The Graham-Denning Model is a computer security model that shows how subjects and objects should be securely created and deleted. It also addresses how to assign specific access rights. It is mainly used in access control mechanisms for distributed systems.
Contents |
This model addresses the security issues associated with how to define a set of basic rights on how specific subjects can execute security functions on an object. The model has eight basic protection rules (actions) that outline:
Moreover, each object has an owner that has special rights on it, and each subject has another subject (controller) that has special rights on it.
The model is based on the Access Control Matrix model where rows correspond to subjects and columns correspond to objects and subjects, each element contains a set of rights between subject i and object j or between subject i and subject k.
For example an action A[s,o] contains the rights that subject s has on object o (example: {own, execute}).
When executing one of the 8 rules, for example creating an object, the matrix is changed: a new column is added for that object, and the subject that created it becomes its owner.
Each rule is associated with a precondition, for example if subject x wants to delete object o, it must be its owner(A[x,o] contains the 'owner' right )
Harrison-Ruzzo-Ullman extended this model by defining a system of protection based on commands made of primitive operations and conditions.