present here the most
famous of them: the Bell-LaPadula model (D.E. Bell & L.J. La Padula 1973; D.E. Bell & L.J. La
Padula 1975). We then present the Biba model, a MAC-type model for integrity (D.D. Clark &
D.R. Wilson 1987).
Flow control models for confidentiality and for integrity are complementary: they must be
combined to ensure both security properties (confidentiality and integrity).
Confidentiality is one of the most important concepts to integrate into an organization that
possesses sensitive information subject to classification by level. The reference model in this
domain is the Bell-LaPadula model (Figure 4), the first MAC-type model, developed by David Bell
and Leonard LaPadula in 1973 to formalize the multi-level security policy of the US Department
of Defense.
The authorization policy associated with subjects is simple:
• A subject has permission to read an object if its clearance level is greater than or equal to
the sensitivity degree of the object. This condition is called “No Read Up”;
• A subject has permission to write to an object only if the sensitivity degree of the object is
greater than or equal to the clearance level of the subject. This condition is called
“No Write Down”;
• A subject can only create content at its security level or above (a subject with a Secret level
can create objects with the following degrees of sensitivity: Secret and Top Secret, but not
Confidential or Unclassified).
Confidentiality is achieved by this model by limiting the number of subjects who have read
access to sensitive objects at a level higher than their own.
The usual definition of mandatory access control specifies that the restrictions on the flow of
information are independent of the subject’s actions. Although this definition often refers to the
Bell-LaPadula model for confidentiality, several systems (such as banks) set up this type of control
to ensure integrity.
The Biba model (K.J. Biba 1977; K.J. Biba 1975), called the inverted Bell-LaPadula (Y.
Deswarte & L. Mé 2005), is the first model that takes integrity into account. Indeed, Biba
noticed that confidentiality and integrity are dual concepts: confidentiality is a constraint on
who is allowed to read an object, while integrity is a constraint on who is allowed to write to
or change an object.
Thus, in the Bell-LaPadula model, information cannot flow to lower levels, to prevent leakage
of sensitive data. Conversely, in the Biba model (Figure 5), information cannot migrate to higher
(high integrity) levels; otherwise contaminated data (virus, Trojan, etc.) from the lower (low
integrity) levels could contaminate the data of the higher levels.
In general, these constraints are the dual of those of Bell-LaPadula: “No Write Up” and “No
Read Down”:
• No Write Up: A subject with a given security level can only create content at its level or
below. In the case of contamination, the Trojan cannot attack data with a higher level than
the one at which the virus was installed; this is called containment;
• No Read Down: A subject can only see content at or above its level. In the case of
contamination, the attacker does not have the ability to control the Trojans remotely.
With these constraints, the number of subjects that can change an object is limited and the
objective of integrity is achieved.
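The Bell-LaPadula rules of Section 3 and the Biba rules just listed, applied together as the text says they must be, in an added example that is not part of the paper: each subject and object carries a confidentiality label and an integrity label, and a request must pass both models. The confidentiality levels are the ones the text uses; the integrity levels (Low, Medium, High) and the sample subjects and objects are constructed.

```python
# Added example (not from the paper): Bell-LaPadula and Biba checks combined on
# objects labelled on both lattices. Integrity levels and samples are constructed.

CONF = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEG = ["Low", "Medium", "High"]


def _rank(level: str, scale: list[str]) -> int:
    if level not in scale:
        raise ValueError(f"unknown level {level!r}")
    return scale.index(level)


def blp_allows(op: str, subj_conf: str, obj_conf: str) -> bool:
    """Bell-LaPadula: No Read Up, No Write Down."""
    s, o = _rank(subj_conf, CONF), _rank(obj_conf, CONF)
    if op == "read":
        return s >= o            # clearance must dominate the object's sensitivity
    if op in ("write", "create"):
        return o >= s            # may only write/create at own level or above
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(op: str, subj_int: str, obj_int: str) -> bool:
    """Biba: No Write Up, No Read Down (the dual of Bell-LaPadula)."""
    s, o = _rank(subj_int, INTEG), _rank(obj_int, INTEG)
    if op == "read":
        return o >= s            # only content at or above own integrity
    if op in ("write", "create"):
        return o <= s            # only content at or below own integrity
    raise ValueError(f"unknown operation {op!r}")


def combined_allows(op: str, subject: dict, obj: dict) -> bool:
    """Both properties at once: the request must pass both models."""
    return (blp_allows(op, subject["conf"], obj["conf"])
            and biba_allows(op, subject["integ"], obj["integ"]))


def decisions() -> dict:
    """Constructed labels: an analyst process cleared Secret but running at low
    integrity (it handles untrusted input), an installer process with no
    clearance but high integrity, and a Secret, high-integrity config file."""
    analyst = {"conf": "Secret", "integ": "Low"}
    installer = {"conf": "Unclassified", "integ": "High"}
    config = {"conf": "Secret", "integ": "High"}
    return {
        # Bell-LaPadula alone would let the analyst write the Secret config
        "analyst_write_blp_only": blp_allows("write", analyst["conf"], config["conf"]),
        # with Biba added, the low-integrity process is contained: no write up
        "analyst_write_combined": combined_allows("write", analyst, config),
        "analyst_read_combined": combined_allows("read", analyst, config),
        # the trusted installer may write, but No Read Up stops it reading Secret
        "installer_write_combined": combined_allows("write", installer, config),
        "installer_read_combined": combined_allows("read", installer, config),
        # creation rule quoted in the text: a Secret subject may create Top Secret
        "secret_creates_top_secret": blp_allows("create", "Secret", "Top Secret"),
        "secret_creates_confidential": blp_allows("create", "Secret", "Confidential"),
    }
```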
4. ADMINISTRATION
The administration is the management and control of all the components of the security policy,
such as users, actions, objects, roles, permissions, etc.
The specification of the security policy and its updating are the two most important
administration tasks. Not all security models are accompanied by an administration model.
The discretionary model of Harrison, Ruzzo and Ullman (HRU) (B.W. Lampson 1974; M.A.
Harrison, W.L. Ruzzo & J.D. Ullman 1976) is the most famous administration model.
Discretionary access control (DAC (B. Lampson 1971)) is a conceptual model whose principle
is to limit access to objects according to the identity of users (human, machine, etc.) or of the
groups to which they belong.
This model is based on the concept of ownership: each object (or resource) has an owner
who decides which subjects have access to this object.
The control of an object is said to be discretionary in the sense that an owner with a predefined
access authorization can delegate the access rights to another subject (except under the restrictions
of mandatory access control).
This type of policy has major flaws:
• The overall security policy can be compromised by a single subject if he commits an error,
intentionally or not;
• At each change of entity (subject or object), the access control matrix must be recalculated;
• A subject who is able to gain access to resources may delegate the access rights to an
unauthorized subject.
HRU is a matrix model, defined from a set of subjects, a set of objects and a set of
administration rules.
However, its implementation consumes a lot of memory when the number of users is large,
and the constitution and maintenance of groups are delicate because a subject can belong to
several groups. The HRU model nevertheless has the advantage of being simple to describe,
allows simple modeling and supports a decentralized policy.
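The HRU matrix model and the DAC flaws listed above, as an added example that is not part of the paper: an access matrix over subjects and objects, the model's primitive operations, and commands that condition on rights before applying them. The subjects, the file name and the command set (in particular `cmd_pass_read`) are constructed so that a policy auditor can see how the matrix grows with each new entity and which administration rule lets a right reach a subject the owner never authorized.

```python
from collections import defaultdict

# Added example (not from the paper): a small HRU engine. The protection state
# is an access matrix; commands check rights, then apply primitive operations.
# Subjects, objects and the command set are constructed for this illustration.


class HRU:
    def __init__(self) -> None:
        self.subjects: set[str] = set()
        self.objects: set[str] = set()
        self.matrix: dict[tuple[str, str], set[str]] = defaultdict(set)

    # --- primitive operations of the model ---
    def create_subject(self, s: str) -> None:
        self.subjects.add(s)
        self.objects.add(s)      # a subject is also an object: new row and column

    def create_object(self, o: str) -> None:
        self.objects.add(o)      # new column

    def enter(self, right: str, s: str, o: str) -> None:
        self.matrix[(s, o)].add(right)

    def delete(self, right: str, s: str, o: str) -> None:
        self.matrix[(s, o)].discard(right)

    def has(self, right: str, s: str, o: str) -> bool:
        return right in self.matrix.get((s, o), set())

    # --- commands: a condition on the matrix, then primitive operations ---
    def cmd_create_file(self, owner: str, f: str) -> None:
        self.create_object(f)
        self.enter("own", owner, f)

    def cmd_grant_read(self, granter: str, grantee: str, f: str) -> bool:
        """Owner-only grant: the discretionary decision the model relies on."""
        if not self.has("own", granter, f):
            return False
        self.enter("read", grantee, f)
        return True

    def cmd_pass_read(self, holder: str, grantee: str, f: str) -> bool:
        """Any reader may pass 'read' on. Keeping such a command among the
        administration rules is what lets rights leak beyond the owner's
        intent; a review of the command set should flag it."""
        if not self.has("read", holder, f):
            return False
        self.enter("read", grantee, f)
        return True

    def cells(self) -> int:
        """Number of matrix cells to maintain; grows with every entity."""
        return len(self.subjects) * len(self.objects)


def scenario() -> dict:
    st = HRU()
    for s in ("alice", "bob", "carol"):
        st.create_subject(s)
    cells_before = st.cells()
    st.cmd_create_file("alice", "payroll.xls")
    cells_after = st.cells()
    bob_self_grant = st.cmd_grant_read("bob", "bob", "payroll.xls")   # not owner
    st.cmd_grant_read("alice", "bob", "payroll.xls")                  # owner grants
    carol_via_bob = st.cmd_pass_read("bob", "carol", "payroll.xls")   # alice never decided this
    return {
        "cells_before": cells_before,     # 3 subjects x 3 objects
        "cells_after": cells_after,       # one more column for the file
        "bob_self_grant": bob_self_grant,
        "bob_reads": st.has("read", "bob", "payroll.xls"),
        "carol_reads_via_bob": carol_via_bob,
    }
```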
5. CONCLUSION
We presented in this paper an overview of access control models, pointing out their advantages
and limitations. We also presented the best-known models of flow control and administration
that improve security.
Although the Or-BAC model is the most evolved for the representation of organizations, with
the opportunity to express prohibitions, obligations and recommendations while taking the context
into account, we believe that the choice of a model is dictated by the company’s security needs.
As a perspective, we will focus on the implementation of an access control policy and adapt
it with the most suitable access control models to our case for an optimal result.
ACKNOWLEDGMENT
This work is supported by the National Center for Scientific and Technical Research (CNRST)
by an excellence scholarship (J 006/009).
REFERENCES
Abou El Kalam, A., & Deswarte, Y. Multi-OrBAC: un modèle de contrôle d’accès pour les systèmes
multi-organisationnels.
Abou El Kalam, A., Deswarte, Y., Baïna, A., & Kaâniche, M. (2009, December). PolyOrBAC: A security
framework for critical infrastructures. International Journal of Critical Infrastructure Protection, 2(4),
154–169. doi:10.1016/j.ijcip.2009.08.005
Abou El Kalam, A., ElBaida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miège, A., Saurel, C.,
& Trouessin, G. (2003). Or-BAC: un modèle de contrôle d’accès basé sur les organisations. Cahiers
francophones de la recherche en sécurité de l’information, Number II, 1st quarter 2003, pp. 30–43.
Abrams, M., Eggers, K., LaPadula, L., & Olson, I. (1990, October). A generalized framework for access
control: An informal description. Proceedings of the 13th National Computer Security Conference, Washington.
Albain, T. (2011, September). L’insuffisance du modèle R-BAC.
Barkley, J. (1995). Implementing role based access control using object technology. First ACM Workshop
on Role-Based Access Control.
Bell, D. E., & La Padula, L. J. (1973). Secure computer systems: Mathematical foundations. Rep.
FSD-TR-73-278, vol. 1, ESD/AFSC, Hanscom AFB, Bedford, MA.
Bell, D. E., & La Padula, L. J. (1975). Secure computer systems: Unified exposition and Multics interpretation.
MITRE Corp., MTR-2997.
Bettini, C., Jajodia, S., Wang, X. S., & Wijesekera, D. (2002, June). Obligation monitoring in policy
management. International Workshop on Policies for Distributed Systems and Networks (Policy 2002),
Monterey, CA, 5–7 June 2002. doi:10.1109/POLICY.2002.1011288
Biba, K. J. (1975, June). Integrity considerations for secure computer systems. Technical Report MTR-3153,
The MITRE Corporation.
Biba, K. J. (1977, April). Integrity considerations for secure computer systems. Technical Report
ESD-TR-76-372, USAF Electronic Systems Division, Bedford, MA.
Brooks, R. E. Role-based access control. www.rbac.com
Clark, D. D., & Wilson, D. R. (1987). A comparison of commercial and military computer security policies.
IEEE. doi:10.1109/SP.1987.10001
Damianou, N., Dulay, N., Lupu, E., & Sloman, M. (2001, January). The Ponder policy specification
language. International Workshop on Policies for Distributed Systems and Networks (Policy 2001),
Bristol, UK, 29–31 January 2001.
U.S. Department of Defense. (1985). Defense trusted computer system evaluation criteria. Rep. DOD
5200.28-STD.
Deswarte, Y., & Mé, L. (2005, September). Traité IC2 Sécurité des réseaux et systèmes répartis, tome 2.
Dimmock, N., Bacon, J., Ingram, D., & Moody, K. (2005). Risk models for trust-based access control (TBAC).
iTrust International Conference, Paris. Springer, Berlin, vol. 3477, No. 3.
El Hassani, A. A., Abou El Kalam, A., & Ait Ouahman, A. (2012). Integrity-Organization Based Access
Control for critical infrastructure systems. Critical Infrastructure Protection VI. IFIP Advances in
Information and Communication Technology, 390, 31–42. doi:10.1007/978-3-642-35764-0_3
Fabien. OrBAC: Organization Based Access Control. www.orbac.org
Feiertag, R. J. (1980). A technique for proving specifications are multilevel secure. Computer Science Lab
Report CSL-109. Menlo Park, CA: SRI International.
Gavrila, S., & Barkley, J. (1998). Formal specification for role based access control user-role and role-role
relationship management. Third ACM Workshop on Role-Based Access Control. doi:10.1145/286884.286902
Georgiadis, C. K., Mavridis, I., Pangalos, G., & Thomas, R. K. (2001). Flexible team-based access control
using contexts.
Ghadi, A. (2010, January). Modèle hiérarchique de contrôle d’accès d’UNIX basé sur un graphe de rôles. Thesis.
Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (1976, August). Protection in operating systems.
Communications of the ACM, 19(8), 461–471.
Joshi, J. B. D., Bertino, E., & Ghafoor, A. (2007, November). Formal foundations for hybrid role hierarchy.
ACM Transactions on Information and System Security.
Jumelet, A. (2010, November). Le contrôle d’accès logique: gestion des autorisations. TechNet Blogs.
Lampson, B. (1971, March). Protection. 5th Princeton Symposium on Information Sciences and Systems,
pp. 437–443.
Lampson, B. W. (1974, January). Protection. ACM SIGOPS Operating Systems Review, 8(1), 18–24.
Landwehr, C. E., Heitmeyer, C. L., & McLean, J. (1984). A security model for military message systems.
ACM Transactions on Computer Systems, 2(3), 198–222. doi:10.1145/989.991
Lentzner, R. (2004). SQL 3: Initiation et programmation.
Mammass, M., & Ghadi, F. (2014, November). Access control models: State of the art and comparative
study. 2014 Second World Conference on Complex Systems (WCCS), Agadir, Morocco.
doi:10.1109/ICoCS.2014.7060973
RNRT MP6 project. (2002, September). Communication and information system models and security policies
of health care and social matters.
Thomas, R. K. (1997). Team-based access control (TMAC): A primitive for applying role-based access
controls in collaborative environments. Proceedings of the Second ACM Workshop on Role-Based Access
Control, pp. 13–19.
Sandhu, R., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models.
IEEE Computer, 29(2), 38–47. doi:10.1109/2.485845
Thomas, R., & Sandhu, R. (1997). Task-based Authorization Controls (TBAC): A family of models for active
and enterprise-oriented authorization management. 11th IFIP Working Conference on Database Security,
Lake Tahoe, California, USA.
Mouad Mammass is currently a PhD student at the Faculty of Sciences of Agadir, Morocco. His
research focuses on computer security and more specifically on access control.
Fattehallah Ghadi is a professor of higher education and is currently the Vice President of Ibn
Zohr University in Agadir, Morocco. His research investigates two main areas. The first is the
analysis and research of optimal finite elements and optimal algorithms applied to problems of
fluid mechanics. The other area of his research focuses on finding optimal algorithms in graph
theory applied to several fundamental issues such as connectivity, routing and mobility.