This paper describes an advanced authorization mechanisms based on a logic formalism. The model supportsboth positive and negative authorizations. It also supports derivation rules by which an autoorization can be granted on the basis of the presence or absence of other authorizations. Subjects, objects and authorization types are organized into hierarchies, supporting a more adequate representation of their semantics. From the authorizations explicitly specified. additional authorizations are automatically derived by the system based o nthose hierarchies. The cobmination of all the above features results in a powerful yet flexible access control mechanism.
展开▼
