3.1. Introduction

A computer system is typically used to store information and run programs that manipulate data. Users interact with the system by reading from and writing to files containing data, or by executing programs that perform computations with that data. The basic goals of computer security are to prevent unauthorized disclosure and unauthorized modification of data [1]. In other words, computer security mechanisms seek to preserve the confidentiality and integrity of the data stored in a computer system. Additionally, computer systems must guarantee the availability of information to authorized users. The focus of this chapter is on the part that access control has to play in preserving confidentiality and integrity.

Access control is concerned with protecting resources from unauthorized access. In particular, confidentiality is addressed by limiting the files that users can read, while integrity is addressed by limiting the files that users can modify. In its most general sense, access control may be concerned with physical objects, such as physical memory addresses or even buildings, as well as with logical objects, such as computer files. Physical memory locations are typically protected using mechanisms built into the hardware. In this chapter we do not consider the protection of physical objects. Instead, we focus on the underlying principles that are used to design access control mechanisms that are implemented in software for the protection of logical objects.

In order to implement access control, it is necessary to have an access control policy that specifies which users are authorized to access which resources. This implies that users can be identified and that their claimed identity can be confirmed through some authentication process. Until recently, identification and authentication have been relatively straightforward because a “closed-world” assumption was made: all users of the system are known in advance, and any unknown user is assumed to be unauthorized. This meant that a centralized database or file of user names and authentication information could be maintained, and that any request from an identity absent from it could simply be denied. However, the closed-world assumption is not appropriate for many modern computer systems: the users of web services and of resources in a grid computing environment, for example, will not necessarily be known to the mechanisms that must protect those services and resources. In short, authentication, and hence access control, in open distributed systems becomes far more challenging.
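The closed-world model described above, together with the read/write split of the preceding paragraph (read rights protect confidentiality, write rights protect integrity), can be captured in a few dozen lines. The following is an added example, not code from the book: a minimal reference monitor that first authenticates a user against a central credential store and then consults an access control matrix with default deny. The user names, passwords, file paths and rights are constructed sample data; the store keys each user to a random salt and a PBKDF2 hash, and unknown users are rejected before any policy lookup.

```python
"""Minimal closed-world reference monitor: authenticate, then mediate access.

Added example (not from the chapter). All users, passwords, file paths and
rights below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

ITERATIONS = 50_000  # PBKDF2 work factor; raise in real deployments


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from a password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_db(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build the closed-world credential store: user -> (salt, verifier)."""
    db = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(password, salt))
    return db


# Constructed sample users; the store never holds plaintext passwords.
USER_DB = make_user_db({"alice": "correct horse", "bob": "battery staple"})

# Access control matrix: subject -> object -> set of rights.
# "read" limits disclosure (confidentiality); "write" limits modification
# (integrity). Anything not listed is denied.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "alice": {
        "/data/payroll.csv": {"read", "write"},
        "/data/readme.txt": {"read"},
    },
    "bob": {
        "/data/readme.txt": {"read", "write"},
    },
}


def authenticate(user: str, password: str) -> Optional[str]:
    """Closed world: unknown users fail; known users must present a matching password.

    Returns the confirmed identity, or None if the claim cannot be verified.
    """
    entry = USER_DB.get(user)
    if entry is None:
        # Hash anyway so an unknown user and a wrong password take similar
        # time; otherwise response time leaks which names exist.
        _hash(password, b"\x00" * 16)
        return None
    salt, verifier = entry
    if hmac.compare_digest(_hash(password, salt), verifier):
        return user
    return None


def authorize(subject: Optional[str], obj: str, right: str) -> bool:
    """Default deny: grant only rights explicitly present in the matrix."""
    if subject is None:
        return False
    return right in POLICY.get(subject, {}).get(obj, set())


def access(user: str, password: str, obj: str, right: str) -> bool:
    """Complete mediation: every request passes authentication, then policy."""
    return authorize(authenticate(user, password), obj, right)


if __name__ == "__main__":
    print(access("alice", "correct horse", "/data/payroll.csv", "read"))   # True
    print(access("bob", "battery staple", "/data/payroll.csv", "read"))    # False
    print(access("alice", "correct horse", "/data/readme.txt", "write"))  # False
    print(access("mallory", "anything", "/data/readme.txt", "read"))      # False
```

Two points worth noting in the design: the policy lookup never runs on an unauthenticated identity, so a failed or absent authentication cannot be turned into a default-allow; and the separation of `read` from `write` rights is what lets one matrix express both the confidentiality and the integrity goals named in the text.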

In this chapter, we begin with a brief overview of identification and authentication techniques in both closed and open systems. We then discuss the access control policies and models that have been developed over the past 30 years for closed systems. While these models, being based on user identities, are not necessarily directly applicable to open distributed systems, much can be learned from the principles embodied in these approaches. Indeed, modern access control frameworks such as XACML employ many of the abstractions introduced up to 30 years ago. We then go on to discuss SAML and XACML, emerging standards for exchanging authentication and authorization information and for specifying and enforcing access control policies, respectively. We also discuss state-of-the-art models for access control in distributed systems such as trust negotiation and multidomain role-based access control.
