Contributions to access control: continuous access and attribute-level interoperation

  1. Martínez García, Carles
Supervised by:
  1. Guillermo Navarro-Arribas Director
  2. Joan Borrell Viader Director

Defence university: Universitat Autònoma de Barcelona

Defence date: 23 September 2011

Committee:
  1. Josep Rifa Coma Chair
  2. Joaquín García Alfaro Secretary
  3. Oscar Cánovas Reverte Rapporteur

Type: Thesis

Teseo: 314095

Abstract

Computerized access control is founded on some assumptions that limit its application in concrete environments. First of all, the standardization of access control models is built on a poor understanding of access. Access has historically been considered binary, in the sense that access is either permitted or it is not. However, there are operations that can be executed at a variable execution level. That is the case of QoS-subjected actions, for example, where the resources devoted to serving an access condition the quality of the access itself. As quality of access is, indeed, an access control regulation, the access decision could be formulated in terms of the authorized access level rather than through simple permit/deny decisions. A second assumption lies in the way users are related to authorization-relevant information. Authorization-relevant information consists of facts such as who the user is, which characteristics the user has or what the user owns. However, this information may be parametrized. Uncertainty, trust, seniority or risk are just a few examples. These semantics should be taken into account throughout the authorization process. In this thesis we present FRBAC, an access control model that breaks with these two assumptions, and we demonstrate its applicability in different scenarios, paying special attention to the multi-domain environment. We also propose a collaboration mechanism that enables interoperation between heterogeneous access control models and is compatible with FRBAC.