A purpose-oriented access control model for object-based systems

Abstract

Distributed applications are modelled in an object-based model like CORBA. Here, the system is a collection of objects. The objects are manipulated only through operations supported by themselves. The purpose-oriented model is proposed where an access rule shows for what each subject s manipulates an object o by an operation t of o so as to keep the information flow legal. The purpose of s to access o by t is modelled to be what operation u of s invokes t to manipulate o. That is, the purpose-oriented access rule is specified in the form (s:u, o:t). In the object-based system, on receipt of a request op from an object o/sub 1/, an object o/sub 2/ computes op and then sends back the response of op to o/sub 1/. Here, if the request and the response carry data, the data in o/sub 1/ and o/sub 2/ is exchanged among o/sub 1/ and o/sub 2/. Furthermore, the operations are nested in the object-based system. Even if each purpose-oriented rule between a pair of objects satisfies the information flow relation, some data in one object may illegally flow to another object through the nested invocation of operations. In this paper, we discuss what information flow is legal in the nested invocations in the purpose-oriented model of the object-based system.