
Organisation-based access control

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Ccoma (talk | contribs) at 14:14, 23 March 2007 (Created page with '== Organization Based Access Control == The OrBAC access control model was first presented in 2003 in "''Organization Based Access Control''". The current approach...'). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Organization Based Access Control

The OrBAC access control model was first presented in 2003 in "Organization Based Access Control". Current approaches to access control rest on three entities: subject, action and object. To control access, the policy specifies that some subject has permission to perform some action on some object.
The main goal of OrBAC is to allow the policy designer to define a security policy independently of the implementation. The method chosen to achieve this goal is the introduction of an abstract level.
- Subjects are abstracted into roles. A role is a set of subjects to which the same security rule applies.
- Similarly, an activity is a set of actions to which the same security rule applies.
- And a view is a set of objects to which the same security rule applies.

Each security policy is defined for and by an organization. Thus, the specification of the security policy is completely parameterized by the organization, so that it is possible to handle simultaneously several security policies associated with different organizations. The model is not restricted to permissions, but also includes the possibility to specify prohibitions and obligations. From the three abstract entities (roles, activities, views), abstract privileges are defined. From these abstract privileges, concrete privileges are derived.
OrBAC is context sensitive, so the policy can be expressed dynamically. Furthermore, OrBAC has concepts of hierarchy (organization, role, activity, view, context) and separation constraints. To design and implement security policies using the OrBAC model, the MotOrBAC tool has been developed. Its simulation mode can be used to test a security policy. MotOrBAC also features a conflict detection function which helps the designer to find and solve conflicts.
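
The derivation of concrete privileges from abstract ones, and the detection of a permission/prohibition conflict, can be sketched as follows. This is an added example, not code from the article or from MotOrBAC: the relation names `empower`, `consider` and `use` follow the naming used in the OrBAC literature, and the hospital policy, the `env` parameter and the conflict check are constructed for illustration.

```python
from itertools import product

# Constructed sample policy for one organization; all names are illustrative.
ORG = "hospital"
empower = {(ORG, "alice", "physician"), (ORG, "bob", "nurse"),
           (ORG, "alice", "auditor")}                  # subject -> role
consider = {(ORG, "read", "consult"), (ORG, "write", "update")}  # action -> activity
use = {(ORG, "record_17", "medical_record")}           # object -> view

# A context is a predicate over a concrete request and its environment.
contexts = {
    "default": lambda s, a, o, env: True,
    "working_hours": lambda s, a, o, env: 8 <= env["hour"] < 18,
}

# Abstract privileges: (kind, organization, role, activity, view, context).
abstract_rules = [
    ("permission", ORG, "physician", "consult", "medical_record", "default"),
    ("permission", ORG, "physician", "update", "medical_record", "working_hours"),
    ("permission", ORG, "nurse", "consult", "medical_record", "working_hours"),
    ("prohibition", ORG, "auditor", "update", "medical_record", "default"),
]

def derive(env):
    """Return the concrete privileges {(kind, subject, action, object)}."""
    concrete = set()
    for kind, org, role, activity, view, ctx in abstract_rules:
        # Expand each abstract entity into the concrete entities it covers.
        subjects = [s for (o, s, r) in empower if (o, r) == (org, role)]
        actions = [a for (o, a, act) in consider if (o, act) == (org, activity)]
        objects = [ob for (o, ob, v) in use if (o, v) == (org, view)]
        for s, a, ob in product(subjects, actions, objects):
            if contexts[ctx](s, a, ob, env):   # the context must hold
                concrete.add((kind, s, a, ob))
    return concrete

def conflicts(concrete):
    """Return requests that are both permitted and prohibited."""
    permitted = {c[1:] for c in concrete if c[0] == "permission"}
    prohibited = {c[1:] for c in concrete if c[0] == "prohibition"}
    return permitted & prohibited

if __name__ == "__main__":
    for hour in (10, 22):
        privileges = derive({"hour": hour})
        print(hour, sorted(privileges), "conflicts:", sorted(conflicts(privileges)))
```

Because alice holds both the physician and auditor roles, the conflict only appears while the working-hours context is active, which is why conflict detection has to consider contexts and not just the abstract rules.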


See also


OrBAC site
MotOrBAC site
OrBEE