Flexible Support for Multiple Access Control Policies

Sushil Jajodia*, Pierangela Samarati, Maria Luisa Sapino, V. S. Subrahmanian

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

466 Scopus citations


Although several access control policies can be devised for controlling access to information, all existing authorization models, and the corresponding enforcement mechanisms, are based on a specific policy (usually the closed policy). As a consequence, although different policy choices are possible in theory, in practice only a specific policy can actually be applied within a given system. In this paper, we present a unified framework that can enforce multiple access control policies within a single system. The framework is based on a language through which users can specify security policies to be enforced on specific accesses. The language allows the specification of both positive and negative authorizations and incorporates notions of authorization derivation, conflict resolution, and decision strategies. Different strategies may be applied to different users, groups, objects, or roles, based on the needs of the security policy. The overall result is a flexible and powerful, yet simple, framework that can easily capture many of the traditional access control policies as well as protection requirements that exist in real-world applications, but are seldom supported by existing systems. The major advantage of our approach is that it can be used to specify different access control policies that can all coexist in the same system and be enforced by the same security server.

Original languageEnglish (US)
Pages (from-to)214-260
Number of pages47
JournalACM Transactions on Database Systems
Issue number2
StatePublished - Jun 2001
Externally publishedYes


  • Access control policy
  • Authorization
  • H.2.7 [Database Management]: Database Administration-security, integrity, and protection
  • K.6.5 [Management of Computing and Information Systems]: Security and Protection
  • Logic programming
  • Management
  • Security

ASJC Scopus subject areas

  • Information Systems


Dive into the research topics of 'Flexible Support for Multiple Access Control Policies'. Together they form a unique fingerprint.

Cite this