Criteria Specifications for the Comparison and Evaluation of Access Control Models

Full Text (PDF, 468KB), PP.19-29



Shabnam Mohammad Hasani 1,* Nasser Modiri 1

1. Department of Computer, Zanjan Branch, Islamic Azad University, Zanjan, Iran

* Corresponding author.


Received: 4 Jun. 2012 / Revised: 22 Oct. 2012 / Accepted: 6 Jan. 2013 / Published: 8 Apr. 2013

Index Terms

Access Control Models, Criteria, Evaluation, Information Security


Nowadays, information systems cover all important aspects of people's lives, and computer applications are widely used in fields ranging from medicine to the military sector. Because of the considerable dependence on computer-based systems, the security of the information stored in these systems is of great concern, and the complexity of data protection and availability in many modern systems is therefore increasing. Access control is considered the core of information security and the center of data protection and availability needs. In organizations whose operations require sharing digital resources with different degrees of sensitivity, such access control is crucial. Considering the diverse structures, requirements, and specifications of organizations, and taking into account that access control policies and models are available in diverse forms, it is necessary to select and implement an appropriate access control model consistent with the security requirements of the organization in order to achieve the best results and minimize access risks and threats. In this paper, the main and most important criteria in the different access control models are evaluated, and finally the most appropriate model is introduced for implementation based on the security policies and requirements of organizations and the specifications of each access control model.

Cite This Paper

Shabnam Mohammad Hasani, Nasser Modiri, "Criteria Specifications for the Comparison and Evaluation of Access Control Models", International Journal of Computer Network and Information Security (IJCNIS), vol. 5, no. 5, pp. 19-29, 2013. DOI: 10.5815/ijcnis.2013.05.03

